[pulseaudio-discuss] PulseAudio vulnerable to CVE-2009-1894
Lennart Poettering
lennart at poettering.net
Wed Jul 22 10:37:28 PDT 2009
On Thu, 16.07.09 16:16, Diego E. “Flameeyes” Pettenò (flameeyes at gmail.com) wrote:
> Blatantly copying the Gentoo Advisory (since they are the security team
> I have contact with) you can find all the needed information here.
BTW, would be great if the security folks themselves would actually
contact upstream with this. All they can do is whine that we don't take
the security issues serious enough. But uh, it's a bit hard to do that
if we are only informed indirectly via the distros. Gah.
> The fix (pending merge on master branch) is available on my branch:
>
> http://gitorious.org/~flameeyes/pulseaudio/flameeyes-pulseaudio
>
> http://gitorious.org/~flameeyes/pulseaudio/flameeyes-pulseaudio/commit/84200b423ebfa7e2dad9b1b65f64eac7bf3d2114
I am not conviced that this is the right fix. The documentation on "-z
now" is a bit terse. The way I understood it it actually only effects
the .so or binary we are linking and not recursively all objects that
might be pulled in indirectly. Due to that LD_BIND_NOW has a greater
effect than -z now. But uh, I am not sure if my reading is correct.
OTOH the whole feature of enforcing immediate binding is a bit
snake-oilish. And redundant on prelink-enabled systems. So maybe
dropping the entire feature wouldn't be that bad after all...
Lennart
--
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/ GnuPG 0x1A015CC4
More information about the pulseaudio-discuss
mailing list