425481 – (CVE-2008-0008) CVE-2008-0008 Pulseaudio ignores setuid() return value

Bug 425481 (CVE-2008-0008) - CVE-2008-0008 Pulseaudio ignores setuid() return value

Summary: CVE-2008-0008 Pulseaudio ignores setuid() return value

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-0008
Product:	Fedora
Classification:	Fedora
Component:	pulseaudio
Sub Component:
Version:	8
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Lennart Poettering
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-12-14 21:34 UTC by Lubomir Kundrak
Modified:	2008-01-24 22:01 UTC (History)
CC List:	1 user (show)
Fixed In Version:	0.9.8-5.fc8
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-01-24 21:59:26 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Fail when it's not possible to drop root privileges (2.94 KB, patch) 2007-12-20 12:40 UTC, Lubomir Kundrak	no flags	Details \| Diff
Fail when it's not possible to drop root privileges (2.56 KB, patch) 2008-01-23 15:15 UTC, Lubomir Kundrak	no flags	Details \| Diff
Show Obsolete (1) View All

Description Lubomir Kundrak 2007-12-14 21:34:09 UTC

The SUSE bug [1] states that we don't check a return value of setuid() to see if
we were able to drop privilegies. User can cause the call to fail by exhausting
the resources in some cases, please add the check. Thanks!

[1] https://bugzilla.novell.com/show_bug.cgi?id=347822

Comment 1 Lubomir Kundrak 2007-12-20 12:40:23 UTC

Created attachment 290146 [details]
Fail when it's not possible to drop root privileges

Lennart -- could it be done like this?

Comment 2 Lubomir Kundrak 2008-01-23 15:15:13 UTC

Created attachment 292647 [details]
Fail when it's not possible to drop root privileges

Comment 3 Lennart Poettering 2008-01-24 01:24:45 UTC

That patch is fine! Lubomir, thanks a lot for fixing this much faster than I could.

I have now merged a different patch into upstream SVN, because I initially
wasn't aware of yours. But yours is fine, too.

http://pulseaudio.org/changeset/2100

Comment 4 Fedora Update System 2008-01-24 21:59:25 UTC

pulseaudio-0.9.8-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-01-24 22:01:58 UTC

pulseaudio-0.9.6-2.fc7.1 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.