Re: Vulnerability in Webkit-GTK and PulseAudio volume handling

[Colin Guthrie <gmane () colin guthr ie>]

Hi Alexander,

'Twas brillig, and Alexander E. Patrakov at 08/10/13 11:33 did gyre and
gimble:
> Note: this is not a CVE request yet! Before making a formal CVE request,
> I would need to collect "official" information on the topic who needs to
> do what with this bug (although I do have my own opinion, see below).
> For now, I just want to start a discussion by posting this to the
> relevant mailing lists, and also I want to avoid the situation where
> each side blames the other. Please note that I am not an upstream
> developer of any of the mentioned projects. I will attend the audio
> mini-conference at LinuxCon Europe 2013, it is OK to discuss the issue
> there if representatives from both parties intend to come.
>
> The following combination of software has a nasty bug when used
> together, that I personally consider to be a vulnerability:
>
> * PulseAudio (any version, especially when used in flat-volume mode that
> is the default everywhere except Ubuntu).
> * Any browser based on Webkit-GTK 2.x (any version with HTML5
> audio/video support based on GStreamer).
>
> The bug is that a malicious piece of javascript on the web page can
> cause an audio file to play at an unexpectedly high volume, not obeying
> the volume that the user has set for the web browser in pavucontrol or
> gnome-volume-control, and effectively not letting the user move the
> volume slider corresponding to the web browser. When flat volumes are in
> effect, the web page can play that audio file at the full volume that
> the sound card is capable of, which can in some cases damage
> loudspeakers (especially tweeters) or the user's hearing.
>
> The reproducer is already public at http://jsfiddle.net/bteam/FbkGD/ and
> can be trivially enhanced to also prevent muting of the audio stream.
> View that in Epiphany or Midori on any Linux distribution except Ubuntu.
>
> My own opinion is that both parties are equally responsible for the
> vulnerability. The salt of the bug is that PulseAudio's security model
> is based on clients not sending malicious requests to change the stream
> volume, while Webkit passes all volume-changing requests (including
> malicious) to GStreamer, because it has no way of telling user-initiated
> volume change requests from automated malicious ones.
>
> Even with non-flat volumes, passing the javascript-initiated volume
> changes to pulseaudio means that the user cannot drag the "Epiphany"
> volume slider or (with a trivial change to the JavaScript on the page)
> mote the Epiphany stream in pavucontrol. So, in my opinion, using a
> pulseaudio stream volume to represent javascript volume (or, for that
> matter, the volume visible to any other runtime that can execute
> untrusted programs/scripts) is always wrong.
>
> However, the fact that flat volumes are enabled by default in upstream
> PulseAudio makes this small annoyance a real vulnerability. Given that
> the "100% hardware volume" type of bug is still present in some
> applications given the vast amount of time the feature exists, I think
> (but understand that it is an extreme position) that flat-volume mode,
> by its mere existence, is a bug that needs to be removed. At the very
> minimum, there is a documentation bug: it is nowhere explained that you
> should never use PulseAudio stream volumes (and for that matter,
> gstreamer sink volumes) for things that are not guaranteed to directly
> correspond to user-draggable volume sliders that no automated script can
> also move.
>
> See also:
>
> https://bugs.webkit.org/show_bug.cgi?id=118974
> https://bugzilla.gnome.org/show_bug.cgi?id=675217
> https://bugs.freedesktop.org/show_bug.cgi?id=46466
> https://bugzilla.gnome.org/show_bug.cgi?id=680779

It's certainly an interesting issue and your code highlights the problem
quite well.

I'm not sure I consider it a technical vulnerability tho' (just my
personal opinion) but I do appreciate the damage to both h/w and hearing
that could result and thus I won't argue about classifying it as such.

What would be more interesting to me would be how the same code works on
Windows 7 which I believe also implements a flat volume scheme (not sure
about Win 8) and how it handles stream volumes in this context
(background:
http://www.patrickbaudisch.com/publications/2004-Baudisch-CHI04-FlatVolumeControl.pdf)


Look forward to seeing you in a couple weeks at LinuxCon!

Col


-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/