Re: CVE request: WebKit-GTK + Puseaudio: unexpectedly high sound volume
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Mon, 10 Feb 2014 22:18:20 +0600
23.10.2013 00:48, I wrote:
Some time ago I reported an issue:
http://seclists.org/oss-sec/2013/q4/35, but decided not to request
a CVE at that time, because I wanted to collect opinions on the topic
"who should fix what". I have collected them from both involved
parties and thus now request a CVE ID for this coordination issue /
case of contradicting requirements. Please let me know if I have
omitted any of the required information.
Let me reproduce the most important part of my initial report.
The following combination of software has a nasty bug when used
together, that I personally consider to be a vulnerability:
* PulseAudio (any version, especially when used in flat-volume mode
that is the default everywhere except Ubuntu).
* Any browser based on Webkit-GTK 2.x (any version with HTML5
audio/video support based on GStreamer).
cause an audio file to play at an unexpectedly high volume, not
obeying the volume that the user has set for the web browser in
pavucontrol or gnome-volume-control, and effectively not letting the
user move the volume slider corresponding to the web browser. When
flat volumes are in effect, the web page can play that audio file at
the full volume that the sound card is capable of, which can in some
cases damage loudspeakers (especially tweeters) or the user's hearing.
The reproducer (that just sets the volume at regular intervals using a
timer) is already public at http://jsfiddle.net/bteam/FbkGD/ and can
be trivially enhanced to also prevent muting of the audio stream. View
that in Epiphany or Midori on any Linux distribution except Ubuntu.
Personally, I classify  as an annoyance-class bug (but still a bug)
and  as a security issue.
Given the recent news story about VLC and Dell, I want to bump this
topic (because it is relevant, exploitable automatically, and because I
have warned about hardware damage) and maybe get a CVE ID.
Alexander E. Patrakov