Florian Steinel reported this to me as I didn't know about it at all; I'll look into backporting the fixes to 0.9.5, but I'm not really sure if that's feasible, considering the sheer quantity. Security team please advise. Thanks in Advance, Diego
I've added pulseaudio-0.9.5-r5 with a patch that should fix all the vulnerabilities. There should be no problem with that going stable, as 0.9.6 stable right now is not something I'd like to see myself.
Thx Diego! Arches please test and mark stable. Target keywords are: pulseaudio-0.9.5-r5.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~x86-fbsd"
Looks like it's not all fixed: ticho@hiker ~ $ ps ax | grep pulse 29103 ? Ss 0:00 /usr/bin/pulseaudio --log-target=syslog --disallow-module-loading=1 --system --fail=1 --daemonize=1 --system 29118 pts/3 R+ 0:00 grep --colour=auto pulse ticho@hiker ~ $ ./p 1 localhost Pulseaudio <= 0.9.5 (rev 1437) termination 0.1 by Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org - check localhost - connect to 127.0.0.1:4713 - check if the server is still up: Server doesn't seem vulnerable ticho@hiker ~ $ ./p 2 localhost Pulseaudio <= 0.9.5 (rev 1437) termination 0.1 by Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org - check localhost - connect to 127.0.0.1:4713 - check if the server is still up: Server IS vulnerable!!! ticho@hiker ~ $ ps ax | grep pulse 29126 pts/3 S+ 0:00 grep --colour=auto pulse ticho@hiker ~ $ The "p" binary comes from compiling the pulsex.zip source at http://aluigi.org/poc/pulsex.zip
Oh, and of course: ticho@hiker ~ $ emerge -pv pulseaudio --nodeps These are the packages that would be merged, in order: [ebuild R ] media-sound/pulseaudio-0.9.5-r5 USE="X alsa hal oss tcpd -avahi -caps -jack -lirc" 0 kB Total: 1 package (1 reinstall), Size of downloads: 0 kB
Back to ebuild.
Sigh, I missed one revision; I've bumped to -r6 and should be fine now; I probably forgot to restart pulseaudio when I testcased the patch (and I had 0.9.6 running).
Thx Diego and Ticho for checking. Please test and mark stable. Target keywords are: pulseaudio-0.9.5-r6.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~x86-fbsd"
sparc stable.
stable on hppa
Gah, back from work at last. -r6 looks good, marked stable on x86.
amd64 done
ppc64 stable
forgot to take a note about the ppc stablize. Done that now.
alpha/ia64 stable
This one is ready for GLSA vote. I vote NO.
voting NO.
