[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MRpQi-0005eW-KU@titan.mandriva.com>
Date: Fri, 17 Jul 2009 17:33:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:152 ] pulseaudio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:152
http://www.mandriva.com/security/
_______________________________________________________________________
Package : pulseaudio
Date : July 17, 2009
Affected: 2008.1, 2009.0, 2009.1
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in pulseaudio:
Tavis Ormandy and Julien Tinnes of the Google Security Team discovered
that pulseaudio, when installed setuid root, does not drop privileges
before re-executing itself to achieve immediate bindings. This can
be exploited by a user who has write access to any directory on the
file system containing /usr/bin to gain local root access. The user
needs to exploit a race condition related to creating a hard link
(CVE-2009-1894).
This update provides fixes for this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1894
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
a062a8e55091692e577dc180febdc577 2008.1/i586/libpulseaudio0-0.9.9-7.3mdv2008.1.i586.rpm
f341aba4d3062c064f44b2660f259a12 2008.1/i586/libpulseaudio-devel-0.9.9-7.3mdv2008.1.i586.rpm
1f1adc7a548cc7770275c863082d47b7 2008.1/i586/libpulsecore5-0.9.9-7.3mdv2008.1.i586.rpm
354f78b31d6484363d9cf0e67d458407 2008.1/i586/libpulseglib20-0.9.9-7.3mdv2008.1.i586.rpm
3cc7b2df8634ae76bb565b6a276ab797 2008.1/i586/libpulsezeroconf0-0.9.9-7.3mdv2008.1.i586.rpm
12b5529062d92b931d5e1cb124aece9e 2008.1/i586/pulseaudio-0.9.9-7.3mdv2008.1.i586.rpm
8aad4dcba5650a5591383ac7e4e15af5 2008.1/i586/pulseaudio-esound-compat-0.9.9-7.3mdv2008.1.i586.rpm
347276b1fb509667489145ad4da4e02b 2008.1/i586/pulseaudio-module-bluetooth-0.9.9-7.3mdv2008.1.i586.rpm
187b0209b14a769148944b9f4ca178e2 2008.1/i586/pulseaudio-module-gconf-0.9.9-7.3mdv2008.1.i586.rpm
ad6e55a938e9f986e928e1d09993caa6 2008.1/i586/pulseaudio-module-jack-0.9.9-7.3mdv2008.1.i586.rpm
785b402d90d9a93c3925fccee6a126f4 2008.1/i586/pulseaudio-module-lirc-0.9.9-7.3mdv2008.1.i586.rpm
51263a625babe3ae286cbcbb6f2c9dfb 2008.1/i586/pulseaudio-module-x11-0.9.9-7.3mdv2008.1.i586.rpm
976a8d07cb3fe01cffbfd6a2dff876b0 2008.1/i586/pulseaudio-module-zeroconf-0.9.9-7.3mdv2008.1.i586.rpm
a005e022f9a1f6196c4f9b8c8c8caf62 2008.1/i586/pulseaudio-utils-0.9.9-7.3mdv2008.1.i586.rpm
442edda195d371bc35b5c0f127811b2f 2008.1/SRPMS/pulseaudio-0.9.9-7.3mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
