oss-sec mailing list archives
Re: Re: [pulseaudio-discuss] Vulnerability in Webkit-GTK and PulseAudio volume handling
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Fri, 11 Oct 2013 15:38:35 +0600
Xabier RodrÃguez Calvar wrote:
For Colin to know, before touching anything in WebKitGtk+ the behavior
was that the volume was ramping up to 100% with every website regardless
their volume control.
I met Slomo and Lennart at GUADEC and we thought that the best was
letting the sink, pulsesink in this case, set the volume and we would
just get that for the slider, regardless the volume model applied. This
was supposed to be a good compromise for the different situations (using
PA with or without flat volumes, using another sink) as volume wouldn't
ramp up to 100% always.
There are some other restrictions we have to observe, though:
1. We want to be agnostic of the GStreamer sink used and of course,
to the volume model used by pulse, because we don't know it.
2. We want to allow audio passthrough when possible.
3. We want to be coherent with the rest of GNOME apps, and the
volume model they are using.
4. We have to comply with the HTML5 W3C standard that says that
volume will be 100% by default, though user agents can decide to
restore former volume (perfect if we let pulse decide it).
We would easily add a GStreamer volume element and solve what Alexander
says, buy we would be breaking 2 and 3 rules and to fulfill 3 and 4, I
actually tested that with the proposed fix, the volume could still ramp
up to 100% because in our opinion, it is up to the web developer to
sanitize their volume management or up to the user to change the volume
model.
Well, my point is exactly that items (2) or (3) don't (and can't) make any sense in the context of web apps (or rather, in _any_ context of potentially untrusted non-native apps), even if a sane (non-flat) volume model is implemented in PulseAudio. Please don't try to do the impossible.
My current viewpoint is that the root of the problem is not in flat volumes (they are just an aggravating factor), but in the fact that untrusted javascript volume is directly connected to a pavucontrol slider, potentially making that slider disobey the user.
And this is not about sanitizing the volume management in non-malicious web pages. As I already said, this is about deliberately-malicious scripts whose (no matter absolute or relative) volume and mute status cannot be overridden. Think of them as a sound equivalent of a "1000 popups" problem.
P.S. I am not currently registered for GStreamer conference - should I do so in order to discuss the issue in person with you or with other GStreamer developers, or is my current LinuxCon registration sufficient?
-- Alexander E. Patrakov
Current thread:
- Vulnerability in Webkit-GTK and PulseAudio volume handling Alexander E. Patrakov (Oct 08)
- Re: Vulnerability in Webkit-GTK and PulseAudio volume handling Colin Guthrie (Oct 10)
- Re: [pulseaudio-discuss] Vulnerability in Webkit-GTK and PulseAudio volume handling Alexander E. Patrakov (Oct 10)
- Re: [pulseaudio-discuss] Vulnerability in Webkit-GTK and PulseAudio volume handling Xabier RodrÃguez Calvar (Oct 11)
- Re: Re: [pulseaudio-discuss] Vulnerability in Webkit-GTK and PulseAudio volume handling Alexander E. Patrakov (Oct 11)
- Message not available
- Re: [pulseaudio-discuss] Vulnerability in Webkit-GTK and PulseAudio volume handling Alexander E. Patrakov (Oct 21)
- Re: Vulnerability in Webkit-GTK and PulseAudio volume handling Colin Guthrie (Oct 10)