Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 10 Feb 2014 13:40:49 -0500 (EST)
From: cve-assign@...re.org
To: patrakov@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: WebKit-GTK + Puseaudio: unexpectedly high sound volume

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://openwall.com/lists/oss-security/2013/10/08/4

> The following combination of software has a nasty bug when used 
> together, that I personally consider to be a vulnerability:
> 
> * PulseAudio (any version, especially when used in flat-volume mode that 
> is the default everywhere except Ubuntu).
> * Any browser based on Webkit-GTK 2.x (any version with HTML5 
> audio/video support based on GStreamer).


> http://openwall.com/lists/oss-security/2013/10/21/7

> For each of the two points below, there is a (non-100%) majority
> supporting it.
> 
> 1. This is not an audio issue. It is a sandboxing issue in Webkit-GTK.
> 
> (that's the statement that Arun needs to think about a bit more, but
> which, I think, captures the most essential component of the problem,
> even without flat volumes, due to disobeying sliders in pavucontrol if
> a web app resets the volume using a periodic timer)
> 
> 2. There is nothing to fix in PulseAudio code.


> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23642
> Comment 1

> WebKitGtk+ is ok as it is now and complies with the standard, though I
> agree with you that there's a security issue with the volume and I
> think the problem is with the standard.

It is conceivable for a CVE assignment to apply to a combination of
two products, and not apply to either product alone, but we prefer not
to do that if there's any type of (partial) agreement that one product
could be chosen.

Use CVE-2013-7324 for this issue in WebKit-GTK. When the issue is
later listed on the
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7324 web page,
we will try to include a note that the WebKit-GTK behavior complies
with existing W3C standards and existing practices for GNOME desktop
integration.


> PulseAudio's security model is based on clients not sending malicious
> requests to change the stream volume

If there ever happens to be a later vendor announcement that this
model is incorrect, and that a different model is required as a
security fix, then a second CVE assignment could be made.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS+RxLAAoJEKllVAevmvmsbocIAMkf8XGhegKtNyseitiL19FK
G9Ap7h2kVTUEC8QP3B02YZ+8ti1C3B8Tbx6O4k5GhTFSOgsr1uDX81vhmSFSY9or
3CskFqsNoe/c+LEZeeW0lThr6AG35EBzmIBuIpmxOHk52raWi/KEviM58I0GijzU
1JbsI6FtnOfCOXGXeScl3yBigiEX66uAi0ZcHuhJanJuye+wk/JUaB/GZxyL/tu+
srHc6bi55sZ2/52nv7qViug+Y9uUkUTdvfTJzyQ4/XBwsvlE2tp7k7Q0JD8qrXbb
JENELCwpDfN4bNS7hCj8y/De0dEH9WXtIuNM6GXRe1gLaoDJcMWhmWYp5A0wi+I=
=pkWX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.