[pulseaudio-discuss] PulseAudio vulnerable to CVE-2009-1894
Zygo Blaxell
zygo.blaxell at xandros.com
Thu Jul 23 11:38:53 PDT 2009
On Wed, Jul 22, 2009 at 07:37:28PM +0200, Lennart Poettering wrote:
> On Thu, 16.07.09 16:16, Diego E. ???Flameeyes??? Petten?? (flameeyes at gmail.com) wrote:
> > The fix (pending merge on master branch) is available on my branch:
> >
> > http://gitorious.org/~flameeyes/pulseaudio/flameeyes-pulseaudio
> >
> > http://gitorious.org/~flameeyes/pulseaudio/flameeyes-pulseaudio/commit/84200b423ebfa7e2dad9b1b65f64eac7bf3d2114
[...]
> OTOH the whole feature of enforcing immediate binding is a bit
> snake-oilish. And redundant on prelink-enabled systems. So maybe
> dropping the entire feature wouldn't be that bad after all...
Coincidentally, for a while now I've been using a modified build
of pulseaudio that has the whole ltdl_bind_now feature stripped out
of it. Why, you might ask? Because without the ltdl_bind_now stuff,
pulse 0.9.15-stable can be built with older versions of libtool and
libltdl-dev (like the ones in Debian Lenny).
I'm not sure quite what the bind_now stuff is trying to achieve.
The stated purpose is simple enough, but as far as I can tell pulse
isn't doing a bunch of other things that would be needed to avoid
all unexpected delays in real-time code (e.g. preloading and locking code
pages in RAM, preallocating stack, and so forth). It also seems to me
that most of these delays can be avoided by simply executing a complete
cycle of the audio processing loop once, and most human observers won't
notice even the worst case delays in the first loop iteration (and
the humans who do notice can start the PA daemon in advance and/or play some
silent preroll samples with the specific sink inputs they intend to use).
So I'm all in favor of dropping the feature. If the ltdl_bind_now stuff
goes away, can the libtool dependency be downgraded as well?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://lists.freedesktop.org/archives/pulseaudio-discuss/attachments/20090723/c9e72e26/attachment.pgp>
More information about the pulseaudio-discuss
mailing list