8728a2284e266874cc879bd0b6d7edaf 2008.1/x86_64/lib64pulseaudio0-0.9.9-7.3mdv2008.1.x86_64.rpm
1533b2777a8d2e56963f5b48d1683d48 2008.1/x86_64/lib64pulseaudio-devel-0.9.9-7.3mdv2008.1.x86_64.rpm
5e66f925ac1454ad6ac7a08e68737b94 2008.1/x86_64/lib64pulsecore5-0.9.9-7.3mdv2008.1.x86_64.rpm
b0ce01eaf200843f15ee35fdcdc5dc43 2008.1/x86_64/lib64pulseglib20-0.9.9-7.3mdv2008.1.x86_64.rpm
78bc7dbf0946169938c6d16c8365a7e6 2008.1/x86_64/lib64pulsezeroconf0-0.9.9-7.3mdv2008.1.x86_64.rpm
00274092fc0860c5f14947c85f301c43 2008.1/x86_64/pulseaudio-0.9.9-7.3mdv2008.1.x86_64.rpm
6e85932ff0a922826098c3e7d2bf7ca6 2008.1/x86_64/pulseaudio-esound-compat-0.9.9-7.3mdv2008.1.x86_64.rpm
3e9d1ff042999eaa80996346d0994bd3 2008.1/x86_64/pulseaudio-module-bluetooth-0.9.9-7.3mdv2008.1.x86_64.rpm
d5636d90102c47c5d5523dc139ccb076 2008.1/x86_64/pulseaudio-module-gconf-0.9.9-7.3mdv2008.1.x86_64.rpm
c90c261515c775728653cfcca191850f 2008.1/x86_64/pulseaudio-module-jack-0.9.9-7.3mdv2008.1.x86_64.rpm
9cdb901529b26c1d27374cd44a34e802 2008.1/x86_64/pulseaudio-module-lirc-0.9.9-7.3mdv2008.1.x86_64.rpm
444225d1a612afafb0766fe6e6e65e33 2008.1/x86_64/pulseaudio-module-x11-0.9.9-7.3mdv2008.1.x86_64.rpm
582f12ee41fa42e61e40ef89ba398509 2008.1/x86_64/pulseaudio-module-zeroconf-0.9.9-7.3mdv2008.1.x86_64.rpm
de769508329229fa4ede392710c94fc4 2008.1/x86_64/pulseaudio-utils-0.9.9-7.3mdv2008.1.x86_64.rpm
442edda195d371bc35b5c0f127811b2f 2008.1/SRPMS/pulseaudio-0.9.9-7.3mdv2008.1.src.rpm
Mandriva Linux 2009.0:
2bd956446a959942bde9244e8acfde76 2009.0/i586/libpulseaudio0-0.9.10-11.2mdv2009.0.i586.rpm
3fe94b495ff275f122ccc860dfa8e773 2009.0/i586/libpulseaudio-devel-0.9.10-11.2mdv2009.0.i586.rpm
9e076dc1b4c4c29aebef04381b36b75c 2009.0/i586/libpulsecore5-0.9.10-11.2mdv2009.0.i586.rpm
f6142fa6cd387016360f14e90f3b8e51 2009.0/i586/libpulseglib20-0.9.10-11.2mdv2009.0.i586.rpm
42cd75d1ef577468cd72e31b2396aa20 2009.0/i586/libpulsezeroconf0-0.9.10-11.2mdv2009.0.i586.rpm
df5ca44d1bfd83dae7c6f844f084d284 2009.0/i586/pulseaudio-0.9.10-11.2mdv2009.0.i586.rpm
782b151e7bd4d557030272aaf0d9b692 2009.0/i586/pulseaudio-esound-compat-0.9.10-11.2mdv2009.0.i586.rpm
2171e5cf67657ae96b01b3ac288087bf 2009.0/i586/pulseaudio-module-bluetooth-0.9.10-11.2mdv2009.0.i586.rpm
0292753f956a71e71534f1e1c20cc955 2009.0/i586/pulseaudio-module-gconf-0.9.10-11.2mdv2009.0.i586.rpm
d8de6623fbdf73b83cf3c7b0063ae76f 2009.0/i586/pulseaudio-module-jack-0.9.10-11.2mdv2009.0.i586.rpm
