180203 2007-05-29 10:45 0000 media-sound/pulseaudio-0.9.5 multiple DoS vulnerabilities (CVE-2007-1804) 2007-06-24 23:39:55 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://pulseaudio.org/ticket/67 B3 [noglsa] jaervosz P2 normal --- 180117 1 flameeyes@gentoo.org security@gentoo.org sound@gentoo.org flameeyes@gentoo.org 2007-05-29 10:45:10 0000 Florian Steinel reported this to me as I didn't know about it at all; I'll look into backporting the fixes to 0.9.5, but I'm not really sure if that's feasible, considering the sheer quantity. Security team please advise. Thanks in Advance, Diego flameeyes@gentoo.org 2007-05-29 11:17:47 0000 I've added pulseaudio-0.9.5-r5 with a patch that should fix all the vulnerabilities. There should be no problem with that going stable, as 0.9.6 stable right now is not something I'd like to see myself. jaervosz@gentoo.org 2007-05-30 05:58:56 0000 Thx Diego! Arches please test and mark stable. Target keywords are: pulseaudio-0.9.5-r5.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~x86-fbsd" ticho@gentoo.org 2007-05-30 09:54:42 0000 Looks like it's not all fixed: ticho@hiker ~ $ ps ax | grep pulse 29103 ? Ss 0:00 /usr/bin/pulseaudio --log-target=syslog --disallow-module-loading=1 --system --fail=1 --daemonize=1 --system 29118 pts/3 R+ 0:00 grep --colour=auto pulse ticho@hiker ~ $ ./p 1 localhost Pulseaudio <= 0.9.5 (rev 1437) termination 0.1 by Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org - check localhost - connect to 127.0.0.1:4713 - check if the server is still up: Server doesn't seem vulnerable ticho@hiker ~ $ ./p 2 localhost Pulseaudio <= 0.9.5 (rev 1437) termination 0.1 by Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org - check localhost - connect to 127.0.0.1:4713 - check if the server is still up: Server IS vulnerable!!! ticho@hiker ~ $ ps ax | grep pulse 29126 pts/3 S+ 0:00 grep --colour=auto pulse ticho@hiker ~ $ The "p" binary comes from compiling the pulsex.zip source at http://aluigi.org/poc/pulsex.zip ticho@gentoo.org 2007-05-30 09:59:17 0000 Oh, and of course: ticho@hiker ~ $ emerge -pv pulseaudio --nodeps These are the packages that would be merged, in order: [ebuild R ] media-sound/pulseaudio-0.9.5-r5 USE="X alsa hal oss tcpd -avahi -caps -jack -lirc" 0 kB Total: 1 package (1 reinstall), Size of downloads: 0 kB jaervosz@gentoo.org 2007-05-30 12:23:55 0000 Back to ebuild. flameeyes@gentoo.org 2007-05-30 15:06:51 0000 Sigh, I missed one revision; I've bumped to -r6 and should be fine now; I probably forgot to restart pulseaudio when I testcased the patch (and I had 0.9.6 running). jaervosz@gentoo.org 2007-05-30 17:25:28 0000 Thx Diego and Ticho for checking. Please test and mark stable. Target keywords are: pulseaudio-0.9.5-r6.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~x86-fbsd" gustavoz@gentoo.org 2007-05-30 18:40:13 0000 sparc stable. killerfox@gentoo.org 2007-05-30 20:52:34 0000 stable on hppa ticho@gentoo.org 2007-05-30 21:25:52 0000 Gah, back from work at last. -r6 looks good, marked stable on x86. welp@gentoo.org 2007-06-01 08:14:33 0000 amd64 done corsair@gentoo.org 2007-06-02 08:07:24 0000 ppc64 stable killerfox@gentoo.org 2007-06-02 18:57:47 0000 forgot to take a note about the ppc stablize. Done that now. armin76@gentoo.org 2007-06-02 21:08:43 0000 alpha/ia64 stable jaervosz@gentoo.org 2007-06-03 06:32:58 0000 This one is ready for GLSA vote. I vote NO. dercorny@gentoo.org 2007-06-03 09:25:37 0000 voting NO.