Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 276986 (CVE-2009-1894) - <media-sound/pulseaudio-0.9.9-r54 execv local root vulnerability (CVE-2009-1894)
Summary: <media-sound/pulseaudio-0.9.9-r54 execv local root vulnerability (CVE-2009-1894)
Status: RESOLVED FIXED
Alias: CVE-2009-1894
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://blog.cr0.org/2009/07/old-schoo...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-07 23:35 UTC by Robert Buchholz (RETIRED)
Modified: 2009-07-20 19:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
pulseaudio-0.9.9-Remove-exploitable-LD_BIND_NOW-hack.patch (pulseaudio-0.9.9-Remove-exploitable-LD_BIND_NOW-hack.patch,2.22 KB, patch)
2009-07-07 23:36 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
pulseaudio-0.9.16-Remove-exploitable-LD_BIND_NOW-hack.patch (pulseaudio-0.9.16-Remove-exploitable-LD_BIND_NOW-hack.patch,3.19 KB, patch)
2009-07-07 23:37 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
media-sound/pulseaudio/pulseaudio-0.9.9-r1.ebuild (pulseaudio-0.9.9-r1.ebuild,5.74 KB, text/plain)
2009-07-09 14:26 UTC, Robert Buchholz (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-07 23:35:40 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that pulseaudio, when installed setuid root, does not drop privileges before re-executing itself to achieve immediate bindings. This can be exploited by a user who has write access to any directory on the file system containing /usr/bin to gain local root access. The user needs to exploit a race condition related to creating a hard link.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-07 23:36:50 UTC
Created attachment 197128 [details, diff]
pulseaudio-0.9.9-Remove-exploitable-LD_BIND_NOW-hack.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-07 23:37:00 UTC
Created attachment 197130 [details, diff]
pulseaudio-0.9.16-Remove-exploitable-LD_BIND_NOW-hack.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 14:26:18 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
=media-sound/pulseaudio-0.9.9-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : fauli, maekke
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 14:26:56 UTC
Created attachment 197344 [details]
media-sound/pulseaudio/pulseaudio-0.9.9-r1.ebuild
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 14:38:33 UTC
The attached ebuild has all stable keywords already. Obviously, this is what we hope to establish *after* testing.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-09 14:58:36 UTC
x86 ok.
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2009-07-09 16:11:10 UTC
Sparc ok.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-09 19:43:00 UTC
HPPA is OK.
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2009-07-11 19:24:31 UTC
PPC/PPC64 are okay.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-07-13 11:14:49 UTC
alpha, amd64 -- please respond or cc other team members if in doubt.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2009-07-13 13:40:02 UTC
amd64 ok
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-07-14 20:10:22 UTC
Looks okay on alpha/arm/ia64/sh
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-07-14 22:31:25 UTC
great, it's complete:

< KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sh ~sparc ~x86"
---
> KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 14:16:31 UTC
this is now public

*pulseaudio-0.9.9-r54 (16 Jul 2009)

  16 Jul 2009; Diego E. Pettenò <flameeyes@gentoo.org>
  -pulseaudio-0.9.9-r1.ebuild, +pulseaudio-0.9.9-r54.ebuild:
  Replace revision for pulseaudio-0.9.9 for old revision numbers
  overwritten.

*pulseaudio-0.9.16_rc2-r51 (16 Jul 2009)
*pulseaudio-0.9.16_rc2-r2 (16 Jul 2009)
*pulseaudio-0.9.15-r51 (16 Jul 2009)
*pulseaudio-0.9.15-r2 (16 Jul 2009)

  16 Jul 2009; Diego E. Pettenò <flameeyes@gentoo.org>
  +pulseaudio-0.9.9-r1.ebuild, +files/pulseaudio-0.9.9-CVE-2009-1894.patch,
  +pulseaudio-0.9.15-r2.ebuild, +pulseaudio-0.9.15-r51.ebuild,
  +files/pulseaudio-0.9.15-CVE-2009-1894.patch,
  +pulseaudio-0.9.16_rc2-r2.ebuild, +pulseaudio-0.9.16_rc2-r51.ebuild,
  +files/pulseaudio-0.9.16-CVE-2009-1894.patch:
  Add patch to fix CVE-2009-1894, see bug #276986.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 14:43:33 UTC
GLSA 200907-13
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 17:07:56 UTC
this is now upstream:
http://git.0pointer.de/?p=pulseaudio.git;a=commit;h=84200b423ebfa7e2dad9b1b65f64eac7bf3d2114

Thanks to everyone who contributed.
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-20 19:17:19 UTC
CVE-2009-1894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1894):
  Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local
  users to gain privileges via vectors involving creation of a hard
  link, related to the application setting LD_BIND_NOW to 1, and then
  calling execv on the target of the /proc/self/exe symlink.