lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MRpQi-0005eW-KU@titan.mandriva.com>
Date: Fri, 17 Jul 2009 17:33:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:152 ] pulseaudio


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:152
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pulseaudio
 Date    : July 17, 2009
 Affected: 2008.1, 2009.0, 2009.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in pulseaudio:
 
 Tavis Ormandy and Julien Tinnes of the Google Security Team discovered
 that pulseaudio, when installed setuid root, does not drop privileges
 before re-executing itself to achieve immediate bindings. This can
 be exploited by a user who has write access to any directory on the
 file system containing /usr/bin to gain local root access. The user
 needs to exploit a race condition related to creating a hard link
 (CVE-2009-1894).
 
 This update provides fixes for this vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1894
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 a062a8e55091692e577dc180febdc577  2008.1/i586/libpulseaudio0-0.9.9-7.3mdv2008.1.i586.rpm
 f341aba4d3062c064f44b2660f259a12  2008.1/i586/libpulseaudio-devel-0.9.9-7.3mdv2008.1.i586.rpm
 1f1adc7a548cc7770275c863082d47b7  2008.1/i586/libpulsecore5-0.9.9-7.3mdv2008.1.i586.rpm
 354f78b31d6484363d9cf0e67d458407  2008.1/i586/libpulseglib20-0.9.9-7.3mdv2008.1.i586.rpm
 3cc7b2df8634ae76bb565b6a276ab797  2008.1/i586/libpulsezeroconf0-0.9.9-7.3mdv2008.1.i586.rpm
 12b5529062d92b931d5e1cb124aece9e  2008.1/i586/pulseaudio-0.9.9-7.3mdv2008.1.i586.rpm
 8aad4dcba5650a5591383ac7e4e15af5  2008.1/i586/pulseaudio-esound-compat-0.9.9-7.3mdv2008.1.i586.rpm
 347276b1fb509667489145ad4da4e02b  2008.1/i586/pulseaudio-module-bluetooth-0.9.9-7.3mdv2008.1.i586.rpm
 187b0209b14a769148944b9f4ca178e2  2008.1/i586/pulseaudio-module-gconf-0.9.9-7.3mdv2008.1.i586.rpm
 ad6e55a938e9f986e928e1d09993caa6  2008.1/i586/pulseaudio-module-jack-0.9.9-7.3mdv2008.1.i586.rpm
 785b402d90d9a93c3925fccee6a126f4  2008.1/i586/pulseaudio-module-lirc-0.9.9-7.3mdv2008.1.i586.rpm
 51263a625babe3ae286cbcbb6f2c9dfb  2008.1/i586/pulseaudio-module-x11-0.9.9-7.3mdv2008.1.i586.rpm
 976a8d07cb3fe01cffbfd6a2dff876b0  2008.1/i586/pulseaudio-module-zeroconf-0.9.9-7.3mdv2008.1.i586.rpm
 a005e022f9a1f6196c4f9b8c8c8caf62  2008.1/i586/pulseaudio-utils-0.9.9-7.3mdv2008.1.i586.rpm 
 442edda195d371bc35b5c0f127811b2f  2008.1/SRPMS/pulseaudio-0.9.9-7.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 8728a2284e266874cc879bd0b6d7edaf  2008.1/x86_64/lib64pulseaudio0-0.9.9-7.3mdv2008.1.x86_64.rpm
 1533b2777a8d2e56963f5b48d1683d48  2008.1/x86_64/lib64pulseaudio-devel-0.9.9-7.3mdv2008.1.x86_64.rpm
 5e66f925ac1454ad6ac7a08e68737b94  2008.1/x86_64/lib64pulsecore5-0.9.9-7.3mdv2008.1.x86_64.rpm
 b0ce01eaf200843f15ee35fdcdc5dc43  2008.1/x86_64/lib64pulseglib20-0.9.9-7.3mdv2008.1.x86_64.rpm
 78bc7dbf0946169938c6d16c8365a7e6  2008.1/x86_64/lib64pulsezeroconf0-0.9.9-7.3mdv2008.1.x86_64.rpm
 00274092fc0860c5f14947c85f301c43  2008.1/x86_64/pulseaudio-0.9.9-7.3mdv2008.1.x86_64.rpm
 6e85932ff0a922826098c3e7d2bf7ca6  2008.1/x86_64/pulseaudio-esound-compat-0.9.9-7.3mdv2008.1.x86_64.rpm
 3e9d1ff042999eaa80996346d0994bd3  2008.1/x86_64/pulseaudio-module-bluetooth-0.9.9-7.3mdv2008.1.x86_64.rpm
 d5636d90102c47c5d5523dc139ccb076  2008.1/x86_64/pulseaudio-module-gconf-0.9.9-7.3mdv2008.1.x86_64.rpm
 c90c261515c775728653cfcca191850f  2008.1/x86_64/pulseaudio-module-jack-0.9.9-7.3mdv2008.1.x86_64.rpm
 9cdb901529b26c1d27374cd44a34e802  2008.1/x86_64/pulseaudio-module-lirc-0.9.9-7.3mdv2008.1.x86_64.rpm
 444225d1a612afafb0766fe6e6e65e33  2008.1/x86_64/pulseaudio-module-x11-0.9.9-7.3mdv2008.1.x86_64.rpm
 582f12ee41fa42e61e40ef89ba398509  2008.1/x86_64/pulseaudio-module-zeroconf-0.9.9-7.3mdv2008.1.x86_64.rpm
 de769508329229fa4ede392710c94fc4  2008.1/x86_64/pulseaudio-utils-0.9.9-7.3mdv2008.1.x86_64.rpm 
 442edda195d371bc35b5c0f127811b2f  2008.1/SRPMS/pulseaudio-0.9.9-7.3mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 2bd956446a959942bde9244e8acfde76  2009.0/i586/libpulseaudio0-0.9.10-11.2mdv2009.0.i586.rpm
 3fe94b495ff275f122ccc860dfa8e773  2009.0/i586/libpulseaudio-devel-0.9.10-11.2mdv2009.0.i586.rpm
 9e076dc1b4c4c29aebef04381b36b75c  2009.0/i586/libpulsecore5-0.9.10-11.2mdv2009.0.i586.rpm
 f6142fa6cd387016360f14e90f3b8e51  2009.0/i586/libpulseglib20-0.9.10-11.2mdv2009.0.i586.rpm
 42cd75d1ef577468cd72e31b2396aa20  2009.0/i586/libpulsezeroconf0-0.9.10-11.2mdv2009.0.i586.rpm
 df5ca44d1bfd83dae7c6f844f084d284  2009.0/i586/pulseaudio-0.9.10-11.2mdv2009.0.i586.rpm
 782b151e7bd4d557030272aaf0d9b692  2009.0/i586/pulseaudio-esound-compat-0.9.10-11.2mdv2009.0.i586.rpm
 2171e5cf67657ae96b01b3ac288087bf  2009.0/i586/pulseaudio-module-bluetooth-0.9.10-11.2mdv2009.0.i586.rpm
 0292753f956a71e71534f1e1c20cc955  2009.0/i586/pulseaudio-module-gconf-0.9.10-11.2mdv2009.0.i586.rpm
 d8de6623fbdf73b83cf3c7b0063ae76f  2009.0/i586/pulseaudio-module-jack-0.9.10-11.2mdv2009.0.i586.rpm
 155328b8eee49b4ad60d63c30f36d8f9  2009.0/i586/pulseaudio-module-lirc-0.9.10-11.2mdv2009.0.i586.rpm
 7384cbc44eea2b072dbddcb975de5bc8  2009.0/i586/pulseaudio-module-x11-0.9.10-11.2mdv2009.0.i586.rpm
 f934999602cb29a03a545b256c26f1b8  2009.0/i586/pulseaudio-module-zeroconf-0.9.10-11.2mdv2009.0.i586.rpm
 4c4a8d722f831b00bb8bcf54c44244d9  2009.0/i586/pulseaudio-utils-0.9.10-11.2mdv2009.0.i586.rpm 
 87e5b2d12daee5876785c5a0ab31b4c5  2009.0/SRPMS/pulseaudio-0.9.10-11.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 73fcb6879f5e8c289d5b10ae4219b141  2009.0/x86_64/lib64pulseaudio0-0.9.10-11.2mdv2009.0.x86_64.rpm
 1c61d1f64cd1c212298817a18acc5ca4  2009.0/x86_64/lib64pulseaudio-devel-0.9.10-11.2mdv2009.0.x86_64.rpm
 49d711f9b351ea08bd5eda2ee04f55ce  2009.0/x86_64/lib64pulsecore5-0.9.10-11.2mdv2009.0.x86_64.rpm
 a8fdfb9ffdef78288c6cda40b61e6f18  2009.0/x86_64/lib64pulseglib20-0.9.10-11.2mdv2009.0.x86_64.rpm
 f18f537ad924239d27daf8f4874d7442  2009.0/x86_64/lib64pulsezeroconf0-0.9.10-11.2mdv2009.0.x86_64.rpm
 d8475e84e680b1a2ee5b9aabcbc0a914  2009.0/x86_64/pulseaudio-0.9.10-11.2mdv2009.0.x86_64.rpm
 7b9b9361f2bcaf7f2164e0d52826df9c  2009.0/x86_64/pulseaudio-esound-compat-0.9.10-11.2mdv2009.0.x86_64.rpm
 dcf79cb270166b6968162241b5b0c64e  2009.0/x86_64/pulseaudio-module-bluetooth-0.9.10-11.2mdv2009.0.x86_64.rpm
 e321d4e6b726d556b7bab4f0eb68c453  2009.0/x86_64/pulseaudio-module-gconf-0.9.10-11.2mdv2009.0.x86_64.rpm
 8cd25eaf38c2dc27de66f6f9b7f6eff5  2009.0/x86_64/pulseaudio-module-jack-0.9.10-11.2mdv2009.0.x86_64.rpm
 3179eed7fc73f936ebfcd2291164ec51  2009.0/x86_64/pulseaudio-module-lirc-0.9.10-11.2mdv2009.0.x86_64.rpm
 12e1246a76c219a094c856cd67b01726  2009.0/x86_64/pulseaudio-module-x11-0.9.10-11.2mdv2009.0.x86_64.rpm
 12f30ef44575f593133d72c86c01bfee  2009.0/x86_64/pulseaudio-module-zeroconf-0.9.10-11.2mdv2009.0.x86_64.rpm
