The pa_make_secure_dir function in core-util.c in PulseAudio 0.9.10
and 0.9.19 allows local users to change the ownership and permissions
of arbitrary files via a symlink attack on a /tmp/.esd-#####
0.9.19 is no longer in tree. Can we close this or ...?
(In reply to comment #1)
> 0.9.19 is no longer in tree. Can we close this or ...?
Thanks for the ping, Arun. We are not done however.
I think this was fixed in 0.9.22 via the commit at http://git.0pointer.de/?p=pulseaudio.git;a=commit;h=d3efa43d85ac132c6a5a416a2b6f2115f5d577ee. =media-sound/pulseaudio-0.9.22 is already stable, so this is ready for a vote.
GLSA Vote: yes.
Vote: YES. New GLSA request filed.
This issue was resolved and addressed in
GLSA 201402-10 at http://security.gentoo.org/glsa/glsa-201402-10.xml
by GLSA coordinator Mikle Kolyada (Zlogene).