rpms/pulseaudio/EL-5 pulseaudio-0.9.10-CVE-2009-1894.patch, NONE, 1.1 pulseaudio.spec, 1.4, 1.5

Lubomir Rintel lkundrak at fedoraproject.org
Thu Jul 16 14:58:12 UTC 2009


Author: lkundrak

Update of /cvs/pkgs/rpms/pulseaudio/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20020

Modified Files:
	pulseaudio.spec 
Added Files:
	pulseaudio-0.9.10-CVE-2009-1894.patch 
Log Message:
* Thu Jul 16 2009 Lubomir Rintel <lkundrak at v3.sk> 0.9.10-1.2
- Fix CVE-2009-1894


pulseaudio-0.9.10-CVE-2009-1894.patch:

--- NEW FILE pulseaudio-0.9.10-CVE-2009-1894.patch ---
Reexec only after the privileges have been dropped.
Fix http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html

Lubomir Rintel <lkundrak at v3.sk>

diff -up pulseaudio-0.9.10/src/daemon/main.c.CVE-2009-1894 pulseaudio-0.9.10/src/daemon/main.c
--- pulseaudio-0.9.10/src/daemon/main.c.CVE-2009-1894	2009-07-16 16:43:49.000000000 +0200
+++ pulseaudio-0.9.10/src/daemon/main.c	2009-07-16 16:54:34.000000000 +0200
@@ -342,25 +342,6 @@ int main(int argc, char *argv[]) {
 #endif
 
 
-#if defined(__linux__) && defined(__OPTIMIZE__)
-    /*
-       Disable lazy relocations to make usage of external libraries
-       more deterministic for our RT threads. We abuse __OPTIMIZE__ as
-       a check whether we are a debug build or not.
-    */
-
-    if (!getenv("LD_BIND_NOW")) {
-        char *rp;
-
-        /* We have to execute ourselves, because the libc caches the
-         * value of $LD_BIND_NOW on initialization. */
-
-        putenv(pa_xstrdup("LD_BIND_NOW=1"));
-        pa_assert_se(rp = pa_readlink("/proc/self/exe"));
-        pa_assert_se(execv(rp, argv) == 0);
-    }
-#endif
-
 #ifdef HAVE_GETUID
     real_root = getuid() == 0;
     suid_root = !real_root && geteuid() == 0;
@@ -389,6 +370,25 @@ int main(int argc, char *argv[]) {
      * we were started SUID. If we are started as normal root, than we
      * still are normal root. */
 
+#if defined(__linux__) && defined(__OPTIMIZE__)
+    /*
+       Disable lazy relocations to make usage of external libraries
+       more deterministic for our RT threads. We abuse __OPTIMIZE__ as
+       a check whether we are a debug build or not.
+    */
+
+    if (!getenv("LD_BIND_NOW")) {
+        char *rp;
+
+        /* We have to execute ourselves, because the libc caches the
+         * value of $LD_BIND_NOW on initialization. */
+
+        putenv(pa_xstrdup("LD_BIND_NOW=1"));
+        pa_assert_se(rp = pa_readlink("/proc/self/exe"));
+        pa_assert_se(execv(rp, argv) == 0);
+    }
+#endif
+
     setlocale(LC_ALL, "");
     pa_log_set_maximal_level(PA_LOG_INFO);
     pa_log_set_ident("pulseaudio");
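Review bot: Nothing in the relocated block confirms that the privilege drop this patch relies on actually took effect before `execv(rp, argv)` runs on the path read from `/proc/self/exe`, so the fix holds only by placement. Adding `pa_assert_se(!suid_root || geteuid() != 0);` immediately before the `getenv("LD_BIND_NOW")` test would turn that ordering into an enforced invariant. Per the context comment, a process started as real root is still root at this point and still re-executes through the readlinked path; that is presumably intended, but a short comment saying so would help the next reader. Since `execv` returns only on failure, the `== 0` comparison can never be true, and a comment such as `/* execv returns only on error; abort rather than continue */` would make that intent explicit. main() starts and ends outside this hunk, so the drop itself is not visible here.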


Index: pulseaudio.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pulseaudio/EL-5/pulseaudio.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- pulseaudio.spec	19 Apr 2008 13:05:25 -0000	1.4
+++ pulseaudio.spec	16 Jul 2009 14:57:42 -0000	1.5
@@ -3,10 +3,11 @@
 Name:		pulseaudio
 Summary: 	Improved Linux sound server
 Version:	0.9.10
-Release:	1%{?dist}.1
+Release:	1%{?dist}.2
 License:	GPLv2+
 Group:		System Environment/Daemons
 Source0:	http://0pointer.de/lennart/projects/pulseaudio/pulseaudio-%{version}.tar.gz
+Patch0:         pulseaudio-0.9.10-CVE-2009-1894.patch
 URL:		http://pulseaudio.org
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: tcp_wrappers
@@ -149,6 +150,7 @@ This package contains command line utili
 
 %prep
 %setup -q -T -b0
+%patch0 -p1 -b .CVE-2009-1894
 
 %build
 %configure --disable-ltdl-install --disable-static --disable-rpath --with-system-user=pulse --with-system-group=pulse --with-realtime-group=pulse-rt --with-access-group=pulse-access
@@ -368,7 +370,10 @@ fi
 %{_mandir}/man1/pax11publish.1.gz
 
 %changelog
-* Sun Mar 30 2008 Lennart Poettering <lpoetter at redhat.com> 0.9.10-1.1
+* Thu Jul 16 2009 Lubomir Rintel <lkundrak at v3.sk> 0.9.10-1.2
+- Fix CVE-2009-1894
+
+* Sun Mar 30 2008 Lubomir Rintel <lkundrak at v3.sk> 0.9.10-1.1
 - Adjust for EPEL:
 - Remove LIRC support
 - Do not obsolete esound



