The pa_drop_root function in PulseAudio 0.9.8, and a certain 0.9.9 build, does not check return values from (1) setresuid, (2) setreuid, (3) setuid, and (4) seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail via attacks such as resource exhaustion.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pulseaudio | pulseaudio | 0.9.8 |
| pulseaudio | pulseaudio | 0.9.6 |
The pa_make_secure_dir function in core-util.c in PulseAudio 0.9.10 and 0.9.19 allows local users to change the ownership and permissions of arbitrary files via a symlink attack on a /tmp/.esd-##### temporary file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pulseaudio | pulseaudio | 0.9.19 |
| pulseaudio | pulseaudio | 0.9.10 |
Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local users to gain privileges via vectors involving creation of a hard link, related to the application setting LD_BIND_NOW to 1, and then calling execv on the target of the /proc/self/exe symlink.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pulseaudio | pulseaudio | 0.9.14 |
| pulseaudio | pulseaudio | 0.9.9 |
| pulseaudio | pulseaudio | 0.9.10 |
The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of service (assertion failure and abort) via an empty UDP packet.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pulseaudio | pulseaudio | 5.0 |
| pulseaudio | pulseaudio | 1.0 |
| pulseaudio | pulseaudio | 4.0 |
| pulseaudio | pulseaudio | 1.99.1 |
| pulseaudio | pulseaudio | 2.1 |
| pulseaudio | pulseaudio | 3.0 |
| pulseaudio | pulseaudio | 1.1 |
| pulseaudio | pulseaudio | 1.99.2 |
| pulseaudio | pulseaudio | 2.0 |
An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback or audio-record via unloading the pulseaudio snap policy module. This issue affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2;
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
| security@ubuntu.com | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-284,CWE-668,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 18.04 |
| pulseaudio | pulseaudio | * |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 19.10 |
| canonical | ubuntu_linux | 20.04 |
Ubuntu's implementation of pulseaudio can be crashed by a malicious program if a bluetooth headset is connected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@ubuntu.com | 4.0 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H | 0.3 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pulseaudio | pulseaudio | - |