155328b8eee49b4ad60d63c30f36d8f9 2009.0/i586/pulseaudio-module-lirc-0.9.10-11.2mdv2009.0.i586.rpm
7384cbc44eea2b072dbddcb975de5bc8 2009.0/i586/pulseaudio-module-x11-0.9.10-11.2mdv2009.0.i586.rpm
f934999602cb29a03a545b256c26f1b8 2009.0/i586/pulseaudio-module-zeroconf-0.9.10-11.2mdv2009.0.i586.rpm
4c4a8d722f831b00bb8bcf54c44244d9 2009.0/i586/pulseaudio-utils-0.9.10-11.2mdv2009.0.i586.rpm
87e5b2d12daee5876785c5a0ab31b4c5 2009.0/SRPMS/pulseaudio-0.9.10-11.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
73fcb6879f5e8c289d5b10ae4219b141 2009.0/x86_64/lib64pulseaudio0-0.9.10-11.2mdv2009.0.x86_64.rpm
1c61d1f64cd1c212298817a18acc5ca4 2009.0/x86_64/lib64pulseaudio-devel-0.9.10-11.2mdv2009.0.x86_64.rpm
49d711f9b351ea08bd5eda2ee04f55ce 2009.0/x86_64/lib64pulsecore5-0.9.10-11.2mdv2009.0.x86_64.rpm
a8fdfb9ffdef78288c6cda40b61e6f18 2009.0/x86_64/lib64pulseglib20-0.9.10-11.2mdv2009.0.x86_64.rpm
f18f537ad924239d27daf8f4874d7442 2009.0/x86_64/lib64pulsezeroconf0-0.9.10-11.2mdv2009.0.x86_64.rpm
d8475e84e680b1a2ee5b9aabcbc0a914 2009.0/x86_64/pulseaudio-0.9.10-11.2mdv2009.0.x86_64.rpm
7b9b9361f2bcaf7f2164e0d52826df9c 2009.0/x86_64/pulseaudio-esound-compat-0.9.10-11.2mdv2009.0.x86_64.rpm
dcf79cb270166b6968162241b5b0c64e 2009.0/x86_64/pulseaudio-module-bluetooth-0.9.10-11.2mdv2009.0.x86_64.rpm
e321d4e6b726d556b7bab4f0eb68c453 2009.0/x86_64/pulseaudio-module-gconf-0.9.10-11.2mdv2009.0.x86_64.rpm
8cd25eaf38c2dc27de66f6f9b7f6eff5 2009.0/x86_64/pulseaudio-module-jack-0.9.10-11.2mdv2009.0.x86_64.rpm
3179eed7fc73f936ebfcd2291164ec51 2009.0/x86_64/pulseaudio-module-lirc-0.9.10-11.2mdv2009.0.x86_64.rpm
12e1246a76c219a094c856cd67b01726 2009.0/x86_64/pulseaudio-module-x11-0.9.10-11.2mdv2009.0.x86_64.rpm
12f30ef44575f593133d72c86c01bfee 2009.0/x86_64/pulseaudio-module-zeroconf-0.9.10-11.2mdv2009.0.x86_64.rpm
f71cc26c7ea4b6c6f050143167e2c0ed 2009.0/x86_64/pulseaudio-utils-0.9.10-11.2mdv2009.0.x86_64.rpm
87e5b2d12daee5876785c5a0ab31b4c5 2009.0/SRPMS/pulseaudio-0.9.10-11.2mdv2009.0.src.rpm
Mandriva Linux 2009.1:
b34a028de279eeff79b8c6fdfe0fd2b1 2009.1/i586/libpulseaudio0-0.9.15-2.0.6mdv2009.1.i586.rpm
70c44b7103a88e29b917d139b3dbfcb4 2009.1/i586/libpulseaudio-devel-0.9.15-2.0.6mdv2009.1.i586.rpm
92ed545bdefb77fcefd5d1b205608c8d 2009.1/i586/libpulseglib20-0.9.15-2.0.6mdv2009.1.i586.rpm
88c6b62951397fd1f844810e2f29f9d2 2009.1/i586/libpulsezeroconf0-0.9.15-2.0.6mdv2009.1.i586.rpm
61ef1d493c85320b9465b8d47cbde537 2009.1/i586/pulseaudio-0.9.15-2.0.6mdv2009.1.i586.rpm
