Bug 425481 (CVE-2008-0008) - CVE-2008-0008 Pulseaudio ignores setuid() return value
Summary: CVE-2008-0008 Pulseaudio ignores setuid() return value
Status: CLOSED ERRATA
Alias: CVE-2008-0008
Product: Fedora
Classification: Fedora
Component: pulseaudio
Version: 8
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Lennart Poettering
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-14 21:34 UTC by Lubomir Kundrak
Modified: 2008-01-24 22:01 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2008-01-24 21:59:26 UTC


Attachments (Terms of Use)
Fail when it's not possible to drop root privileges (2.94 KB, patch)
2007-12-20 12:40 UTC, Lubomir Kundrak
no flags Details | Diff
Fail when it's not possible to drop root privileges (2.56 KB, patch)
2008-01-23 15:15 UTC, Lubomir Kundrak
no flags Details | Diff

Description Lubomir Kundrak 2007-12-14 21:34:09 UTC
The SUSE bug [1] states that we don't check a return value of setuid() to see if
we were able to drop privilegies. User can cause the call to fail by exhausting
the resources in some cases, please add the check. Thanks!

[1] https://bugzilla.novell.com/show_bug.cgi?id=347822

Comment 1 Lubomir Kundrak 2007-12-20 12:40:23 UTC
Created attachment 290146 [details]
Fail when it's not possible to drop root privileges

Lennart -- could it be done like this?

Comment 2 Lubomir Kundrak 2008-01-23 15:15:13 UTC
Created attachment 292647 [details]
Fail when it's not possible to drop root privileges

Comment 3 Lennart Poettering 2008-01-24 01:24:45 UTC
That patch is fine! Lubomir, thanks a lot for fixing this much faster than I could.

I have now merged a different patch into upstream SVN, because I initially
wasn't aware of yours. But yours is fine, too.

http://pulseaudio.org/changeset/2100

Comment 4 Fedora Update System 2008-01-24 21:59:25 UTC
pulseaudio-0.9.8-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-01-24 22:01:58 UTC
pulseaudio-0.9.6-2.fc7.1 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.