{"object_kind":"push","event_name":"push","before":"ef2541a1efdd54f17bd1a97c58df23e5231fdae7","after":"dac6b4f2c5dd3401b4d054b2bd91eeb85f195382","ref":"refs/heads/master","ref_protected":true,"checkout_sha":"dac6b4f2c5dd3401b4d054b2bd91eeb85f195382","message":null,"user_id":3060,"user_name":"Wim Taymans","user_username":"wtaymans","user_email":"","user_avatar":"https://secure.gravatar.com/avatar/1ca1bed246cb9b95b7ead6d6be96bb09f0c112953140c8bb38b41aedf4465270?s=80&d=identicon","project_id":4753,"project":{"id":4753,"name":"pipewire","description":"Multimedia processing graphs","web_url":"https://gitlab.freedesktop.org/pipewire/pipewire","avatar_url":"https://gitlab.freedesktop.org/uploads/-/system/project/avatar/4753/pipewire.png","git_ssh_url":"git@ssh.gitlab.freedesktop.org:pipewire/pipewire.git","git_http_url":"https://gitlab.freedesktop.org/pipewire/pipewire.git","namespace":"PipeWire","visibility_level":20,"path_with_namespace":"pipewire/pipewire","default_branch":"master","ci_config_path":"","homepage":"https://gitlab.freedesktop.org/pipewire/pipewire","url":"git@ssh.gitlab.freedesktop.org:pipewire/pipewire.git","ssh_url":"git@ssh.gitlab.freedesktop.org:pipewire/pipewire.git","http_url":"https://gitlab.freedesktop.org/pipewire/pipewire.git"},"commits":[{"id":"6ea673b68a6ad57cdf0f3de3d1c4085d5c4520da","message":"security: fix issues in pulse module core files\n\n- volume.c: add spa_pod_is_object check before casting param to\n  spa_pod_object, preventing out-of-bounds reads on malformed pods\n- manager.c: add NULL check for p->param in has_param before\n  dereferencing via SPA_POD_SIZE\n- snap-policy.c: check strings1[1] and strings2[1] for NULL before\n  passing to g_str_equal, fixing wrong operand order\n- format.c: use map->channels consistently in format_build_param\n\nCo-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>\n","title":"security: fix issues in pulse module core files","timestamp":"2026-04-30T17:08:04+02:00","url":"https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/6ea673b68a6ad57cdf0f3de3d1c4085d5c4520da","author":{"name":"Wim Taymans","email":"wtaymans@redhat.com"},"added":[],"modified":["src/modules/module-protocol-pulse/format.c","src/modules/module-protocol-pulse/manager.c","src/modules/module-protocol-pulse/snap-policy.c","src/modules/module-protocol-pulse/volume.c"],"removed":[]},{"id":"99a89f8bd46fb465616f244e2afdb79d89f31cfb","message":"security: fix stack overflow via strndupa on long device names\n\nA client-supplied device name ending in \".monitor\" was stack-allocated\nvia strndupa without any size limit. Since protocol messages can be up\nto 16MB, a malicious client could send a very long device name and\noverflow the stack, crashing the daemon.\n\nCap the strndupa length at MAX_NAME (1024) in both find_device and\ndo_set_default.\n\nCo-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>\n","title":"security: fix stack overflow via strndupa on long device names","timestamp":"2026-04-30T17:18:06+02:00","url":"https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/99a89f8bd46fb465616f244e2afdb79d89f31cfb","author":{"name":"Wim Taymans","email":"wtaymans@redhat.com"},"added":[],"modified":["src/modules/module-protocol-pulse/pulse-server.c"],"removed":[]},{"id":"c38a32e2e1df472ecaf3ba583c9b598a985806e1","message":"security: fix NULL pointer dereference in LADSPA sink/source modules\n\nWhen sink_name/source_name is not provided, pw_properties_get for\nPW_KEY_NODE_NAME returns NULL, which is then passed to\npw_properties_setf as a %s argument.\n\nAdd NULL check before calling pw_properties_setf.\n\nCo-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>\n","title":"security: fix NULL pointer dereference in LADSPA sink/source modules","timestamp":"2026-04-30T17:24:52+02:00","url":"https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/c38a32e2e1df472ecaf3ba583c9b598a985806e1","author":{"name":"Wim Taymans","email":"wtaymans@redhat.com"},"added":[],"modified":["src/modules/module-protocol-pulse/modules/module-ladspa-sink.c","src/modules/module-protocol-pulse/modules/module-ladspa-source.c"],"removed":[]},{"id":"dac6b4f2c5dd3401b4d054b2bd91eeb85f195382","message":"security: clamp negative max-clients config to zero in pulse server\n\nA negative max-clients value in the config is parsed as int then\nassigned to uint32_t, wrapping to UINT32_MAX and effectively\ndisabling the client limit.\n\nCo-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>\n","title":"security: clamp negative max-clients config to zero in pulse server","timestamp":"2026-04-30T17:28:02+02:00","url":"https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/dac6b4f2c5dd3401b4d054b2bd91eeb85f195382","author":{"name":"Wim Taymans","email":"wtaymans@redhat.com"},"added":[],"modified":["src/modules/module-protocol-pulse/server.c"],"removed":[]}],"total_commits_count":4,"push_options":{},"repository":{"name":"pipewire","url":"git@ssh.gitlab.freedesktop.org:pipewire/pipewire.git","description":"Multimedia processing graphs","homepage":"https://gitlab.freedesktop.org/pipewire/pipewire","git_http_url":"https://gitlab.freedesktop.org/pipewire/pipewire.git","git_ssh_url":"git@ssh.gitlab.freedesktop.org:pipewire/pipewire.git","visibility_level":20}}