90e019b2452a026e002b83beb4144446 2009.1/i586/pulseaudio-esound-compat-0.9.15-2.0.6mdv2009.1.i586.rpm
21aa6bee1f8a7904a8b1644765d8f773 2009.1/i586/pulseaudio-module-bluetooth-0.9.15-2.0.6mdv2009.1.i586.rpm
3124e03a2347231eb6a2aff9a5833e71 2009.1/i586/pulseaudio-module-gconf-0.9.15-2.0.6mdv2009.1.i586.rpm
54cc2ef02ca448f5540cb4775f807497 2009.1/i586/pulseaudio-module-jack-0.9.15-2.0.6mdv2009.1.i586.rpm
48de396bedac8da600ded2f09a713e27 2009.1/i586/pulseaudio-module-lirc-0.9.15-2.0.6mdv2009.1.i586.rpm
2f7a58cf7258ce6ab2bd335e2ce9e24a 2009.1/i586/pulseaudio-module-x11-0.9.15-2.0.6mdv2009.1.i586.rpm
bc3fd52f6ce8ba97466da1faded37c1e 2009.1/i586/pulseaudio-module-zeroconf-0.9.15-2.0.6mdv2009.1.i586.rpm
251cc934964ab60a989690b01939d25d 2009.1/i586/pulseaudio-utils-0.9.15-2.0.6mdv2009.1.i586.rpm
02142a9dd6148a6b79993b5387180e14 2009.1/SRPMS/pulseaudio-0.9.15-2.0.6mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
c8af7246c1b3a6ffb54c759cfc475c88 2009.1/x86_64/lib64pulseaudio0-0.9.15-2.0.6mdv2009.1.x86_64.rpm
715578b74205dcc1666f2b4c6607cfcf 2009.1/x86_64/lib64pulseaudio-devel-0.9.15-2.0.6mdv2009.1.x86_64.rpm
d4d2ee6c8c7eaaae7242c14088269781 2009.1/x86_64/lib64pulseglib20-0.9.15-2.0.6mdv2009.1.x86_64.rpm
4b53569e3636e9369ebb1db66617e83f 2009.1/x86_64/lib64pulsezeroconf0-0.9.15-2.0.6mdv2009.1.x86_64.rpm
c974082748919e19f703578661e2f037 2009.1/x86_64/pulseaudio-0.9.15-2.0.6mdv2009.1.x86_64.rpm
1e79b47e907b2dba5a5d2f938b1c6420 2009.1/x86_64/pulseaudio-esound-compat-0.9.15-2.0.6mdv2009.1.x86_64.rpm
00b8e0bc3dea7054e108c45073dd5192 2009.1/x86_64/pulseaudio-module-bluetooth-0.9.15-2.0.6mdv2009.1.x86_64.rpm
55179425940554fa93d9df17ad3e0130 2009.1/x86_64/pulseaudio-module-gconf-0.9.15-2.0.6mdv2009.1.x86_64.rpm
0f43e642f93caa04107552a64b4c86ba 2009.1/x86_64/pulseaudio-module-jack-0.9.15-2.0.6mdv2009.1.x86_64.rpm
c12814a8e83842ddb9c8075e4b06adef 2009.1/x86_64/pulseaudio-module-lirc-0.9.15-2.0.6mdv2009.1.x86_64.rpm
10f9ea21717946abad25edfca2198ac0 2009.1/x86_64/pulseaudio-module-x11-0.9.15-2.0.6mdv2009.1.x86_64.rpm
d0c3cc9dac5ea0f3fe4dbff344148207 2009.1/x86_64/pulseaudio-module-zeroconf-0.9.15-2.0.6mdv2009.1.x86_64.rpm
8779d5adf45fd7cfe58bf8bae436914b 2009.1/x86_64/pulseaudio-utils-0.9.15-2.0.6mdv2009.1.x86_64.rpm
02142a9dd6148a6b79993b5387180e14 2009.1/SRPMS/pulseaudio-0.9.15-2.0.6mdv2009.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKYG2fmqjQ0CJFipgRAlZXAKCMxZivrn7Ez4PQJZl4rtnfGiR+uQCcCbh6
fBiuyxqIfFmlT/+59ZXwodQ=
=kCm6
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists