Insecure temporary file creation

Bug #509008 reported by Dan Rosenberg
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pulseaudio (Ubuntu)
Fix Released

Bug Description

Binary package hint: pulseaudio

Because of the way it creates temporary folders, Pulseaudio may be exploited to create denial-of-service conditions or possibly disclose sensitive information to unprivileged users. This behavior has been confirmed in pulseaudio 0.9.19 on Ubuntu Karmic (package version 1:0.9.19-0ubuntu4).

On launching, Pulseaudio creates a temporary folder and opens a Unix socket within that folder. The folder is named in a predictable way: "/tmp/.esd-[uid]", where [uid] is the ID of the user executing the pulseaudio process. After creating this temporary folder (or if the folder already exists), the folder is chown()'d to the UID and GID of the user executing the process, and subsequently chmod()'d to 0700 (if not running in "system mode") or 0755 (if running in "system mode"). The relevant code can be found in the pa_make_secure_dir() function in src/pulsecore/core-util.c, line 196. This function is called to perform the temporary folder creation in the pa__init() function in src/modules/module-protocol-stub.c, line 342, via pa_make_secure_parent_dir().

Because Pulseaudio performs the chown() and chmod() calls regardless of whether or not the directory already exists, and fails to check for symbolic links, an unprivileged user can perform an attack as follows. If the root user does not have a temporary directory (which is especially plausible if /tmp is cleared periodically), an attacker could create a symbolic link named /tmp/.esd-0 pointing to an arbitrary file or folder on the system. The next time the root user launches pulseaudio, the file or folder pointed to by this symbolic link will be chown()'d to root and chmod()'d appropriately. Alternately, if an attacker rapidly alternates the symlink to point to two different files, one file may be chown()'d and the other chmod()'d. If running in "system mode", this could result in information disclosure of sensitive files. Otherwise, this could be used to create denial-of-service conditions, for example by removing access to important system utilities, changing permissions of users' files, removing setuid bits on setuid applications, and so on. An attacker could also target a non-privileged user, changing permissions on their files, which would most likely just be an annoyance, but could also cause denial-of-service conditions if applications (such as sshd) require certain permissions on files.

This vulnerability can be resolved by aborting the chown() and chmod() operations if a symbolic link is detected. I wouldn't describe this vulnerability's impact as particularly high, especially since Ubuntu by default does not encourage the existence of a root user, but I think it's something worth addressing.

Revision history for this message
Kees Cook (kees) wrote :

Hi! Thanks for this report. Yes, it seems that PA is not correctly creating this directory. Luckily, root doesn't start pulseaudio normally, but this is still a problem. I'll investigate further and get back you.

Kees Cook (kees)
Changed in pulseaudio (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Dan Rosenberg (dan-j-rosenberg) wrote :

I've attached a fix for this issue. I modified the configure script to check for fstat, fchmod, and fchown, and adjusted the relevant code in core-util.c to use these functions properly. Please confirm that the right person received the patch - if I don't hear anything in a week, I'll try contacting upstream directly.

Revision history for this message
Kees Cook (kees) wrote :

Updated the patch to use "-u" for improved readability. Sent an email to upstream and vendor-sec requesting a CRD of Mar 16th. Thanks!

Kees Cook (kees)
Changed in pulseaudio (Ubuntu):
status: Confirmed → Triaged
Revision history for this message
Kees Cook (kees) wrote :
Revision history for this message
Kees Cook (kees) wrote :


Kees Cook (kees)
visibility: private → public
tags: added: patch
Kees Cook (kees)
tags: added: patch-needs-work
removed: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:0.9.22~0.9.21+stable-queue-32-g8478-0ubuntu12

pulseaudio (1:0.9.22~0.9.21+stable-queue-32-g8478-0ubuntu12) lucid; urgency=low

  * debian/pulseaudio.init: Remove udev from Required-* LSB headers
    (LP: #432301)
  * debian/patches/:
    + 0095-cve-2009-1299.patch: Fix insecure temporary file creation;
      pulled from upstream stable-queue d3efa43; CVE-2009-1299.
      (LP: #509008)
    + 0096-lp533877-handle-digmic.patch: Prefer the built-in digital
      mic on newer Dells, e.g., XPS 1330. (LP: #533877)
    + 0097-regenerate-configure.patch: Apply changes from stable-queue
      f9b31fe (gobject linking) and d3efa43 above.
 -- Daniel T Chen <email address hidden> Wed, 10 Mar 2010 18:53:51 -0500

Changed in pulseaudio (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.