CVE-2020-15710 – Potential double-free in pulseaudio
https://notcve.org/view.php?id=CVE-2020-15710
Potential double free in Bluez 5 module of PulseAudio could allow a local attacker to leak memory or crash the program. The modargs variable may be freed twice in the fail condition in src/modules/bluetooth/module-bluez5-device.c and src/modules/bluetooth/module-bluez5-device.c. Fixed in 1:8.0-0ubuntu3.14. Una potencial doble liberación en el módulo Bluez 5 de PulseAudio, podría permitir a un atacante local perder memoria o bloquear el programa. La variable modargs puede ser liberada dos veces en una condición de fallo en los archivos src/modules/bluetooth/module-bluez5-device.c y src/modules/bluetooth/module-bluez5-device.c. • https://launchpad.net/bugs/1884738 https://ubuntu.com/USN-4519-1 • CWE-415: Double Free •
CVE-2020-11931 – Ubuntu modifications to pulseaudio to provide snap security enforcement could be unloaded
https://notcve.org/view.php?id=CVE-2020-11931
An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback or audio-record via unloading the pulseaudio snap policy module. This issue affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2; Una modificación específica de Ubuntu para Pulseaudio para proporcionar mediación de seguridad para aplicaciones empaquetadas de Snap se encontró que presenta una omisión de la restricción de acceso prevista para los snaps que conecta cualquiera pulseaudio, audio-playback o audio-record mediante la descarga del módulo de la política de snap de pulseaudio. Este problema afecta a: pulseaudio versiones 1:8.0 anteriores a 1:8.0-0ubuntu3.12; versiones 1:11.1 anteriores a 1:11.1-1ubuntu7.7; versiones 1:13.0 anteriores a 1:13.0-1ubuntu1.2; versiones 1:13.99.1 anteriores a 1:13.99.1-1ubuntu3.2; • https://forum.snapcraft.io/t/audio-switcher-pulseaudio-interface-auto-connect-request/16648/3 https://usn.ubuntu.com/4355-1 • CWE-284: Improper Access Control CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2014-3970
https://notcve.org/view.php?id=CVE-2014-3970
The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of service (assertion failure and abort) via an empty UDP packet. La función pa_rtp_recv en modules/rtp/rtp.c en el módulo module-rtp-recv en PulseAudio 5.0 y anteriores permite a atacantes remotos causar una denegación de servicio (fallo de aserción y abortar) a través de un paquete UDP vacío. • http://advisories.mageia.org/MGASA-2014-0440.html http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html http://seclists.org/oss-sec/2014/q2/429 http://seclists.org/oss-sec/2014/q2/437 http://secunia.com/advisories/60624 http://www.mandriva.com/security/advisories?name=MDVSA-2015:134 http://www.securityfocus.com/bid/67814 •
CVE-2009-1299
https://notcve.org/view.php?id=CVE-2009-1299
The pa_make_secure_dir function in core-util.c in PulseAudio 0.9.10 and 0.9.19 allows local users to change the ownership and permissions of arbitrary files via a symlink attack on a /tmp/.esd-##### temporary file. La v0.9.10 y v0.9.19 permite a usuarios locales modificar el propietario y permisos de ficheros de su elección a través de ataque de enlaces simbólicos sobre un fichero temporal /tmp/.esd-#####. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573615 http://git.0pointer.de/?p=pulseaudio.git%3Ba=patch%3Bh=d3efa43d85ac132c6a5a416a2b6f2115f5d577ee http://www.debian.org/security/2010/dsa-2017 http://www.mandriva.com/security/advisories?name=MDVSA-2010:124 http://www.vupen.com/english/advisories/2010/1570 https://bugs.edge.launchpad.net/ubuntu/+source/pulseaudio/+bug/509008 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2009-1894 – PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2009-1894
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink. Condición de carrera en PulseAudio v0.9.9, v0.9.10, y v0.9.14 permite a usuarios locales conseguir privilegios a través de vectores que implican la creación de "hard links", relativo a fijar la configuración de LD_BIND_NOW a 1, y entonces, llamar a execv con el objetivo /proc/self/exe symlink. • https://www.exploit-db.com/exploits/9208 https://www.exploit-db.com/exploits/9207 http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html http://secunia.com/advisories/35868 http://secunia.com/advisories/35886 http://secunia.com/advisories/35896 http://security.gentoo.org/glsa/glsa-200907-13.xml http://taviso.decsystem.org/research.html http://www.akitasecurity.nl/advisory.php?id=AK20090602 http://www.debian.org/security/2009/dsa-1838 http://www.mand • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •