CVE-2009-1894: Race Condition
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LDBINDNOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
Other sources
Tavis Ormandy and Julien Tinnes, Google Security Team, discovered a flaw in the pulseaudio, that allows local users to escalate their privileges to root, if pulseaudio is installed as setuid.
When pulseaudio is built on Linux system with compiler optimization enabled, it tries to re-exec itself with LDBINDNOW environment variable set to 1.
http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/main.c;h=b58bb379#l403
This happens before root privileges are dropped. Command to execute is extracted from /proc. This way is prone to race condition and can allow local user to execute different command with root privileges.
— Red Hat
Affected Software
Remediation
Patch Available
Patch Available
Event History
Frequently Asked Questions
What is the severity of CVE-2009-1894?
CVE-2009-1894 is classified as a high severity vulnerability due to its potential to allow local users to gain elevated privileges.
How do I fix CVE-2009-1894?
To fix CVE-2009-1894, upgrade PulseAudio to a version later than 0.9.14 where the race condition has been addressed.
Which versions of PulseAudio are affected by CVE-2009-1894?
PulseAudio versions 0.9.9, 0.9.10, and 0.9.14 are affected by CVE-2009-1894.
What type of vulnerability is CVE-2009-1894?
CVE-2009-1894 is a race condition vulnerability that can be exploited to achieve privilege escalation.
What systems are vulnerable to CVE-2009-1894?
Any system running the affected versions of PulseAudio, typically found in Unix-like operating systems, is vulnerable to CVE-2009-1894.