fdo-mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-28 01:18:19 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
pipewire/src
History
Wim Taymans cd00ea2462 security: clear sensitive auth data from stack buffers in RAOP 
Information Disclosure: Medium

The MD5_hash() function formats password material into a 1024-byte
stack buffer for hashing but never clears it afterward. Similarly,
the Basic auth path in rtsp_add_raop_auth_header() formats
username:password into a stack buffer without clearing it.

These buffers remain on the stack after the functions return, and
could be exposed through memory disclosure vulnerabilities, core
dumps, or memory inspection.

Clear the buffers with explicit_bzero() immediately after they are
no longer needed, consistent with the existing practice of clearing
the password before freeing in impl_destroy().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-23 17:49:43 +02:00
..
daemon filter-chain: update virtual surround with convolver2 2026-04-21 17:03:55 +02:00
examples impl-node: accept more node.passive values 2026-03-12 17:25:36 +01:00
gst gst: fix crop height typo in pipewiresink do_send_buffer 2026-04-21 20:19:24 +01:00
modules security: clear sensitive auth data from stack buffers in RAOP 2026-04-23 17:49:43 +02:00
pipewire security: fix missing fdopen() NULL check in conf.c 2026-04-23 17:45:29 +02:00
tests stream: return -EIO when doing get_time in != STREAMING 2026-02-12 12:26:33 +01:00
tools security: fix integer overflow in DSF file buffer allocation 2026-04-23 16:59:14 +02:00
meson.build meson.build: fix compile with -Dexamples=disabled 2023-11-28 10:18:25 +00:00