From ${URL}:

It was reported [1],[2] that PulseAudio suffers from a remote denial of service if the module-rtp-recv module is loaded. A remote attacker could crash this instance of PulseAudio by sending an empty UDP packet to the multicast address that module-rtp-recv is listening on (due to a previous SAP/SDP announcement). The problematic code is in the pa_rtp_recv() function [3], when it handles the results of the FIONREAD ioctl. The problem has existed in PulseAudio since 2006-04-16 (git commit f1ddf0523, so probably around 0.8.1). A potential patch has been submitted upstream [4] but has not yet been accepted.

[1] http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html
[2] http://openwall.com/lists/oss-security/2014/06/04/8
[3] http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/modules/rtp/rtp.c#n185
[4] http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020741.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
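The failure mode described in the report, as an added example that is neither PulseAudio's code nor the patch from [4]: a loopback UDP receiver that handles the FIONREAD count in two shapes. The assert-based shape is an assumption drawn from the report's wording (an assertion failure on an empty packet), not a copy of rtp.c; the hardened shape drains the zero-length datagram and reports 0 bytes instead of aborting. The function names (pending_bytes, recv_rtp_vulnerable, recv_rtp_hardened, demo_empty_udp_packet) are mine, and the demo needs Linux loopback UDP.

```c
/* Added example, not PulseAudio's code. Linux-specific (FIONREAD on UDP).
 * After an empty UDP datagram is queued, FIONREAD reports 0; a receiver that
 * asserts the count is positive aborts, the hardened receiver carries on. */
#include <assert.h>
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Size of the next queued datagram in bytes, or -1 if the ioctl fails. */
int pending_bytes(int fd) {
    int size = 0;
    if (ioctl(fd, FIONREAD, &size) < 0)
        return -1;
    return size;
}

/* Assumed shape of the vulnerable receiver: the FIONREAD count is asserted
 * to be positive before the packet is read. One empty datagram at the head
 * of the queue trips the assertion and aborts the process, so the demo
 * below deliberately never calls this. */
ssize_t recv_rtp_vulnerable(int fd, unsigned char *buf, size_t buflen) {
    int size = pending_bytes(fd);
    if (size < 0)
        return -1;
    assert(size > 0);                      /* empty datagram -> abort */
    if ((size_t)size > buflen)
        size = (int)buflen;
    return recv(fd, buf, (size_t)size, 0);
}

/* Hardened receiver. A zero count means an empty datagram is queued, given
 * that the caller only invokes this when the socket is readable (as an I/O
 * event callback would). Consume it with a one-byte recv() so it leaves the
 * queue, and report 0 bytes handled rather than aborting. */
ssize_t recv_rtp_hardened(int fd, unsigned char *buf, size_t buflen) {
    int size = pending_bytes(fd);
    if (size < 0)
        return -1;
    if (size == 0) {
        unsigned char scratch;
        return recv(fd, &scratch, sizeof scratch, 0) < 0 ? -1 : 0;
    }
    if ((size_t)size > buflen)
        size = (int)buflen;                /* UDP truncates; never overflow buf */
    return recv(fd, buf, (size_t)size, 0);
}

/* Demo: bind a UDP socket on 127.0.0.1, send it an empty datagram from a
 * second socket (the attacker's packet, constructed here), and return what
 * FIONREAD reports for it (expected 0). The hardened receiver then drains
 * it; any socket error, or a hardened result other than 0, yields -1. */
int demo_empty_udp_packet(void) {
    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    struct pollfd pfd;
    unsigned char buf[64];
    int observed = -1;

    if (rx < 0 || tx < 0)
        goto out;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                     /* kernel picks a free port */
    if (bind(rx, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        getsockname(rx, (struct sockaddr *)&addr, &alen) < 0)
        goto out;

    /* Zero payload bytes: the packet that crashes the assert-based receiver. */
    if (sendto(tx, "", 0, 0, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;

    /* Loopback delivery is asynchronous; wait until the datagram is queued. */
    pfd.fd = rx;
    pfd.events = POLLIN;
    if (poll(&pfd, 1, 2000) <= 0)
        goto out;

    observed = pending_bytes(rx);          /* 0: assert(size > 0) fails here */
    if (recv_rtp_hardened(rx, buf, sizeof buf) != 0)
        observed = -1;
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return observed;
}

int main(void) {
    int n = demo_empty_udp_packet();
    printf("FIONREAD for the empty datagram: %d\n", n);
    return n == 0 ? 0 : 1;
}
```

The demo prints 0 for the empty datagram, which is exactly the value the assertion rejects. A zero FIONREAD count only means "empty datagram" when the socket is already known to be readable; a receiver that might be called with nothing queued would need a non-blocking recv() in that branch, otherwise the drain blocks.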
+*pulseaudio-5.0-r2 (12 Jun 2014) + + 12 Jun 2014; Pacho Ramos <pacho@gentoo.org> + +files/pulseaudio-5.0-crash-udp.patch, + +files/pulseaudio-5.0-module-switch.patch, +pulseaudio-5.0-r2.ebuild: + Fix CVE-2014-3970 (#512516), bash-completion dir (#509486 by poncho) and apply + a patch from upstream used in Fedora to fix the profiles switching. +
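Review bot: the entry names files/pulseaudio-5.0-crash-udp.patch as the fix for CVE-2014-3970 but, unlike the module-switch patch ("a patch from upstream used in Fedora"), does not say where it came from; since the report notes the upstream fix [4] had not yet been accepted, record that it is the pending pulseaudio-discuss patch (or whichever version was actually taken) so a later bump can tell whether the eventual upstream commit supersedes it.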
amd64 stable
x86 stable
You mean this? Arch teams, please test and mark stable:
=media-sound/pulseaudio-5.0-r2
Targeted stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
arm stable
Stable on alpha.
ia64 stable
ppc64 stable
ppc stable
sparc stable. Maintainer(s), please clean up. Security, please vote.
GLSA vote: no.
Arches, thank you for your work. Maintainer(s), please drop the vulnerable version. GLSA Vote: No
CVE-2014-3970 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3970): The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of service (assertion failure and abort) via an empty UDP packet.
Maintainer(s), please drop the vulnerable version(s).
Vulnerable versions have been around for two months. Maintainer(s): please drop affected versions; security will remove in 30 days if no response.
+ 13 Nov 2014; Pacho Ramos <pacho@gentoo.org> -pulseaudio-2.1-r1.ebuild, + -pulseaudio-4.0.ebuild: + Drop old (#508854) +
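Review bot: the removal of pulseaudio-2.1-r1 and pulseaudio-4.0 cites only #508854, while the requests to drop the vulnerable versions were made on the CVE-2014-3970 bug (#512516, per the 5.0-r2 ChangeLog entry above); cite that bug as well so the security cleanup is traceable from the ChangeLog.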
Thank you for cleanup. Closing bug as noglsa.