REDHAT-BUG-510071: Race Condition
First published: Tue Jul 07 2009(Updated: )
Tavis Ormandy and Julien Tinnes, Google Security Team, discovered a flaw in the pulseaudio, that allows local users to escalate their privileges to root, if pulseaudio is installed as setuid. When pulseaudio is built on Linux system with compiler optimization enabled, it tries to re-exec itself with LD_BIND_NOW environment variable set to 1. <a href="http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/main.c;h=b58bb379#l403">http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/main.c;h=b58bb379#l403</a> This happens before root privileges are dropped. Command to execute is extracted from /proc. This way is prone to race condition and can allow local user to execute different command with root privileges.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PulseAudio |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/main.c;h=b58bb379#l403
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=350952&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=350952&action=edit
- http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html
- http://admin.fedoraproject.org/updates/pulseaudio-0.9.10-1.el5.2
- https://access.redhat.com/security/cve/CVE-2009-1894
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1894
- http://taviso.decsystem.org/research.html
- https://admin.fedoraproject.org/updates/pulseaudio-0.9.10-1.el5.2
- http://security.gentoo.org/glsa/glsa-200907-13.xml
- http://www.ubuntu.com/usn/usn-804-1
- http://www.securityfocus.com/bid/35721
- http://www.akitasecurity.nl/advisory.php?id=AK20090602
- http://koji.fedoraproject.org/koji/taskinfo?taskID=1553720
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=510071#c3
- http://cvs.fedoraproject.org/viewvc/devel/pulseaudio/pulseaudio.spec?r1=1.59&r2=1.60
- https://bugzilla.redhat.com/show_bug.cgi?id=510071
Frequently Asked Questions
What is the severity of REDHAT-BUG-510071?
The severity of REDHAT-BUG-510071 is critical due to the potential for local privilege escalation to root.
How do I fix REDHAT-BUG-510071?
To fix REDHAT-BUG-510071, it is recommended to disable setuid for pulseaudio or to apply any available patches from the vendor.
Who is affected by REDHAT-BUG-510071?
Local users on systems where pulseaudio is installed with setuid permissions are affected by REDHAT-BUG-510071.
What versions of pulseaudio are impacted by REDHAT-BUG-510071?
All versions of pulseaudio that are built with setuid permissions are impacted by REDHAT-BUG-510071.
What types of systems are likely to be affected by REDHAT-BUG-510071?
Linux systems with pulseaudio installed as setuid are likely to be affected by REDHAT-BUG-510071.
- agent/type
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-1894
- agent/first-publish-date
- agent/source
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/pulseaudio
- canonical/pulseaudio