Your message dated Mon, 21 Feb 2011 17:51:57 +0100
with message-id <1298307117.2560.18.camel@deep-thought>
and subject line Re: libportaudio.so.2 overrides the libasound2 error handler
has caused the Debian Bug report #563192,
regarding libportaudio.so.2 overrides the libasound2 error handler
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
563192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563192
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libportaudio2
Version: 19+svn20071022-3
Severity: grave

Upon initialization, libportaudio2 (function PaAlsa_Initialize()) sets
a new global libasound2 error handler by invoking
snd_lib_error_set_handler().  It is bad style for a library to do
this, because this may overwrite the application's custom error
handler.

Now the real critical problem: when loaded with OpenAL (libopenal1
1:1.10.622-1 in this case), libportaudio2 sets the error handler, but
gets unloaded later, rendering the memory address of
AlsaErrorHandler() invalid.  This results in a crash of the
application on the next ALSA error.

(I have submitted this bug for libportaudio2 instead of libopenal1,
because I think libportaudio2 is really doing the wrong thing by
overwriting another library's global variable; you could argue that
unloading the library is wrong in the first place)

Practical example: the Music Player Daemon, which has plugins for
OpenAL as well as for native ALSA.  Here is a crash backtrace:


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe2ab6910 (LWP 31128)]
0x00007ffff7e73d08 in ?? ()
(gdb) bt
#0  0x00007ffff7e73d08 in ?? ()
#1  0x00007ffff23fb9a6 in snd_pcm_hw_open (pcmp=0x513178, name=0x5130d0 "hw:0", card=0, device=0, subdevice=-1,
    stream=SND_PCM_STREAM_PLAYBACK, mode=327681, mmap_emulation=0, sync_ptr_ioctl=0) at pcm_hw.c:1325
#2  0x00007ffff23fc05e in _snd_pcm_hw_open (pcmp=0x513178, name=0x5130d0 "hw:0", root=0x538960, conf=0x55e290,
    stream=SND_PCM_STREAM_PLAYBACK, mode=327680) at pcm_hw.c:1505
#3  0x00007ffff23ea527 in snd_pcm_open_conf (pcmp=0x513178, name=0x5130d0 "hw:0", pcm_root=0x538960, pcm_conf=0x55e290,
    stream=SND_PCM_STREAM_PLAYBACK, mode=327680) at pcm.c:2181
#4  0x00007ffff23ea6aa in snd_pcm_open_noupdate (pcmp=0x513178, root=0x538960, name=0x5130d0 "hw:0",
    stream=SND_PCM_STREAM_PLAYBACK, mode=327680, hop=0) at pcm.c:2219
#5  0x00007ffff23ea740 in snd_pcm_open (pcmp=0x513178, name=0x5130d0 "hw:0", stream=SND_PCM_STREAM_PLAYBACK, mode=327680)
    at pcm.c:2241
#6  0x000000000042b34a in alsa_open (data=0x513160, audio_format=0x512d20, error=0x7fffe2ab6008)
    at /home/max/git/mpd/src/output/alsa_plugin.c:471
#7  0x0000000000428153 in ao_plugin_open (plugin=0x4678c0, data=0x513160, audio_format=0x512d20, error=0x7fffe2ab6008)
    at /home/max/git/mpd/src/output_plugin.h:196
[...]


Severity "grave" because this allows an attacker to make MPD crash
remotely.  It might also be possible to inject and execute code this
way, if the address happens to be memory mapped later.



--- End Message ---
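
The dangling-handler failure described in the report above, modelled as an added example (not code from PortAudio, ALSA or the reporter): a library that replaces a process-wide error handler has to put the previous one back before it is unloaded. The handler slot and all function names are stand-ins, assumed here so the example runs without libasound.

```c
/* Added example, not PortAudio or ALSA code. g_handler is a stand-in for the
 * process-wide slot that snd_lib_error_set_handler() changes; all names here
 * are hypothetical. */
#include <stdio.h>

typedef void (*err_handler_t)(const char *func, int err);

static int app_calls, plugin_calls;
static void default_handler(const char *f, int e) { fprintf(stderr, "%s: error %d\n", f, e); }
static void app_handler(const char *f, int e)    { (void)f; (void)e; app_calls++; }
static void plugin_handler(const char *f, int e) { (void)f; (void)e; plugin_calls++; }

/* One slot shared by the application and every library in the process. */
static err_handler_t g_handler = default_handler;
static void host_set_handler(err_handler_t h) { g_handler = h ? h : default_handler; }
static void host_report(const char *f, int e) { g_handler(f, e); }

/* Plugin side: remember what was installed before we replaced it. */
static err_handler_t plugin_saved;
static void plugin_init(void) { plugin_saved = g_handler; host_set_handler(plugin_handler); }

/* Must run before the plugin's code is unmapped. Restores the previous handler
 * only if the slot still holds ours; a handler installed later belongs to
 * whoever installed it. Returns 1 if the slot was restored. */
static int plugin_terminate(void) {
    if (g_handler != plugin_handler) return 0;
    host_set_handler(plugin_saved);
    return 1;
}

/* Returns 1 if an error reported after the plugin has gone away is still
 * dispatched to the plugin's handler. In a real process that address would be
 * unmapped after dlclose(); here the function stays valid, so the call is safe. */
static int error_reaches_plugin_after_unload(int do_cleanup) {
    host_set_handler(app_handler);          /* application's own handler */
    plugin_init();
    if (do_cleanup) plugin_terminate();
    /* dlclose() of the plugin would happen here */
    app_calls = plugin_calls = 0;
    host_report("snd_pcm_hw_open", -16);    /* constructed error */
    return plugin_calls == 1;
}

int main(void) {
    printf("without cleanup: %d\n", error_reaches_plugin_after_unload(0));
    printf("with cleanup:    %d\n", error_reaches_plugin_after_unload(1));
    return 0;
}
```

Restoring on teardown only narrows the window; not touching the global handler from library code at all, as the closing message says the newer snapshot does, removes it.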
--- Begin Message ---
Version: 19+svn20101113-1

The snapshot of portaudio does not set snd_lib_error_set_handler() any
more.

-- 
Benjamin Drung
Debian & Ubuntu Developer



--- End Message ---
