Message-ID: <52579861.2010100@gmail.com>
Date: Fri, 11 Oct 2013 12:19:13 +0600
From: "Alexander E. Patrakov" <patrakov@...il.com>
To: General PulseAudio Discussion <pulseaudio-discuss@...ts.freedesktop.org>
CC: oss-security@...ts.openwall.com, webkit-gtk@...ts.webkit.org
Subject: Re: [pulseaudio-discuss] Vulnerability in Webkit-GTK and PulseAudio
 volume handling

Colin Guthrie wrote:
> What would be more interesting to me would be how the same code works 
> on Windows 7 which I believe also implements a flat volume scheme (not 
> sure about Win 8) and how it handles stream volumes in this context 
> (background: 
> http://www.patrickbaudisch.com/publications/2004-Baudisch-CHI04-FlatVolumeControl.pdf)

Here is a Windows 7 screenshot relevant to the flat volume idea. You 
need it to understand the text below.

http://permalink.gmane.org/gmane.comp.audio.pulseaudio.general/17426

Basically, Windows' flat volumes are just a UI feature of the default 
mixer application. Volume sliders inside applications still show 
relative-to-the-master volumes, as can be seen with Windows media player 
on that screenshot. In other words, Microsoft did not go as far as the 
referenced paper suggests.

As far as testing the bad JavaScript under Windows, I have asked my 
colleague to do just that in all major browsers (Chrome, Firefox, IE 
(with a different media file), non-WebKit Opera, WebKit Opera). Result: 
no bug. JavaScript volume does not correspond to anything in the mixer 
application. The volume slider inside the browser jumps between 99% and 
100%, but the volume slider in the mixer application can be set to any 
value, stays there, and the browser obeys. So the inside-the-browser 
volume control is just an additional element in the path, exposed to the 
user only inside the browser.

-- 
Alexander E. Patrakov
