Pulseaudio fails to check the return value of setuid().
Sound please advise.
Okay so I looked at the code, the setuid() call is actually unlikely to be used in Gentoo, as it's protected by a !defined(HAVE_SETRESUID) and !defined(HAVE_SETREUID). I have a patch to fix the function not to ignore setuid() call. But I don't have time _right now_ to check if this is enough to make sure the server is secure. On the other hand, I've just seen Lennart tagging the release 0.9.9 ... and I didn't see any fix for this, which makes me a bit concerned.
Okay, the fix will be released in version 0.9.9 for which the ebuild are ready on my repository ready to be committed once the tarball is available. Note: there will be three revisions for the 0.9.9 release: 0.9.9(-r0): this is what you want to mark stable, it's based off 0.9.8-r6; 0.9.9-r1: has to stay ~arch, it has glib as optional with an USE flag; 0.9.9-r2: has to stay package.masked, it will be the baselayout 2 version; Please also CC bsd together with the other arches as they'll lose their highest ~arch version. for bsd, arm, sh and ppc keywording requests refer to bug #200076.
Arches, please test and mark stable: =media-sound/pulseaudio-0.9.9 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86 ~x86-fbsd"
@betelgeuse, Is this gonna cause any problems for stabling bluez-{libs,utils}-3.x? Any preference on which version to go stable?
(In reply to comment #5) > @betelgeuse, > > Is this gonna cause any problems for stabling bluez-{libs,utils}-3.x? > > Any preference on which version to go stable? > If you stable bluez-3* you will screw users big time.
I suppose we could package.use.mask bluetooth for the 0.9.9-r0 revision.
(In reply to comment #7) > I suppose we could package.use.mask bluetooth for the 0.9.9-r0 revision. > I have been meaning to work on getting bluez-3 stable for ages but probably best for now would be to keep bluetooth only for ~arch users.
Tested =media-sound/pulseaudio-0.9.9 with USE="X alsa dbus gnome hal -asyncns -avahi -bluetooth -caps -jack -libsamplerate (-lirc) -oss (-policykit) -tcpd" and with USE="alsa dbus hal -X -asyncns -avahi -bluetooth -caps -gnome -jack -libsamplerate (-lirc) -oss (-policykit) -tcpd" on sparc. - emerges fine - test phase runs fine(well, it has a test phase but no real tests) - no collisions works! # emerge --info Portage 2.1.3.19 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r3 sparc64) ================================================================= System uname: 2.6.23-gentoo-r3 sparc64 sun4u Timestamp of tree: Thu, 24 Jan 2008 20:00:01 +0000 app-shells/bash: 3.2_p17-r1 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.10-r5 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="sparc" CBUILD="sparc-unknown-linux-gnu" CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers" CHOST="sparc-unknown-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CPPFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers" CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers" DISTDIR="/tmp/distfiles" FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sanxbox strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="de_DE.UTF-8" LDFLAGS="-Wl,-O1" LINGUAS="en de" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="64bit 7zip X a52 aac aalib alsa artworkextra audacious blender-game bzip2 cups custom-cflags cvs dbus dga divx dts dv dvd dvdread encode fat ffmpeg flac ftp fuse gd gif gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 ithreads javascript jpeg jpeg2k lzo mad mjpeg mp2 mp3 mpeg mpeg2 mplayer musepack nautilus ncurses network networking nls nptl nptlonly nsplugin offensive ogg openal opengl opera pam png pnm quicktime regex ruby samba sdl slang smp sms sound soundex sparc speex spell sqlite3 ssl subversion svg symlink test theora threads tiff truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax vim-with-x vorbis wma wmf x264 xanim xcb xfce xine xinerama xorg xulrunner xv xvid zlib" ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa lfloat linear meter mulaw multi null rate route share shm" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="mach64" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #7) > I suppose we could package.use.mask bluetooth for the 0.9.9-r0 revision. I did that in base profile. x86 stable.
er...this has an use-flag on policykit, which is masked. So i can't commit...Opfer, you broke it!
(In reply to comment #11) > er...this has an use-flag on policykit, which is masked. Yes...and that's why repoman bails out with no reason. There is the --force flag. It was "broken" before and after my x86 stabilisation.
Ok, some warnings in SELinux profiles have been resolved by masking USE=policykit for pulseaudio...but things like media-sound/pulseaudio/pulseaudio-0.9.9.ebuild: x86(default-linux/x86/no-nptl) ['sys-auth/policykit'] I don't understand. no-nptl is child of x86, is child of default-linux, is child of base. And USE=policykit is masked in base.
ppc64 stable
(In reply to comment #13) > Ok, some warnings in SELinux profiles have been resolved by masking > USE=policykit for pulseaudio...but things like > > media-sound/pulseaudio/pulseaudio-0.9.9.ebuild: > x86(default-linux/x86/no-nptl) ['sys-auth/policykit'] > > I don't understand. no-nptl is child of x86, is child of default-linux, is > child of base. And USE=policykit is masked in base. > This is due to interference from the "=media-sound/pulseaudio-0.9.9 bluetooth" entry in the base profile. It causes portage to ignore the "media-sound/pulseaudio policykit" entry when calculating use masks for pulseaudio-0.9.9. I've added a "=media-sound/pulseaudio-0.9.9 policykit" entry to serve as a workaround. I'll think about changing this behavior since it seems confusing and error prone.
alpha/ia64/sparc stable, thanks Tobias and Friedrich Opfer, i'm removing you from cc since zmedico fixed this :)
Stable for HPPA.
ppc stable
stable on amd64 [ebuild R ] media-sound/pulseaudio-0.9.9-r1 USE="X alsa avahi caps dbus glib hal tcpd -asyncns -bluetooth -gnome -jack -libsamplerate -lirc -oss (-policykit)" tested using mplayer and mpd, nothing too fancy with source/sink, just basic audio playing.. Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23.9 x86_64) ================================================================= System uname: 2.6.23.9 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4000+ Timestamp of tree: Wed, 06 Feb 2008 03:00:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] app-shells/bash: 3.2_p17-r1 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.10-r5 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -O2 -pipe -fomit-frame-pointer -fweb -ftracer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-march=athlon64 -O2 -pipe -fomit-frame-pointer -fweb -ftracer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--verbose --nospinner" FEATURES="buildpkg collision-protect distlocks fixpackages metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LINGUAS="en" MAKEOPTS="-j5" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://192.168.1.102/gentoo-portage" USE="3dnow X a52 aac acl acpi alsa amd64 ao apache2 audiofile autoipd automount avahi bash-completion berkdb bitmap-fonts bzip2 caps cddb cdparanoia cli cracklib crypt dbus directfb dri dvd encode expat fbcon ffmpeg flac fontconfig ftp gdbm gif gnutella gnutls hal iconv icu id3 idea imagemagick imlib ipv6 isdnlog java jpeg kerberos key-screen lame logrotate lzo mad mdnsresponder-compat midi mmap mmx mp3 mpeg mplayer ncurses network nolvm1 nptl nptlonly ogg openft openmp pam pcre perl png pppd pulseadio pulseaudio python quicktime readline reflection samba sdl search-screen session spl sse sse2 ssl subtitles svg swat syslog tcpd test theora threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xgetdefault xinetd xml xorg xvid zeroconf zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="peruser" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="fbdev radeon radeonhd vesa vga" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 please mark stable.
amd64 stable, sorry for the delay
GLSA 200802-07
Forgot to add... This was fixed in release snapshot.