oss-sec mailing list archives
Re: CVE request: PulseAudio crash due to empty UDP packet
From: cve-assign () mitre org
Date: Wed, 4 Jun 2014 11:30:43 -0400 (EDT)
> If one has module-rtp-recv loaded into PulseAudio, then a remote attacker can crash this instance of PulseAudio by sending an empty UDP packet
> memblock.c: Assertion 'b' failed
Use CVE-2014-3970.
> PulseAudio usually gets respawned anyway.
Apparently there are realistic circumstances in which respawning doesn't happen (possibly a zero value of conf->daemonize or the "User-configured server at %s, refusing to start/autospawn." case in http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/daemon/main.c).
> http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html
> expecting to find an infinite loop (as it would be common for such FIONREAD misuse), but found an assertion failure instead. So there may be two bugs.
The scope of CVE-2014-3970 does not include any infinite loop that might be discovered later.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
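Added example, not part of the original message and not PulseAudio's code: a hypothetical datagram receive step that sizes its buffer with FIONREAD and treats a reported size of 0 as a queued empty datagram, which it drains instead of allocating for it or leaving the socket readable. Assumptions: Linux FIONREAD semantics (size of the next pending datagram), an AF_UNIX datagram socketpair as a constructed offline stand-in for the UDP socket, and the invented names `recv_one` and `demo`.

```c
#include <poll.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical receive step (illustration only, not PulseAudio code).
 * Returns the payload length (> 0) with *out malloc'd, 0 when an empty
 * datagram was drained and skipped, -1 on error or when nothing is pending. */
static long recv_one(int fd, unsigned char **out) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int pending = 0;
    *out = NULL;
    if (poll(&p, 1, 0) <= 0 || !(p.revents & POLLIN)) return -1;
    if (ioctl(fd, FIONREAD, &pending) < 0 || pending < 0) return -1;
    if (pending == 0) {
        /* Readable, yet FIONREAD reports 0: an empty datagram is queued.
         * Consume it so the socket does not stay readable forever, and
         * never hand a zero size to the allocator. */
        unsigned char scratch;
        return recv(fd, &scratch, sizeof scratch, 0) < 0 ? -1 : 0;
    }
    unsigned char *buf = malloc((size_t)pending);
    if (!buf) return -1;
    ssize_t n = recv(fd, buf, (size_t)pending, 0);
    if (n <= 0) { free(buf); return n < 0 ? -1 : 0; }
    *out = buf;
    return (long)n;
}

/* Constructed input: an empty datagram, then a 4-byte one.
 * Returns 0 when each is handled as expected. */
static int demo(void) {
    int sv[2], ok;
    unsigned char *data = NULL;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if (send(sv[0], "", 0, 0) < 0 || send(sv[0], "RTP!", 4, 0) < 0) return -2;
    ok = recv_one(sv[1], &data) == 0 && data == NULL;      /* empty: skipped */
    ok = ok && recv_one(sv[1], &data) == 4 && data[0] == 'R';
    free(data);
    ok = ok && recv_one(sv[1], &data) == -1;               /* queue is empty */
    close(sv[0]);
    close(sv[1]);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```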