Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 313329 (CVE-2009-1299)

Summary: <media-sound/pulseaudio-0.9.22: pa_make_secure_dir() symlink attack (CVE-2009-1299)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 03:10:38 UTC
CVE-2009-1299 (
  The pa_make_secure_dir function in core-util.c in PulseAudio 0.9.10
  and 0.9.19 allows local users to change the ownership and permissions
  of arbitrary files via a symlink attack on a /tmp/.esd-#####
  temporary file.
Comment 1 Arun Raghavan (RETIRED) gentoo-dev 2011-05-18 04:20:17 UTC
0.9.19 is no longer in tree. Can we close this or ...?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:49:58 UTC
(In reply to comment #1)
> 0.9.19 is no longer in tree. Can we close this or ...?

Thanks for the ping, Arun. We are not done however.

I think this was fixed in 0.9.22 via the commit at;a=commit;h=d3efa43d85ac132c6a5a416a2b6f2115f5d577ee. =media-sound/pulseaudio-0.9.22 is already stable, so this is ready for a vote.

GLSA Vote: yes.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:12:30 UTC
Vote: YES. New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-02-07 21:03:13 UTC
This issue was resolved and addressed in
 GLSA 201402-10 at
by GLSA coordinator Mikle Kolyada (Zlogene).