Date: Mon, 10 Feb 2014 22:18:20 +0600
From: "Alexander E. Patrakov" <patrakov@...il.com>
To: oss-security@...ts.openwall.com
CC: kseifried@...hat.com
Subject: Re: CVE request: WebKit-GTK + PulseAudio: unexpectedly high sound volume

23.10.2013 00:48, I wrote:
> Hello.
>
> Some time ago I reported an issue:
> http://seclists.org/oss-sec/2013/q4/35 , but decided not to request
> a CVE at that time, because I wanted to collect opinions on the topic
> "who should fix what". I have collected them from both involved
> parties and thus now request a CVE ID for this coordination issue /
> case of contradicting requirements. Please let me know if I have
> omitted any of the required information.
>
> Let me reproduce the most important part of my initial report.
>
> ======
> The following combination of software has a nasty bug when used
> together, that I personally consider to be a vulnerability:
>
> * PulseAudio (any version, especially when used in flat-volume mode
>   that is the default everywhere except Ubuntu).
> * Any browser based on WebKit-GTK 2.x (any version with HTML5
>   audio/video support based on GStreamer).
>
> The bug is that a malicious piece of JavaScript on the web page can
> cause an audio file to play at an unexpectedly high volume, not
> obeying the volume that the user has set for the web browser in
> pavucontrol or gnome-volume-control, and effectively not letting the
> user move the volume slider corresponding to the web browser [1]. When
> flat volumes are in effect, the web page can play that audio file at
> the full volume that the sound card is capable of, which can in some
> cases damage loudspeakers (especially tweeters) or the user's hearing
> [2].
>
> The reproducer (that just sets the volume at regular intervals using a
> timer) is already public at http://jsfiddle.net/bteam/FbkGD/ and can
> be trivially enhanced to also prevent muting of the audio stream. View
> that in Epiphany or Midori on any Linux distribution except Ubuntu.
> ======
>
> Personally, I classify [1] as an annoyance-class bug (but still a bug)
> and [2] as a security issue.
>
> Relevant links:
>
> https://bugs.webkit.org/show_bug.cgi?id=118974
> https://bugzilla.gnome.org/show_bug.cgi?id=675217
> https://bugs.freedesktop.org/show_bug.cgi?id=46466
> https://bugzilla.gnome.org/show_bug.cgi?id=680779

Given the recent news story about VLC and Dell, I want to bump this 
topic (because it is relevant, exploitable automatically, and because I 
have warned about hardware damage) and maybe get a CVE ID.

http://hardware.slashdot.org/story/14/02/09/1828229/customer-dell-denies-speaker-repair-under-warranty-blames-vlc

-- 
Alexander E. Patrakov
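
Added example, not part of the original message and not PulseAudio project code: a shell check that reports whether flat-volume mode, the precondition for the full-volume case described above, is in effect according to `daemon.conf`-style files. The function name `flat_volumes_state` is hypothetical; which files the daemon actually reads and the compiled-in default are assumptions the caller supplies.

```shell
#!/bin/sh
# flat_volumes_state DEFAULT FILE...
#   DEFAULT: "enabled" or "disabled", the value assumed when no file sets
#            the key (the distribution's compiled-in default; an assumption
#            supplied by the caller).
#   FILE...: daemon.conf-style files in the order they apply; a later file
#            that sets flat-volumes overrides an earlier one (assumption).
# Prints "enabled" or "disabled".
flat_volumes_state() {
    state=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Drop everything after ';' or '#' (comments), then keep the last
        # "flat-volumes = VALUE" assignment found in this file.
        v=$(sed -e 's/[;#].*$//' "$f" |
            sed -n 's/^[[:space:]]*flat-volumes[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' |
            tail -n 1 | tr '[:upper:]' '[:lower:]')
        case $v in
            1|y|yes|t|true|on)  state=enabled ;;
            0|n|no|f|false|off) state=disabled ;;
            '') ;;   # key not set in this file: keep the earlier value
            *)  echo "warning: unparsable flat-volumes value '$v' in $f" >&2 ;;
        esac
    done
    printf '%s\n' "$state"
}

# Typical call (path is the usual system-wide location):
#   flat_volumes_state enabled /etc/pulse/daemon.conf
```

A result of `enabled` means a per-stream volume set by an application can raise the output device volume itself, which is the flat-volume condition the report describes.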
