Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: WebKit-GTK + Puseaudio: unexpectedly high sound volume
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Mon, 10 Feb 2014 22:18:20 +0600

23.10.2013 00:48, I wrote:
Hello.

Some time ago I have reported an issue:
http://seclists.org/oss-sec/2013/q4/35 , but decided not to request
CVE at that time, because I wanted to collect opinions on the topic
"who should fix what". I have collected them from both involved
parties and thus now request a CVE ID for this coordination issue /
case of contradicting requirements. Please let me know if I have
omitted any of the required information.

Let me reproduce the most important part of my initial report.

======
The following combination of software has a nasty bug when used
together, that I personally consider to be a vulnerability:

* PulseAudio (any version, especially when used in flat-volume mode
that is the default everywhere except Ubuntu).
  * Any browser based on Webkit-GTK 2.x (any version with HTML5
audio/video support based on GStreamer).

The bug is that a malicious piece of javascript on the web page can
cause an audio file to play at an unexpectedly high volume, not
obeying the volume that the user has set for the web browser in
pavucontrol or gnome-volume-control, and effectively not letting the
user move the volume slider corresponding to the web browser [1]. When
flat volumes are in effect, the web page can play that audio file at
the full volume that the sound card is capable of, which can in some
cases damage loudspeakers (especially tweeters) or the user's hearing
[2].

The reproducer (that just sets the volume at regular intervals using a
timer) is already public at http://jsfiddle.net/bteam/FbkGD/ and can
be trivially enhanced to also prevent muting of the audio stream. View
that in Epiphany or Midori on any Linux distribution except Ubuntu.
======

Personally, I classify [1] as an annoyance-class bug (but still a bug)
and [2] as a security issue.

Relevant links:

https://bugs.webkit.org/show_bug.cgi?id=118974
https://bugzilla.gnome.org/show_bug.cgi?id=675217
https://bugs.freedesktop.org/show_bug.cgi?id=46466
https://bugzilla.gnome.org/show_bug.cgi?id=680779

Given the recent news story about VLC and Dell, I want to bump this topic (because it is relevant, exploitable automatically, and because I have warned about hardware damage) and maybe get a CVE ID.

http://hardware.slashdot.org/story/14/02/09/1828229/customer-dell-denies-speaker-repair-under-warranty-blames-vlc

--
Alexander E. Patrakov


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault