Bug#1009271: dleyna-server: various upstream fixes
Package: dleyna-server
Version: 0.6.0-2
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu jammy ubuntu-patch
Dear Maintainer,
I noticed that what appears to be the new upstream for dleyna-server
(https://github.com/phako/dleyna-server) had several small fixes. It looks like
they've released 0.7.2 that has these, but they've changed the build system so
I've created a debdiff against 0.6.0:
* https://github.com/phako/dleyna-server/commit/3f62e9fbd3de11df52184ca8dfcabfb7d1c0fdeb
* https://github.com/phako/dleyna-server/commit/bb401fe30f1b42d20bf65a1cc3d130a0d9f18f3f
* https://github.com/phako/dleyna-server/commit/4cfee380092e6f222c3fc2e727439c7e5830017d
Thanks for considering the patch.
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy
APT policy: (500, 'jammy')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-25-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru dleyna-server-0.6.0/debian/control dleyna-server-0.6.0/debian/control
--- dleyna-server-0.6.0/debian/control 2021-11-07 01:46:20.000000000 -0600
+++ dleyna-server-0.6.0/debian/control 2022-04-10 12:38:22.000000000 -0500
@@ -1,8 +1,7 @@
Source: dleyna-server
Section: net
Priority: optional
-Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
-XSBC-Original-Maintainer: Debian QA Group <packages@qa.debian.org>
+Maintainer: Debian QA Group <packages@qa.debian.org>
Build-Depends: debhelper-compat (= 12),
libglib2.0-dev,
libgssdp-1.2-dev (>= 0.13.2),
diff -Nru dleyna-server-0.6.0/debian/patches/3f62e9fb.patch dleyna-server-0.6.0/debian/patches/3f62e9fb.patch
--- dleyna-server-0.6.0/debian/patches/3f62e9fb.patch 1969-12-31 18:00:00.000000000 -0600
+++ dleyna-server-0.6.0/debian/patches/3f62e9fb.patch 2022-04-10 12:33:17.000000000 -0500
@@ -0,0 +1,63 @@
+From 3f62e9fbd3de11df52184ca8dfcabfb7d1c0fdeb Mon Sep 17 00:00:00 2001
+From: Robert Tiemann <rtie@gmx.de>
+Date: Fri, 17 May 2019 12:43:04 +0200
+Subject: [PATCH] Avoid possible crash when getting server properties.
+
+The crash occurs when calling dls_device_get_all_props() for a content
+directory server that we have not yet subscribed to (that is,
+prv_cds_subscribed() returns FALSE in
+prv_get_system_update_id_for_props()). This crash is caused by an
+invalid GVariantBuilder passed to g_variant_builder_end() in
+prv_get_sleeping_for_props(), leading to a NULL result pointer being
+passed to dls_async_task_complete(). A GVariant is attempted to be
+constructed from this NULL pointer in dls_task_complete().
+
+Here is the call chain that leads to the crash:
+
+ dls_device_get_all_props()
+ prv_get_system_update_id_for_props()
+ gupnp_service_proxy_begin_action("GetSystemUpdateID") -> prv_system_update_id_for_props_cb()
+ prv_system_update_id_for_props_cb()
+ prv_get_sr_token_for_props()
+ prv_get_sleeping_for_props()
+ dls_async_task_complete()
+ cb_data->cb() -> prv_async_task_complete()
+ prv_async_task_complete()
+ dls_task_complete()
+ g_variant_new()
+
+The crash was most likely observed when a device running Plex Media
+Server was present on the network.
+
+This commit moves the call of g_variant_builder_end() in
+prv_system_update_id_for_props_cb() (which invalidates the
+GVariantBuilder used later in prv_get_sleeping_for_props()) to the
+error handling branch. This leaves the GVariantBuilder alone and
+allows prv_get_sr_token_for_props() or one of its descendants to call
+g_variant_builder_end() and complete the task.
