CVE-2008-0008
Summary
| CVE | CVE-2008-0008 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2008-01-29 00:00:00 UTC |
| Updated | 2024-01-09 02:46:00 UTC |
| Description | The pa_drop_root function in PulseAudio 0.9.8, and a certain 0.9.9 build, does not check return values from (1) setresuid, (2) setreuid, (3) setuid, and (4) seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail via attacks such as resource exhaustion. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Mandrakesoft | Mandrake Linux | 2007.1 | All | All | All |
| Operating System | Mandrakesoft | Mandrake Linux | 2007.1 | All | x86-64 | All |
| Operating System | Mandrakesoft | Mandrake Linux | 2007.1 | All | x86_64 | All |
| Operating System | Mandrakesoft | Mandrake Linux | 2008.0 | All | All | All |
| Operating System | Mandrakesoft | Mandrake Linux | 2008.0 | All | x86-64 | All |
| Operating System | Mandrakesoft | Mandrake Linux | 2008.0 | All | x86_64 | All |
| Application | Pulseaudio | Pulseaudio | 0.9.6 | All | All | All |
| Application | Pulseaudio | Pulseaudio | 0.9.8 | All | All | All |
| Operating System | Redhat | Fedora | 7 | All | All | All |
| Operating System | Redhat | Fedora | 8 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pulseaudio: Privilege escalation — Gentoo Linux Documentation | GENTOO | security.gentoo.org | |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| Webmail: Professional email solution - OVHcloud - OVH | VUPEN | www.vupen.com | Vendor Advisory |
| PulseAudio Local Privilege Escalation Vulnerability | BID | www.securityfocus.com | |
| PulseAudio | CONFIRM | pulseaudio.org | Exploit |
| USN-573-1: PulseAudio vulnerability \| Ubuntu | UBUNTU | www.ubuntu.com | |
| Debian -- Security Information -- DSA-1476-1 pulseaudio | DEBIAN | www.debian.org | |
| Debian update for pulseaudio - Advisories - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| [pulseaudio-discuss] [ANNOUNCE] PulseAudio 0.9.9 | MLIST | tango.0pointer.de | |
| Bug 347822 – AUDIT-0: PulseAudio permissions | CONFIRM | bugzilla.novell.com | |
| Fedora update for pulseaudio - Advisories - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| Advisories \| Mandriva | MANDRIVA | www.mandriva.com | |
| Ubuntu update for pulseaudio - Advisories - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| Gentoo Bug 207214 - media-sound/pulseaudio < 0.9.9 Pulseaudio ignores setuid() return value (CVE-2008-0008) | CONFIRM | bugs.gentoo.org | |
| Gentoo update for pulseaudio - Advisories - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| [SECURITY] Fedora 8 Update: pulseaudio-0.9.8-5.fc8 | FEDORA | www.redhat.com | |
| [SECURITY] Fedora 7 Update: pulseaudio-0.9.6-2.fc7.1 | FEDORA | www.redhat.com | |
| Bug 425481 – CVE-2008-0008 Pulseaudio ignores setuid() return value | CONFIRM | bugzilla.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.