CVE-2008-0008

Summary

CVE	CVE-2008-0008
State	PUBLISHED
Assigner	redhat
Source Priority	CVE Program / NVD first with legacy fallback
Published	2008-01-29 00:00:00 UTC
Updated	2026-04-23 00:35:47 UTC
Description	The pa_drop_root function in PulseAudio 0.9.8, and a certain 0.9.9 build, does not check return values from (1) setresuid, (2) setreuid, (3) setuid, and (4) seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail via attacks such as resource exhaustion.

Risk And Classification

Primary CVSS: v2.0 7.2 from [email protected]

AV:L/AC:L/Au:N/C:C/I:C/A:C

Problem Types: CWE-20 | n/a

CVSS v2.0 Breakdown

Access Vector

Local

Access Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Mandrakesoft	Mandrake Linux	2007.1	All	All	All
Operating System	Mandrakesoft	Mandrake Linux	2007.1	All	x86_64	All
Operating System	Mandrakesoft	Mandrake Linux	2008.0	All	All	All
Operating System	Mandrakesoft	Mandrake Linux	2008.0	All	x86_64	All
Application	Pulseaudio	Pulseaudio	0.9.6	All	All	All
Application	Pulseaudio	Pulseaudio	0.9.8	All	All	All
Operating System	Redhat	Fedora	7	All	All	All
Operating System	Redhat	Fedora	8	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified

References

Reference	Source	Link	Tags
Gentoo Bug 207214 - media-sound/pulseaudio < 0.9.9 Pulseaudio ignores setuid() return value (CVE-2008-0008)	af854a3a-2127-422b-91ae-364da2661108	bugs.gentoo.org	Third Party Advisory
Bug 425481 – CVE-2008-0008 Pulseaudio ignores setuid() return value	af854a3a-2127-422b-91ae-364da2661108	bugzilla.redhat.com	Issue Tracking
[SECURITY] Fedora 7 Update: pulseaudio-0.9.6-2.fc7.1	af854a3a-2127-422b-91ae-364da2661108	www.redhat.com	Third Party Advisory
IBM X-Force Exchange	af854a3a-2127-422b-91ae-364da2661108	exchange.xforce.ibmcloud.com	VDB Entry
PulseAudio	af854a3a-2127-422b-91ae-364da2661108	pulseaudio.org	Exploit
Pulseaudio: Privilege escalation — Gentoo Linux Documentation	af854a3a-2127-422b-91ae-364da2661108	security.gentoo.org	Third Party Advisory
Gentoo update for pulseaudio - Advisories - Secunia	af854a3a-2127-422b-91ae-364da2661108	secunia.com	Vendor Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	af854a3a-2127-422b-91ae-364da2661108	www.vupen.com	Vendor Advisory
[SECURITY] Fedora 8 Update: pulseaudio-0.9.8-5.fc8	af854a3a-2127-422b-91ae-364da2661108	www.redhat.com	Third Party Advisory
Bug 347822 – AUDIT-0: PulseAudio permissions	af854a3a-2127-422b-91ae-364da2661108	bugzilla.novell.com	Issue Tracking
Fedora update for pulseaudio - Advisories - Secunia	af854a3a-2127-422b-91ae-364da2661108	secunia.com	Vendor Advisory
PulseAudio Local Privilege Escalation Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com	Third Party Advisory, VDB Entry
[pulseaudio-discuss] [ANNOUNCE] PulseAudio 0.9.9	af854a3a-2127-422b-91ae-364da2661108	tango.0pointer.de	Broken Link
Advisories \| Mandriva	af854a3a-2127-422b-91ae-364da2661108	www.mandriva.com	Third Party Advisory
Debian update for pulseaudio - Advisories - Secunia	af854a3a-2127-422b-91ae-364da2661108	secunia.com	Vendor Advisory
Ubuntu update for pulseaudio - Advisories - Secunia	af854a3a-2127-422b-91ae-364da2661108	secunia.com	Vendor Advisory
USN-573-1: PulseAudio vulnerability \| Ubuntu	af854a3a-2127-422b-91ae-364da2661108	www.ubuntu.com	Third Party Advisory
Debian -- Security Information -- DSA-1476-1 pulseaudio	af854a3a-2127-422b-91ae-364da2661108	www.debian.org	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.