+---
+ libdleyna/server/device.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/libdleyna/server/device.c b/libdleyna/server/device.c
+index d77dfbc..8777da0 100644
+--- a/libdleyna/server/device.c
++++ b/libdleyna/server/device.c
+@@ -2256,15 +2256,14 @@ static void prv_system_update_id_for_props_cb(GUPnPServiceProxy *proxy,
+ DLS_SYSTEM_UPDATE_VAR,
+ g_variant_new_uint32(id));
+
+- cb_data->task.result = g_variant_ref_sink(g_variant_builder_end(
+- cb_task_data->vb));
+-
+ on_complete:
+
+ if (!cb_data->error)
+ prv_get_sr_token_for_props(proxy, cb_data->task.target.device,
+ cb_data);
+ else {
++ cb_data->task.result = g_variant_ref_sink(g_variant_builder_end(
++ cb_task_data->vb));
+ (void) g_idle_add(dls_async_task_complete, cb_data);
+ g_cancellable_disconnect(cb_data->cancellable,
+ cb_data->cancel_id);
diff -Nru dleyna-server-0.6.0/debian/patches/4cfee380.patch dleyna-server-0.6.0/debian/patches/4cfee380.patch
--- dleyna-server-0.6.0/debian/patches/4cfee380.patch 1969-12-31 18:00:00.000000000 -0600
+++ dleyna-server-0.6.0/debian/patches/4cfee380.patch 2022-04-10 12:37:45.000000000 -0500
@@ -0,0 +1,22 @@
+From 4cfee380092e6f222c3fc2e727439c7e5830017d Mon Sep 17 00:00:00 2001
+From: Jens Georg <mail@jensge.org>
+Date: Sat, 23 Jan 2021 20:48:15 +0100
+Subject: [PATCH] [Device] Properly initialize buffer
+
+---
+ libdleyna/server/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libdleyna/server/device.c b/libdleyna/server/device.c
+index df58900..a6b3b6d 100644
+--- a/libdleyna/server/device.c
++++ b/libdleyna/server/device.c
+@@ -5909,7 +5909,7 @@ static uint8_t *prv_hex_str_to_bin(const gchar *hex_str, gsize *out_len)
+ goto on_exit;
+ }
+
+- buffer = g_malloc(len / 2);
++ buffer = g_malloc0(len / 2);
+
+ for (i = 0, j = 0; i < len; i += 2, j++) {
+ if (!prv_hex_char_to_byte(hex_str[i], &buffer[j]))
diff -Nru dleyna-server-0.6.0/debian/patches/bb401fe3.patch dleyna-server-0.6.0/debian/patches/bb401fe3.patch
--- dleyna-server-0.6.0/debian/patches/bb401fe3.patch 1969-12-31 18:00:00.000000000 -0600
+++ dleyna-server-0.6.0/debian/patches/bb401fe3.patch 2022-04-10 12:36:14.000000000 -0500
@@ -0,0 +1,39 @@
+From bb401fe30f1b42d20bf65a1cc3d130a0d9f18f3f Mon Sep 17 00:00:00 2001
+From: Jens Georg <mail@jensge.org>
+Date: Sat, 23 Jan 2021 20:46:30 +0100
+Subject: [PATCH] [Device] Fix use-after-free
+
+---
+ libdleyna/server/device.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libdleyna/server/device.c b/libdleyna/server/device.c
+index 8777da0..df58900 100644
+--- a/libdleyna/server/device.c
++++ b/libdleyna/server/device.c
+@@ -5789,6 +5789,7 @@ static void tcp_wake_cb(GObject *source, GAsyncResult *result,
+ dls_async_task_t *cb_data = (dls_async_task_t *)tcp_data->task;
+ GError *tcp_error = NULL;
+ gssize written;
++ guint max_wake_on_delay;
+
+ DLEYNA_LOG_DEBUG("Enter");
+
+@@ -5854,6 +5855,8 @@ static void tcp_wake_cb(GObject *source, GAsyncResult *result,
+ goto on_exit;
+
+ on_complete:
++ // Save no delay for potential use later
++ max_wake_on_delay = tcp_data->max_wake_on_delay;
+ prv_free_tcp_data(tcp_data);
+
+ if (!g_cancellable_is_cancelled(cb_data->cancellable)) {
+@@ -5861,7 +5864,7 @@ static void tcp_wake_cb(GObject *source, GAsyncResult *result,
+
+ if (cb_data->task.target.device->sleeping_context != NULL)
+ prv_start_wake_on_watcher(cb_data->task.target.device,
+- tcp_data->max_wake_on_delay);
++ max_wake_on_delay);
+ }
+
+ g_cancellable_disconnect(cb_data->cancellable, cb_data->cancel_id);
diff -Nru dleyna-server-0.6.0/debian/patches/series dleyna-server-0.6.0/debian/patches/series
--- dleyna-server-0.6.0/debian/patches/series 2021-02-03 19:14:00.000000000 -0600
+++ dleyna-server-0.6.0/debian/patches/series 2022-04-10 12:37:54.000000000 -0500
@@ -1 +1,4 @@
git_newgupnp_build.patch
+3f62e9fb.patch
+bb401fe3.patch
+4cfee380.patch
Reply to: