Bug#: 276986
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
  pulseaudio-0.9.9-Remove-exploitable-LD_BIND_NOW-hack.patch (patch, Robert Buchholz, 2009-07-07 23:36 0000, 2.22 KB)
  pulseaudio-0.9.16-Remove-exploitable-LD_BIND_NOW-hack.patch (patch, Robert Buchholz, 2009-07-07 23:37 0000, 3.19 KB)
  media-sound/pulseaudio/pulseaudio-0.9.9-r1.ebuild (text/plain, Robert Buchholz, 2009-07-09 14:26 0000, 5.74 KB)

Description:   Opened: 2009-07-07 23:35 0000
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that
pulseaudio, when installed setuid root, does not drop privileges before
re-executing itself to achieve immediate bindings. This can be exploited by a
user who has write access to any directory on the file system containing
/usr/bin to gain local root access. The user needs to exploit a race condition
related to creating a hard link.

------- Comment #1 From Robert Buchholz 2009-07-07 23:36:50 0000 -------
Created an attachment (id=197128) [details]
pulseaudio-0.9.9-Remove-exploitable-LD_BIND_NOW-hack.patch

------- Comment #2 From Robert Buchholz 2009-07-07 23:37:00 0000 -------
Created an attachment (id=197130) [details]
pulseaudio-0.9.16-Remove-exploitable-LD_BIND_NOW-hack.patch

------- Comment #3 From Robert Buchholz 2009-07-09 14:26:18 0000 -------
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
=media-sound/pulseaudio-0.9.9-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : fauli, maekke

------- Comment #4 From Robert Buchholz 2009-07-09 14:26:56 0000 -------
Created an attachment (id=197344) [details]
media-sound/pulseaudio/pulseaudio-0.9.9-r1.ebuild

------- Comment #5 From Robert Buchholz 2009-07-09 14:38:33 0000 -------
The attached ebuild has all stable keywords already. Obviously, this is what we
hope to establish *after* testing.

------- Comment #6 From Christian Faulhammer 2009-07-09 14:58:36 0000 -------
x86 ok.

------- Comment #7 From Ferris McCormick 2009-07-09 16:11:10 0000 -------
Sparc ok.

------- Comment #8 From Jeroen Roovers 2009-07-09 19:43:00 0000 -------
HPPA is OK.

------- Comment #9 From Joe Jezak 2009-07-11 19:24:31 0000 -------
PPC/PPC64 are okay.

------- Comment #10 From Robert Buchholz 2009-07-13 11:14:49 0000 -------
alpha, amd64 -- please respond or cc other team members if in doubt.

------- Comment #11 From Olivier Crete 2009-07-13 13:40:02 0000 -------
amd64 ok

------- Comment #12 From Raúl Porcel 2009-07-14 20:10:22 0000 -------
Looks okay on alpha/arm/ia64/sh

------- Comment #13 From Robert Buchholz 2009-07-14 22:31:25 0000 -------
great, it's complete:

< KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sh ~sparc ~x86"
---
> KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

------- Comment #14 From Robert Buchholz 2009-07-16 14:16:31 0000 -------
this is now public

*pulseaudio-0.9.9-r54 (16 Jul 2009)

  16 Jul 2009; Diego E. Pettenò <flameeyes@gentoo.org>
  -pulseaudio-0.9.9-r1.ebuild, +pulseaudio-0.9.9-r54.ebuild:
  Replace revision for pulseaudio-0.9.9 for old revision numbers
  overwritten.

*pulseaudio-0.9.16_rc2-r51 (16 Jul 2009)
*pulseaudio-0.9.16_rc2-r2 (16 Jul 2009)
*pulseaudio-0.9.15-r51 (16 Jul 2009)
*pulseaudio-0.9.15-r2 (16 Jul 2009)

  16 Jul 2009; Diego E. Pettenò <flameeyes@gentoo.org>
  +pulseaudio-0.9.9-r1.ebuild, +files/pulseaudio-0.9.9-CVE-2009-1894.patch,
  +pulseaudio-0.9.15-r2.ebuild, +pulseaudio-0.9.15-r51.ebuild,
  +files/pulseaudio-0.9.15-CVE-2009-1894.patch,
  +pulseaudio-0.9.16_rc2-r2.ebuild, +pulseaudio-0.9.16_rc2-r51.ebuild,
  +files/pulseaudio-0.9.16-CVE-2009-1894.patch:
  Add patch to fix CVE-2009-1894, see bug #276986.

------- Comment #15 From Robert Buchholz 2009-07-16 14:43:33 0000 -------
GLSA 200907-13

------- Comment #16 From Robert Buchholz 2009-07-16 17:07:56 0000 -------
this is now upstream:
http://git.0pointer.de/?p=pulseaudio.git;a=commit;h=84200b423ebfa7e2dad9b1b65f64eac7bf3d2114

Thanks to everyone who contributed.

------- Comment #17 From Alex Legler 2009-07-20 19:17:19 0000 -------
CVE-2009-1894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1894):
  Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local
  users to gain privileges via vectors involving creation of a hard
  link, related to the application setting LD_BIND_NOW to 1, and then
  calling execv on the target of the /proc/self/exe symlink.
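Added example, not code from this bug, from the Gentoo patches or from PulseAudio itself, illustrating the pattern the description and the CVE text above describe: a setuid-root process that readlink()s /proc/self/exe and execv()s the resulting path is racing a path lookup against anyone who can place a hard link to the binary on the same filesystem and then swap what that path names. The function names, the hardened variant and the /tmp scratch directory are this example's own; the shipped fix (see the attachment names) removed the re-exec rather than hardening it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The vulnerable shape described in the bug: resolve the path behind
 * /proc/self/exe, then execv() that *path* while still carrying the euid 0
 * granted by the setuid bit.  Between readlink() and execv() an attacker who
 * hard-linked the binary into a directory they own (same filesystem) can swap
 * what the path names, so execv() runs their file with effective uid 0. */
int reexec_by_path_vulnerable(char **argv)
{
    char path[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", path, sizeof(path) - 1);
    if (n < 0)
        return -1;
    path[n] = '\0';
    setenv("LD_BIND_NOW", "1", 1);
    return execv(path, argv);       /* race window: path re-resolved here */
}

/* A hardened shape (example only, not the shipped fix): give back the setuid
 * privileges first, so winning the race gains nothing, then execute an
 * already-open descriptor.  open() on /proc/self/exe yields the inode actually
 * mapped into this process, and fexecve() never consults a path. */
int reexec_by_fd_hardened(char **argv, char **envp)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)  /* drop must be irreversible */
        return -1;

    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    setenv("LD_BIND_NOW", "1", 1);
    fexecve(fd, argv, envp);         /* only returns on failure */
    close(fd);
    return -1;
}

/* Filesystem-level illustration of the race, runnable unprivileged.
 * "link" starts as a hard link to "real" (the attacker's link to the setuid
 * binary).  The hardened victim opens the descriptor up front, the attacker
 * atomically replaces what the path names, and the vulnerable victim's
 * path-based open then lands on "evil".  Returns 0 and sets both flags, or -1
 * on a setup error.  All files are constructed in a scratch directory. */
int demonstrate_link_swap(int *path_redirected, int *fd_kept_original)
{
    char dir[] = "/tmp/ldbindnow-demo-XXXXXX";   /* constructed scratch dir */
    char real[PATH_MAX], lnk[PATH_MAX], evil[PATH_MAX];
    struct stat st_real, st_evil, st_early, st_late;
    int fd, fd_early = -1, fd_late = -1, rc = -1;

    *path_redirected = *fd_kept_original = 0;
    if (!mkdtemp(dir))
        return -1;
    snprintf(real, sizeof real, "%s/real", dir);
    snprintf(lnk,  sizeof lnk,  "%s/link", dir);
    snprintf(evil, sizeof evil, "%s/evil", dir);

    /* Victim's binary and the attacker's replacement: two distinct inodes. */
    if ((fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0755)) < 0) goto out;
    close(fd);
    if ((fd = open(evil, O_WRONLY | O_CREAT | O_EXCL, 0755)) < 0) goto out;
    close(fd);
    if (stat(real, &st_real) != 0 || stat(evil, &st_evil) != 0) goto out;

    if (link(real, lnk) != 0) goto out;               /* attacker: hard link */
    if ((fd_early = open(lnk, O_RDONLY)) < 0) goto out; /* hardened victim */
    if (rename(evil, lnk) != 0) goto out;             /* attacker wins race */
    if ((fd_late = open(lnk, O_RDONLY)) < 0) goto out;  /* vulnerable victim */

    if (fstat(fd_early, &st_early) != 0 || fstat(fd_late, &st_late) != 0) goto out;
    *path_redirected  = (st_late.st_ino  == st_evil.st_ino);
    *fd_kept_original = (st_early.st_ino == st_real.st_ino);
    rc = 0;
out:
    if (fd_early >= 0) close(fd_early);
    if (fd_late  >= 0) close(fd_late);
    unlink(lnk); unlink(real); unlink(evil); rmdir(dir);
    return rc;
}

int main(void)
{
    int redirected = 0, kept = 0;
    if (demonstrate_link_swap(&redirected, &kept) != 0) {
        perror("demo setup");
        return 1;
    }
    printf("path-based open followed the attacker's swap: %s\n", redirected ? "yes" : "no");
    printf("descriptor taken first kept the original inode: %s\n", kept ? "yes" : "no");
    return 0;
}
```

Two caveats when reading the hardened variant: the re-executed image regains euid 0 because the file it executes is still setuid, so the LD_BIND_NOW guard is what stops a second re-exec; and the hard-link step needs the attacker's directory to sit on the same filesystem as the binary, which is exactly the "any directory on the file system containing /usr/bin" condition in the description (Linux's fs.protected_hardlinks sysctl, on by default in kernels from 3.6, refuses such links to files the user does not own).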
