REDHAT-BUG-510071: Race Condition
Tavis Ormandy and Julien Tinnes, Google Security Team, discovered a flaw in the pulseaudio, that allows local users to escalate their privileges to root, if pulseaudio is installed as setuid.
When pulseaudio is built on Linux system with compiler optimization enabled, it tries to re-exec itself with LDBINDNOW environment variable set to 1.
http://git.0pointer.de/?p=pulseaudio.git;a=blob;f=src/daemon/main.c;h=b58bb379#l403
This happens before root privileges are dropped. Command to execute is extracted from /proc. This way is prone to race condition and can allow local user to execute different command with root privileges.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-510071?
The severity of REDHAT-BUG-510071 is critical due to the potential for local privilege escalation to root.
How do I fix REDHAT-BUG-510071?
To fix REDHAT-BUG-510071, it is recommended to disable setuid for pulseaudio or to apply any available patches from the vendor.
Who is affected by REDHAT-BUG-510071?
Local users on systems where pulseaudio is installed with setuid permissions are affected by REDHAT-BUG-510071.
What versions of pulseaudio are impacted by REDHAT-BUG-510071?
All versions of pulseaudio that are built with setuid permissions are impacted by REDHAT-BUG-510071.
What types of systems are likely to be affected by REDHAT-BUG-510071?
Linux systems with pulseaudio installed as setuid are likely to be affected by REDHAT-BUG-510071.