CVE-2008-0008 Information

Description

The pa_drop_root function in PulseAudio 0.9.8 and a certain 0.9.9 build does not check the return values of the (1) setresuid, (2) setreuid, (3) setuid and (4) seteuid calls it makes when attempting to drop privileges. This might allow local users to gain privileges by causing those calls to fail, for example through resource exhaustion, so that the daemon keeps running as root while believing it has dropped to the unprivileged user.
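The failure mode described above, beside a hardened version of the same privilege drop, as an added C example. This is not PulseAudio's pa_drop_root and not code from any of the referenced fixes; the helper names, the default target uid 65534 and the use of setresuid/getresuid (Linux, glibc) are assumptions made for the example.

```c
#define _GNU_SOURCE          /* setresuid/setresgid/getresuid/getresgid are glibc extensions */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated here in case <unistd.h> was first included before the
 * feature macro above was defined (harmless when glibc already declared them). */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Constructed example, not PulseAudio code: both helpers below are hypothetical. */

/* Vulnerable pattern, the shape of the bug in the CVE: the return values are
 * ignored, so when the kernel refuses the change (EPERM, or EAGAIN when the
 * target uid already sits at its RLIMIT_NPROC limit, which is the resource
 * exhaustion attack the description refers to) execution simply continues
 * with the privileged real, effective and saved ids still in place. */
static void drop_root_unchecked(uid_t uid, gid_t gid)
{
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);
}

/* Hardened pattern: check each call, then ask the kernel which ids the process
 * actually holds and insist that real, effective AND saved ids all changed, so
 * root cannot be regained later with another setuid().
 * Returns 0 on success, -1 on failure (errno left as set by the failing call,
 * or EACCES when the reported ids differ from the requested ones). */
static int drop_root_checked(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* Groups first: once the uid is gone, changing gids is no longer permitted. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    if (getresgid(&rgid, &egid, &sgid) != 0 || getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    if (rgid != gid || egid != gid || sgid != gid ||
        ruid != uid || euid != uid || suid != uid) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Returns 1 if any of the real/effective/saved uids equals `uid`, 0 if none does,
 * -1 if the kernel could not be queried. */
static int has_uid(uid_t uid)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return r == uid || e == uid || s == uid;
}

int main(int argc, char **argv)
{
    /* Target ids: first argument, else 65534 ("nobody" on most Linux systems; an assumption). */
    uid_t target = (uid_t)(argc > 1 ? strtoul(argv[1], NULL, 10) : 65534);

    drop_root_unchecked(target, (gid_t)target);
    printf("unchecked: uid is now %u (wanted %u)%s\n",
           (unsigned)getuid(), (unsigned)target,
           getuid() == target ? "" : " - still running with the old ids!");

    if (drop_root_checked(target, (gid_t)target) != 0) {
        fprintf(stderr, "checked: refusing to continue: %s\n", strerror(errno));
        return 1;
    }
    printf("checked: running as uid %u, root retained: %s\n",
           (unsigned)getuid(), has_uid(0) == 1 ? "yes" : "no");
    return 0;
}
```

Run it as root to see both variants succeed, and as an unprivileged user to see the difference: the unchecked variant prints that it is still running with the old ids and carries on, the checked variant reports EPERM and exits. A real daemon also has to clear supplementary groups with setgroups() before the gid change; that is omitted here because it requires root and would make the unprivileged demonstration fail at the wrong step.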

Reference

http://bugs.gentoo.org/show_bug.cgi?id=207214
http://pulseaudio.org/changeset/2100
http://secunia.com/advisories/28608
http://secunia.com/advisories/28623
http://secunia.com/advisories/28738
http://secunia.com/advisories/28952
http://security.gentoo.org/glsa/glsa-200802-07.xml
http://www.debian.org/security/2008/dsa-1476
http://www.mandriva.com/security/advisories?name=MDVSA-2008:027
http://www.securityfocus.com/bid/27449
http://www.ubuntu.com/usn/usn-573-1
http://www.vupen.com/english/advisories/2008/0283
https://bugzilla.novell.com/show_bug.cgi?id=347822
https://bugzilla.redhat.com/show_bug.cgi?id=425481
https://exchange.xforce.ibmcloud.com/vulnerabilities/39992
https://tango.0pointer.de/pipermail/pulseaudio-discuss/2008-January/001228.html
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00852.html
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00869.html