| Summary: | media-sound/pulseaudio-0.9.5 multiple DoS vulnerabilities (CVE-2007-1804) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Diego Elio Pettenò (RETIRED) <flameeyes> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | sound |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://pulseaudio.org/ticket/67 | | |
| Whiteboard: | B3 [noglsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 180117 | | |
| Bug Blocks: | | | |

Description
Diego Elio Pettenò (RETIRED)
2007-05-29 10:45:10 UTC
I've added pulseaudio-0.9.5-r5 with a patch that should fix all the vulnerabilities. There should be no problem with that going stable, as 0.9.6 stable right now is not something I'd like to see myself.

Thx Diego! Arches please test and mark stable. Target keywords are:

    pulseaudio-0.9.5-r5.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~x86-fbsd"

Looks like it's not all fixed:

    ticho@hiker ~ $ ps ax | grep pulse
    29103 ? Ss 0:00 /usr/bin/pulseaudio --log-target=syslog --disallow-module-loading=1 --system --fail=1 --daemonize=1 --system
    29118 pts/3 R+ 0:00 grep --colour=auto pulse
    ticho@hiker ~ $ ./p 1 localhost
    Pulseaudio <= 0.9.5 (rev 1437) termination 0.1
    by Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: aluigi.org
    - check localhost
    - connect to 127.0.0.1:4713
    - check if the server is still up:
    Server doesn't seem vulnerable
    ticho@hiker ~ $ ./p 2 localhost
    Pulseaudio <= 0.9.5 (rev 1437) termination 0.1
    by Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: aluigi.org
    - check localhost
    - connect to 127.0.0.1:4713
    - check if the server is still up:
    Server IS vulnerable!!!
    ticho@hiker ~ $ ps ax | grep pulse
    29126 pts/3 S+ 0:00 grep --colour=auto pulse
    ticho@hiker ~ $

The "p" binary comes from compiling the pulsex.zip source at http://aluigi.org/poc/pulsex.zip

Oh, and of course:

    ticho@hiker ~ $ emerge -pv pulseaudio --nodeps
    These are the packages that would be merged, in order:
    [ebuild R ] media-sound/pulseaudio-0.9.5-r5 USE="X alsa hal oss tcpd -avahi -caps -jack -lirc" 0 kB
    Total: 1 package (1 reinstall), Size of downloads: 0 kB

Back to ebuild.

Sigh, I missed one revision; I've bumped to -r6 and should be fine now; I probably forgot to restart pulseaudio when I testcased the patch (and I had 0.9.6 running).

Thx Diego and Ticho for checking. Please test and mark stable. Target keywords are:

    pulseaudio-0.9.5-r6.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~x86-fbsd"

sparc stable.

stable on hppa

Gah, back from work at last. -r6 looks good, marked stable on x86.

amd64 done

ppc64 stable

forgot to take a note about the ppc stabilize. Done that now.

alpha/ia64 stable

This one is ready for GLSA vote. I vote NO.

voting NO.