 f71cc26c7ea4b6c6f050143167e2c0ed  2009.0/x86_64/pulseaudio-utils-0.9.10-11.2mdv2009.0.x86_64.rpm 
 87e5b2d12daee5876785c5a0ab31b4c5  2009.0/SRPMS/pulseaudio-0.9.10-11.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 b34a028de279eeff79b8c6fdfe0fd2b1  2009.1/i586/libpulseaudio0-0.9.15-2.0.6mdv2009.1.i586.rpm
 70c44b7103a88e29b917d139b3dbfcb4  2009.1/i586/libpulseaudio-devel-0.9.15-2.0.6mdv2009.1.i586.rpm
 92ed545bdefb77fcefd5d1b205608c8d  2009.1/i586/libpulseglib20-0.9.15-2.0.6mdv2009.1.i586.rpm
 88c6b62951397fd1f844810e2f29f9d2  2009.1/i586/libpulsezeroconf0-0.9.15-2.0.6mdv2009.1.i586.rpm
 61ef1d493c85320b9465b8d47cbde537  2009.1/i586/pulseaudio-0.9.15-2.0.6mdv2009.1.i586.rpm
 90e019b2452a026e002b83beb4144446  2009.1/i586/pulseaudio-esound-compat-0.9.15-2.0.6mdv2009.1.i586.rpm
 21aa6bee1f8a7904a8b1644765d8f773  2009.1/i586/pulseaudio-module-bluetooth-0.9.15-2.0.6mdv2009.1.i586.rpm
 3124e03a2347231eb6a2aff9a5833e71  2009.1/i586/pulseaudio-module-gconf-0.9.15-2.0.6mdv2009.1.i586.rpm
 54cc2ef02ca448f5540cb4775f807497  2009.1/i586/pulseaudio-module-jack-0.9.15-2.0.6mdv2009.1.i586.rpm
 48de396bedac8da600ded2f09a713e27  2009.1/i586/pulseaudio-module-lirc-0.9.15-2.0.6mdv2009.1.i586.rpm
 2f7a58cf7258ce6ab2bd335e2ce9e24a  2009.1/i586/pulseaudio-module-x11-0.9.15-2.0.6mdv2009.1.i586.rpm
 bc3fd52f6ce8ba97466da1faded37c1e  2009.1/i586/pulseaudio-module-zeroconf-0.9.15-2.0.6mdv2009.1.i586.rpm
 251cc934964ab60a989690b01939d25d  2009.1/i586/pulseaudio-utils-0.9.15-2.0.6mdv2009.1.i586.rpm 
 02142a9dd6148a6b79993b5387180e14  2009.1/SRPMS/pulseaudio-0.9.15-2.0.6mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 c8af7246c1b3a6ffb54c759cfc475c88  2009.1/x86_64/lib64pulseaudio0-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 715578b74205dcc1666f2b4c6607cfcf  2009.1/x86_64/lib64pulseaudio-devel-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 d4d2ee6c8c7eaaae7242c14088269781  2009.1/x86_64/lib64pulseglib20-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 4b53569e3636e9369ebb1db66617e83f  2009.1/x86_64/lib64pulsezeroconf0-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 c974082748919e19f703578661e2f037  2009.1/x86_64/pulseaudio-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 1e79b47e907b2dba5a5d2f938b1c6420  2009.1/x86_64/pulseaudio-esound-compat-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 00b8e0bc3dea7054e108c45073dd5192  2009.1/x86_64/pulseaudio-module-bluetooth-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 55179425940554fa93d9df17ad3e0130  2009.1/x86_64/pulseaudio-module-gconf-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 0f43e642f93caa04107552a64b4c86ba  2009.1/x86_64/pulseaudio-module-jack-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 c12814a8e83842ddb9c8075e4b06adef  2009.1/x86_64/pulseaudio-module-lirc-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 10f9ea21717946abad25edfca2198ac0  2009.1/x86_64/pulseaudio-module-x11-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 d0c3cc9dac5ea0f3fe4dbff344148207  2009.1/x86_64/pulseaudio-module-zeroconf-0.9.15-2.0.6mdv2009.1.x86_64.rpm
 8779d5adf45fd7cfe58bf8bae436914b  2009.1/x86_64/pulseaudio-utils-0.9.15-2.0.6mdv2009.1.x86_64.rpm 
 02142a9dd6148a6b79993b5387180e14  2009.1/SRPMS/pulseaudio-0.9.15-2.0.6mdv2009.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKYG2fmqjQ0CJFipgRAlZXAKCMxZivrn7Ez4PQJZl4rtnfGiR+uQCcCbh6
fBiuyxqIfFmlT/+59ZXwodQ=
=kCm6
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