** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that pulseaudio, when installed setuid root, does not drop privileges before re-executing itself to achieve immediate bindings. This can be exploited by a user who has write access to any directory on the file system containing /usr/bin to gain local root access. The user needs to exploit a race condition related to creating a hard link.
Created attachment 197128: pulseaudio-0.9.9-Remove-exploitable-LD_BIND_NOW-hack.patch
Created attachment 197130: pulseaudio-0.9.16-Remove-exploitable-LD_BIND_NOW-hack.patch
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

=media-sound/pulseaudio-0.9.9-r1
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, tester
hppa  : jer
ppc   : josejx, ranger
ppc64 : josejx, ranger
sparc : fmccor
x86   : fauli, maekke
Created attachment 197344: media-sound/pulseaudio/pulseaudio-0.9.9-r1.ebuild
The attached ebuild has all stable keywords already. Obviously, this is what we hope to establish *after* testing.
x86 ok.
Sparc ok.
HPPA is OK.
PPC/PPC64 are okay.
alpha, amd64 -- please respond or cc other team members if in doubt.
amd64 ok
Looks okay on alpha/arm/ia64/sh
great, it's complete:
< KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sh ~sparc ~x86"
---
> KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
this is now public

*pulseaudio-0.9.9-r54 (16 Jul 2009)

  16 Jul 2009; Diego E. Pettenò <flameeyes@gentoo.org> -pulseaudio-0.9.9-r1.ebuild, +pulseaudio-0.9.9-r54.ebuild:
  Replace revision for pulseaudio-0.9.9 for old revision numbers overwritten.

*pulseaudio-0.9.16_rc2-r51 (16 Jul 2009)
*pulseaudio-0.9.16_rc2-r2 (16 Jul 2009)
*pulseaudio-0.9.15-r51 (16 Jul 2009)
*pulseaudio-0.9.15-r2 (16 Jul 2009)

  16 Jul 2009; Diego E. Pettenò <flameeyes@gentoo.org> +pulseaudio-0.9.9-r1.ebuild, +files/pulseaudio-0.9.9-CVE-2009-1894.patch, +pulseaudio-0.9.15-r2.ebuild, +pulseaudio-0.9.15-r51.ebuild, +files/pulseaudio-0.9.15-CVE-2009-1894.patch, +pulseaudio-0.9.16_rc2-r2.ebuild, +pulseaudio-0.9.16_rc2-r51.ebuild, +files/pulseaudio-0.9.16-CVE-2009-1894.patch:
  Add patch to fix CVE-2009-1894, see bug #276986.
GLSA 200907-13
this is now upstream: http://git.0pointer.de/?p=pulseaudio.git;a=commit;h=84200b423ebfa7e2dad9b1b65f64eac7bf3d2114 Thanks to everyone who contributed.
CVE-2009-1894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1894): Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
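The defensive pattern the bug report and the CVE text above both point at, as an added example that is not PulseAudio's code or the upstream patch (which simply removed the re-exec hack): a setuid-root binary that must re-execute itself first drops root permanently across real, effective and saved ids, then verifies the drop with getresuid()/getresgid() rather than trusting return codes, so that whatever /proc/self/exe resolves to at execv() time runs only with the invoking user's privileges. The function names are hypothetical.

```c
#define _GNU_SOURCE /* setresuid/setresgid/getresuid on glibc */
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical helper (added example). Drop root so it cannot be regained:
 * all three uid/gid slots are set to the caller's real ids. Returns 0 only
 * when the drop is verified to have taken effect, -1 otherwise. */
int drop_privileges_permanently(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    uid_t r, e, s;
    gid_t rg, eg, sg;

    /* Supplementary groups can only be cleared by root; skip when unprivileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Order matters: change gid while still root, then uid last. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify: a saved uid of 0 left behind would let a later setuid(0) succeed. */
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (r != uid || e != uid || s != uid)
        return -1;
    if (rg != gid || eg != gid || sg != gid)
        return -1;
    return 0;
}

/* Hypothetical re-exec wrapper (added example): refuses to exec at all
 * unless privileges are verifiably gone, since execv() of /proc/self/exe
 * runs whatever that link resolves to at that moment. Returns -1 on failure;
 * on success it does not return. */
int reexec_unprivileged(char *const argv[]) {
    if (drop_privileges_permanently() != 0)
        return -1;
    setenv("LD_BIND_NOW", "1", 1);
    execv("/proc/self/exe", argv);
    return -1; /* only reached if execv() itself failed */
}
```

Run as an unprivileged user the drop is a no-op that still verifies cleanly; run setuid-root it leaves no saved uid 0 behind, which is the state the original hack lacked before calling execv().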