Bug 510071 (CVE-2009-1894) - CVE-2009-1894 pulseaudio: privilege escalation flaw via pulseaudio re-exec
Summary: CVE-2009-1894 pulseaudio: privilege escalation flaw via pulseaudio re-exec
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-1894
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-07 15:42 UTC by Tomas Hoger
Modified: 2019-09-29 12:30 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-29 14:47:48 UTC
Embargoed:


Attachments (Terms of Use)
Proposed patch from Diego E. Pettenò (3.19 KB, patch)
2009-07-08 15:23 UTC, Tomas Hoger
no flags Details | Diff

Description Tomas Hoger 2009-07-07 15:42:02 UTC
Tavis Ormandy and Julien Tinnes, Google Security Team, discovered a flaw in the pulseaudio, that allows local users to escalate their privileges to root, if pulseaudio is installed as setuid.

When pulseaudio is built on Linux system with compiler optimization enabled, it tries to re-exec itself with LD_BIND_NOW environment variable set to 1.

http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/main.c;h=b58bb379#l403

This happens before root privileges are dropped.  Command to execute is extracted from /proc.  This way is prone to race condition and can allow local user to execute different command with root privileges.

Comment 2 Tomas Hoger 2009-07-07 15:43:51 UTC
Some vendors wanted an embargo date of Jul9, please do not make public commits before that date.

Comment 3 Tomas Hoger 2009-07-07 15:55:58 UTC
This issue does not seem to affect current Fedora pulseaudio packages.  Due to the bug (feature?) in .spec file, compilation of pulseaudio packages does not use standard RPM CFLAGS, rather only sets them to '-ggdb'.  From build.log:

+ CFLAGS=-ggdb
+ export CFLAGS
+ CXXFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'
+ export CXXFLAGS
+ FFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -I/usr/lib/gfortran/modules'
+ export FFLAGS

Therefore, the affected code is not compiled in.  I've verified with F10 that pulseaudio does not try to re-exec itself, F11 build.log shows that standard RPM CFLAGS are not use there as well.

I've not checked EPEL-5 packages yet, though the .spec file there does not override CFLAGS.

Comment 4 Tomas Hoger 2009-07-07 16:44:20 UTC
EPEL-5 packages are affected, as they do try to re-exec pulseaudio.

Comment 6 Tomas Hoger 2009-07-08 15:23:50 UTC
Created attachment 350952 [details]
Proposed patch from Diego E. Pettenò

Removes unsafe re-exec, forces non-lazy runtime binding via build options.

Comment 7 Tomas Hoger 2009-07-16 14:27:29 UTC
Public now via Julien's blog post:
  http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html

Comment 8 Fedora Update System 2009-07-16 15:28:26 UTC
pulseaudio-0.9.10-1.el5.2 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/pulseaudio-0.9.10-1.el5.2

Comment 9 Fedora Update System 2009-07-16 20:07:03 UTC
pulseaudio-0.9.10-1.el5.2 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Jan Lieskovsky 2009-07-18 09:58:04 UTC
MITRE's CVE-2009-1894 entry:

Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local
users to gain privileges via vectors involving creation of a hard
link, related to the application setting LD_BIND_NOW to 1, and then
calling execv on the target of the /proc/self/exe symlink.

References:
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1894
http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html
http://taviso.decsystem.org/research.html
https://admin.fedoraproject.org/updates/pulseaudio-0.9.10-1.el5.2
http://security.gentoo.org/glsa/glsa-200907-13.xml
http://www.ubuntu.com/usn/usn-804-1
http://www.securityfocus.com/bid/35721

Comment 11 Tomas Hoger 2009-07-18 10:13:24 UTC
Advisory with PoC from Yorick Koster (Akita Security):
  http://www.akitasecurity.nl/advisory.php?id=AK20090602

Comment 12 Lennart Poettering 2009-07-28 21:56:47 UTC
Hmm, not sure what the workflow here is for dealing with security fixes. The version in Rawhide is fixed now, and I guess there's not much to do in that area. I've also prepped an updated package for F11, which is in koji now, but I didn't push it yet, since I didn't really know which workflow to follow.

http://koji.fedoraproject.org/koji/taskinfo?taskID=1553720

Comment 13 Tomas Hoger 2009-07-29 06:18:22 UTC
Lennart, is my assessment of Fedora packages not being affected by this issue incorrect? (see comment #3)

In general, process for security updates does not differ much from other updates.  Just create bodhi update request, using type 'security' and adding all relevant bug report to references.

Comment 14 Lennart Poettering 2009-07-29 13:39:54 UTC
Hmm, yes, you seem to be right, Fedora isn't affected. That -ggdb Mathias added, I wonder what that's good for.

Here's the commit that introduced that:

http://cvs.fedoraproject.org/viewvc/devel/pulseaudio/pulseaudio.spec?r1=1.59&r2=1.60

/me goes and asks mclasen about that.

Comment 15 Lennart Poettering 2009-07-29 14:29:21 UTC
Apparently Mathias accidently commited debug stuff, so I have removed that now for Rwhide.

I this bug report can be closed now since everything's fixed.

Comment 16 Tomas Hoger 2009-07-29 14:39:13 UTC
Yup, with just warning.  If -ggdb is dropped in F10 in some future package update, it should not be done without extra patch for this being added.  I see the patch in F11 CVS, so F11 should be safe even if CFLAGS are updates in the future.


Note You need to log in before you can comment on or make changes to this bug.