Source: pulseaudio
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for pulseaudio.
CVE-2009-1894[0]:
| Race condition
|
| If the PulseAudio binary is started on Linux systems, it checks if the
| LD_BIND_NOW environment variable is set. If this is not the case, PulseAudio
| will set the variable and it will reload itself. It tries to determine its path
| name by looking at the /proc/self/exe symbolic link. This symbolic link will
| point to the full path name of the current process.
|
| int main(int argc, char *argv[]) {
| [...]
| #if defined(__linux__) && defined(__OPTIMIZE__)
| /*
| Disable lazy relocations to make usage of external libraries
| more deterministic for our RT threads. We abuse __OPTIMIZE__ as
| a check whether we are a debug build or not.
| */
|
| if (!getenv("LD_BIND_NOW")) {
| char *rp;
|
| /* We have to execute ourselves, because the libc caches the
| * value of $LD_BIND_NOW on initialization. */
|
| pa_set_env("LD_BIND_NOW", "1");
| pa_assert_se(rp = pa_readlink("/proc/self/exe"));
| pa_assert_se(execv(rp, argv) == 0);
| }
| #endif
|
| Normally, /proc/self/exe will point to something like /usr/bin/pulseaudio.
| However by using hard links, it is possible to cause /proc/self/exe to point to
| a different location.
|
| $ cd /tmp
| $ ls -la /proc/self/exe
| lrwxrwxrwx 1 yorick yorick 0 2009-06-09 16:31 /proc/self/exe -> /bin/ls
| $ ln `which ls` ls
| $ ./ls -la /proc/self/exe
| lrwxrwxrwx 1 yorick yorick 0 2009-06-09 16:31 /proc/self/exe -> /tmp/ls
|
| In addition, if a hard link is created, the SUID bit is preserved.
|
| $ ln `which pulseaudio` pulseaudio
| $ ls -la pulseaudio
| -rwsr-xr-x 2 root root 71616 2009-04-09 02:12 pulseaudio
|
| A race condition exists in the reload mechanism of PulseAudio. An attacker
| can exploit this issue by creating a hard link pointing to the PulseAudio
| binary. After this it can execute this binary through the hard link. At this
| moment /proc/self/exe will point to the hard link. Before PulseAudio is
| restarted, the attacker can replace the hard link with a different (executable)
| file or (symbolic) link. If PulseAudio is restarted, it will use a path name
| that at this moment points to a different file, for example a command shell.
| Root privileges are not dropped when PulseAudio is reloading, thus allowing a
| local attacker to gain root privileges.
|
| Please note, this attack is only possible if the attacker can create hard
| links on the same hard disk partition on which PulseAudio is installed (i.e.
| /usr/bin and /tmp reside on the same partition).
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Patch available at
http://git.0pointer.de/?p=pulseaudio.git;a=commitdiff_plain;h=84200b423ebfa7e2dad9b1b65f64eac7bf3d2114;hp=ff252cb48d9bd827d262eb2633fecaff47c6fe5c
For further information see:
[0] http://www.akitasecurity.nl/advisory.php?id=AK20090602
http://security-tracker.debian.net/tracker/CVE-2009-1894
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
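A hardened form of the re-exec step quoted in the advisory, added here as an illustration (not code from the page or from PulseAudio's own fix): before calling execv(), the kernel's view of the running binary (/proc/self/exe) is compared with the canonical install path, and only that canonical path is ever executed. EXPECTED_BINARY is an assumed compile-time install path and safe_reexec_path() is a hypothetical helper.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef EXPECTED_BINARY
#define EXPECTED_BINARY "/usr/bin/pulseaudio" /* assumed install path */
#endif

/* Returns 1 and fills `out` with the canonical install path only when
 * /proc/self/exe points at exactly that file. Returns 0 (and leaves `out`
 * empty) otherwise: started through a hard link elsewhere, install path
 * missing, or no /proc at all. In every failing case the caller must not
 * re-exec, which is the safe fallback. */
static int safe_reexec_path(const char *expected, char *out, size_t outlen) {
    char self[PATH_MAX + 1], canon[PATH_MAX + 1];
    ssize_t n;

    out[0] = '\0';
    n = readlink("/proc/self/exe", self, PATH_MAX);
    if (n < 0)
        return 0;                       /* cannot verify: refuse */
    self[n] = '\0';
    if (!realpath(expected, canon))
        return 0;                       /* install path unresolvable: refuse */
    if (strcmp(self, canon) != 0)
        return 0;                       /* not the installed binary: refuse */
    if (strlen(canon) >= outlen)
        return 0;
    strcpy(out, canon);                 /* exec the canonical path, never `self` */
    return 1;
}

int main(int argc, char *argv[]) {
    char path[PATH_MAX + 1];
    (void)argc;
    if (!getenv("LD_BIND_NOW")) {
        if (safe_reexec_path(EXPECTED_BINARY, path, sizeof path)) {
            setenv("LD_BIND_NOW", "1", 1);
            execv(path, argv);          /* attacker cannot swap /usr/bin */
            perror("execv");
            return 1;
        }
        fprintf(stderr, "/proc/self/exe is not %s, not re-executing\n",
                EXPECTED_BINARY);       /* keep running, lazy binding and all */
    }
    puts("running normally");
    return 0;
}
```

An equivalent approach that avoids path strings entirely is to open("/proc/self/exe") and fexecve() the resulting descriptor, which executes the very inode already running regardless of which link it was started through.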