oss-sec mailing list archives
Re: CVE request: WebKit-GTK + Puseaudio: unexpectedly high sound volume
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Mon, 10 Feb 2014 22:18:20 +0600
23.10.2013 00:48, I wrote:
Hello. Some time ago I have reported an issue: http://seclists.org/oss-sec/2013/q4/35 , but decided not to request CVE at that time, because I wanted to collect opinions on the topic "who should fix what". I have collected them from both involved parties and thus now request a CVE ID for this coordination issue / case of contradicting requirements. Please let me know if I have omitted any of the required information. Let me reproduce the most important part of my initial report. ====== The following combination of software has a nasty bug when used together, that I personally consider to be a vulnerability: * PulseAudio (any version, especially when used in flat-volume mode that is the default everywhere except Ubuntu). * Any browser based on Webkit-GTK 2.x (any version with HTML5 audio/video support based on GStreamer). The bug is that a malicious piece of javascript on the web page can cause an audio file to play at an unexpectedly high volume, not obeying the volume that the user has set for the web browser in pavucontrol or gnome-volume-control, and effectively not letting the user move the volume slider corresponding to the web browser [1]. When flat volumes are in effect, the web page can play that audio file at the full volume that the sound card is capable of, which can in some cases damage loudspeakers (especially tweeters) or the user's hearing [2]. The reproducer (that just sets the volume at regular intervals using a timer) is already public at http://jsfiddle.net/bteam/FbkGD/ and can be trivially enhanced to also prevent muting of the audio stream. View that in Epiphany or Midori on any Linux distribution except Ubuntu. ====== Personally, I classify [1] as an annoyance-class bug (but still a bug) and [2] as a security issue. Relevant links: https://bugs.webkit.org/show_bug.cgi?id=118974 https://bugzilla.gnome.org/show_bug.cgi?id=675217 https://bugs.freedesktop.org/show_bug.cgi?id=46466 https://bugzilla.gnome.org/show_bug.cgi?id=680779
Given the recent news story about VLC and Dell, I want to bump this topic (because it is relevant, exploitable automatically, and because I have warned about hardware damage) and maybe get a CVE ID.
http://hardware.slashdot.org/story/14/02/09/1828229/customer-dell-denies-speaker-repair-under-warranty-blames-vlc -- Alexander E. Patrakov
Current thread:
- Re: CVE request: WebKit-GTK + Puseaudio: unexpectedly high sound volume Alexander E. Patrakov (Feb 10)
- Re: CVE request: WebKit-GTK + Puseaudio: unexpectedly high sound volume cve-assign (Feb 10)