Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 276986 (CVE-2009-1894)

Summary: <media-sound/pulseaudio-0.9.9-r54 execv local root vulnerability (CVE-2009-1894)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
pulseaudio-0.9.9-Remove-exploitable-LD_BIND_NOW-hack.patch
none
pulseaudio-0.9.16-Remove-exploitable-LD_BIND_NOW-hack.patch
none
media-sound/pulseaudio/pulseaudio-0.9.9-r1.ebuild none

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-07 23:35:40 UTC 
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that pulseaudio, when installed setuid root, does not drop privileges before re-executing itself to achieve immediate bindings. This can be exploited by a user who has write access to any directory on the file system containing /usr/bin to gain local root access. The user needs to exploit a race condition related to creating a hard link.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-07 23:36:50 UTC 
Created attachment 197128 [details, diff]
pulseaudio-0.9.9-Remove-exploitable-LD_BIND_NOW-hack.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-07 23:37:00 UTC 
Created attachment 197130 [details, diff]
pulseaudio-0.9.16-Remove-exploitable-LD_BIND_NOW-hack.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 14:26:18 UTC 
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
=media-sound/pulseaudio-0.9.9-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : fauli, maekke
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 14:26:56 UTC 
Created attachment 197344 [details]
media-sound/pulseaudio/pulseaudio-0.9.9-r1.ebuild
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 14:38:33 UTC 
The attached ebuild has all stable keywords already. Obviously, this is what we hope to establish *after* testing.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-09 14:58:36 UTC 
x86 ok.
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2009-07-09 16:11:10 UTC 
Sparc ok.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-09 19:43:00 UTC 
HPPA is OK.
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2009-07-11 19:24:31 UTC 
PPC/PPC64 are okay.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-07-13 11:14:49 UTC 
alpha, amd64 -- please respond or cc other team members if in doubt.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2009-07-13 13:40:02 UTC 
amd64 ok
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-07-14 20:10:22 UTC 
Looks okay on alpha/arm/ia64/sh
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-07-14 22:31:25 UTC 
great, it's complete:

< KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sh ~sparc ~x86"
---
> KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 14:16:31 UTC 
this is now public

*pulseaudio-0.9.9-r54 (16 Jul 2009)

  16 Jul 2009; Diego E. Pettenò <flameeyes@gentoo.org>
  -pulseaudio-0.9.9-r1.ebuild, +pulseaudio-0.9.9-r54.ebuild:
  Replace revision for pulseaudio-0.9.9 for old revision numbers
  overwritten.

*pulseaudio-0.9.16_rc2-r51 (16 Jul 2009)
*pulseaudio-0.9.16_rc2-r2 (16 Jul 2009)
*pulseaudio-0.9.15-r51 (16 Jul 2009)
*pulseaudio-0.9.15-r2 (16 Jul 2009)

  16 Jul 2009; Diego E. Pettenò <flameeyes@gentoo.org>
  +pulseaudio-0.9.9-r1.ebuild, +files/pulseaudio-0.9.9-CVE-2009-1894.patch,
  +pulseaudio-0.9.15-r2.ebuild, +pulseaudio-0.9.15-r51.ebuild,
  +files/pulseaudio-0.9.15-CVE-2009-1894.patch,
  +pulseaudio-0.9.16_rc2-r2.ebuild, +pulseaudio-0.9.16_rc2-r51.ebuild,
  +files/pulseaudio-0.9.16-CVE-2009-1894.patch:
  Add patch to fix CVE-2009-1894, see bug #276986.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 14:43:33 UTC 
GLSA 200907-13
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 17:07:56 UTC 
this is now upstream:
http://git.0pointer.de/?p=pulseaudio.git;a=commit;h=84200b423ebfa7e2dad9b1b65f64eac7bf3d2114

Thanks to everyone who contributed.
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-20 19:17:19 UTC 
CVE-2009-1894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1894):
  Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local
  users to gain privileges via vectors involving creation of a hard
  link, related to the application setting LD_BIND_NOW to 1, and then
  calling execv on the target of the /proc/self/exe symlink.