PT-2009-4355 · Pulseaudio · Pulseaudio

Julien Tinnes +1 · Published 2009-07-17 · Updated 2023-02-13 · CVE-2009-1894

CVSS v2.0: 7.2 High
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: PulseAudio versions 0.9.9 through 0.9.14
Description: A race condition exists that allows local users to gain privileges. This issue involves the creation of a hard link and is related to the application setting LD_BIND_NOW to 1, and then calling execv() on the target of the /proc/self/exe symlink.
Recommendations: For PulseAudio versions 0.9.9 through 0.9.14, consider restricting access to the execv() function call until a patch is available. As a temporary workaround, avoid setting LD_BIND_NOW to 1 to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration: Race Condition
Related Identifiers: CVE-2009-1894, DSA-1838-1
Affected Products: Pulseaudio