Re: CVE request: PulseAudio crash due to empty UDP packet

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> If one has module-rtp-recv loaded into PulseAudio, then a remote
> attacker can crash this instance of PulseAudio by sending an empty UDP
> packet

> memblock.c: Assertion 'b' failed

Use CVE-2014-3970.


> PulseAudio usually gets respawned anyway.

Apparently there are realistic circumstances in which respawning
doesn't happen (possibly a zero value of conf->daemonize or the
"User-configured server at %s, refusing to start/autospawn." case in
http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/daemon/main.c).


> http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html

> expecting to find an infinite loop (as it would be common for such
> FIONREAD misuse), but found an assertion failure instead. So there may
> be two bugs.

The scope of CVE-2014-3970 does not include any infinite loop that
might be discovered later.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTjztGAAoJEKllVAevmvmspWYIAMDODhaMo0EfkzPHhhmadz1H
B1wYGv+h7cvW3/acKVpvdE+oIcHS9I2rbzSuPlgAtAghAc+HNQFS4/QSNtvFfBo9
9AgbvUgsCYiF5uNcylnmK80P5f4QpxZ+n7lBqu75uveZV3EsitqKiS5W3qQ3Ef3i
GaIAYwpvtXLPq/GSdEv/UznmnOVqaTK4hwvqfyePgSfIEMdcED0GgeDGo8D/NLEL
XSYfDJbVgi5ry8YQcS4Q5nJtpTfBQS6knlcKPMqYB7KtvUesOECLC9hrv9jYYJga
XORzNGRP9tWJspn05rc9NlmAegurGeOUStaE/2q3PDA53gEWKhH4JwhzISfMmOQ=
=3Sw2
-----END PGP SIGNATURE-----