Pulseaudio in Ubuntu 16.04 contains a potential double-free bug in Bluez 5 module
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pulseaudio (Ubuntu) | Fix Released | Undecided | Avital Ostromich | 
Bug Description
I've found a potential double-free bug in Ubuntu's SCO-over-PCM patch in PA. It creates code paths in pa__init() that will free the modargs twice: in its failure handler and in pa__done(), which is called from that handler. However, I can't find a way to trigger this with the current version of the code, as the failure mode of the code is pretty small.
The way this bug surfaced is when I tried to fix the "profile" option in Pulseaudio for UBports' Ubuntu Touch, where I made it fail if the requested profile isn't supported, thus creating a failure mode that can trigger this. Side note: are you interested in this patch? The profile option in Xenial is currently not working, but I guess nothing in Ubuntu uses it.
I've attached the patch which should fix the bug. I'm not sure if it's worth an SRU or not, so it's up to you.
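An added C example, not code from this bug report, from pulseaudio or from the Ubuntu patch: it reproduces the ownership pattern the description names (a local modargs pointer that is stored in the module's userdata, then freed both by pa__init()'s failure handler and by the pa__done() that handler calls) next to a hardened version, and shows why the bug only becomes reachable once a failing check exists after the hand-off. All names here (modargs_new, modargs_free, module_init_*, module_done, count_double_frees, the profile strings) are constructed stand-ins for pulseaudio's pa_modargs/pa__init/pa__done, and the stand-in allocator quarantines freed objects so a second free is counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for pulseaudio's pa_modargs. It is a real heap
 * object, but the struct itself is quarantined (never handed back to the
 * allocator) and tagged once freed, so a second free is counted instead
 * of corrupting the heap. Hypothetical names, not pulseaudio's API. */
typedef struct modargs {
    char *profile;   /* the "profile=" module argument */
    int freed;       /* set by modargs_free(); a second call is a double free */
} modargs;

static int double_free_count;

static modargs *modargs_new(const char *argument) {
    modargs *ma = calloc(1, sizeof *ma);
    size_t n = strlen(argument) + 1;
    ma->profile = malloc(n);
    memcpy(ma->profile, argument, n);
    return ma;
}

static void modargs_free(modargs *ma) {
    if (!ma)
        return;
    if (ma->freed) {          /* in real code: heap corruption or a crash */
        double_free_count++;
        return;
    }
    ma->freed = 1;
    free(ma->profile);
    ma->profile = NULL;
}

/* Minimal shape of a module and its userdata. */
typedef struct userdata { modargs *modargs; } userdata;
typedef struct module { const char *argument; userdata *userdata; } module;

/* Stand-in for pa__done(): releases whatever userdata owns. */
static void module_done(module *m) {
    userdata *u = m->userdata;
    if (!u)
        return;
    if (u->modargs)
        modargs_free(u->modargs);
    free(u);
    m->userdata = NULL;
}

static int profile_supported(const char *p) {
    return strcmp(p, "a2dp_sink") == 0 || strcmp(p, "headset_head_unit") == 0;
}

/* Vulnerable shape: `ma` is stored in userdata, yet the failure handler
 * still frees the local pointer and then calls module_done(), which frees
 * u->modargs, the same object. With no failing check after the hand-off
 * the path is dead; an "unsupported profile" check makes it reachable. */
static int module_init_vulnerable(module *m) {
    modargs *ma = NULL;
    userdata *u;

    if (!(ma = modargs_new(m->argument)))
        goto fail;
    m->userdata = u = calloc(1, sizeof *u);
    u->modargs = ma;                 /* ownership now shared with u */
    if (!profile_supported(ma->profile))
        goto fail;                   /* reachable failure after the hand-off */
    return 0;

fail:
    if (ma)
        modargs_free(ma);            /* first free */
    module_done(m);                  /* second free of the same object */
    return -1;
}

/* Hardened shape: ownership moves to userdata exactly once, the local
 * pointer is cleared, and only module_done() releases the arguments. */
static int module_init_fixed(module *m) {
    modargs *ma = NULL;
    userdata *u;

    if (!(ma = modargs_new(m->argument)))
        goto fail;
    m->userdata = u = calloc(1, sizeof *u);
    u->modargs = ma;
    ma = NULL;                       /* u is the sole owner from here on */
    if (!profile_supported(u->modargs->profile))
        goto fail;
    return 0;

fail:
    if (ma)
        modargs_free(ma);            /* only if the hand-off never happened */
    module_done(m);
    return -1;
}

/* Loads a module with the given argument, unloads it on success, and
 * returns how many double frees the stand-in allocator observed. */
int count_double_frees(int (*init)(module *), const char *argument) {
    module m = { argument, NULL };
    double_free_count = 0;
    if (init(&m) == 0)
        module_done(&m);
    return double_free_count;
}

int main(void) {
    printf("vulnerable, bogus profile: %d double free(s)\n",
           count_double_frees(module_init_vulnerable, "bogus"));
    printf("fixed, bogus profile:      %d double free(s)\n",
           count_double_frees(module_init_fixed, "bogus"));
    printf("vulnerable, a2dp_sink:     %d double free(s)\n",
           count_double_frees(module_init_vulnerable, "a2dp_sink"));
    return 0;
}
```

With a supported profile both versions behave identically, which is why the report describes the bug as latent: the second free is only reached once something between the hand-off to userdata and the end of init can fail. The one-line fix is the ownership transfer (clear the local pointer once userdata owns it); the equivalent review check is to confirm that every object freed in a failure handler has exactly one owner at that point.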
CVE References
Changed in pulseaudio (Ubuntu): | 
---|---
status: | New → Confirmed
assignee: | nobody → Avital Ostromich (avital)
information type: | Private Security → Public Security
Hi Ratchanan,
Is this bug specific to Ubuntu, or does it also affect the upstream Pulseaudio Bluez5 module?
Thanks,
Mike Salvatore