From cd00ea2462dcf39d50a13f27b61756e838e77e7c Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Thu, 23 Apr 2026 17:18:04 +0200 Subject: [PATCH] security: clear sensitive auth data from stack buffers in RAOP Information Disclosure: Medium The MD5_hash() function formats password material into a 1024-byte stack buffer for hashing but never clears it afterward. Similarly, the Basic auth path in rtsp_add_raop_auth_header() formats username:password into a stack buffer without clearing it. These buffers remain on the stack after the functions return, and could be exposed through memory disclosure vulnerabilities, core dumps, or memory inspection. Clear the buffers with explicit_bzero() immediately after they are no longer needed, consistent with the existing practice of clearing the password before freeing in impl_destroy(). Co-Authored-By: Claude Opus 4.6 --- src/modules/module-raop-sink.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/modules/module-raop-sink.c b/src/modules/module-raop-sink.c index 593352b80..6e85f7d61 100644 --- a/src/modules/module-raop-sink.c +++ b/src/modules/module-raop-sink.c @@ -707,6 +707,7 @@ static int MD5_hash(char hash[MD5_HASH_LENGTH+1], const char *fmt, ...) size = MD5_DIGEST_LENGTH; EVP_Digest(buffer, strlen(buffer), d, &size, EVP_md5(), NULL); + explicit_bzero(buffer, sizeof(buffer)); for (i = 0; i < MD5_DIGEST_LENGTH; i++) snprintf(&hash[2*i], 3, "%02x", (uint8_t) d[i]); hash[MD5_HASH_LENGTH] = '\0'; @@ -725,6 +726,7 @@ static int rtsp_add_raop_auth_header(struct impl *impl, const char *method) char enc[512]; spa_scnprintf(buf, sizeof(buf), "%s:%s", RAOP_AUTH_USER_NAME, impl->password); pw_base64_encode((uint8_t*)buf, strlen(buf), enc, '='); + explicit_bzero(buf, sizeof(buf)); spa_scnprintf(auth, sizeof(auth), "Basic %s", enc); } else if (spa_streq(impl->auth_method, "Digest")) {