_______________________________________________________________________
Package : pulseaudio
Date : July 17, 2009
Affected: 2008.1, 2009.0, 2009.1
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in pulseaudio:
Tavis Ormandy and Julien Tinnes of the Google Security Team discovered
that pulseaudio, when installed setuid root, does not drop privileges
before re-executing itself to achieve immediate bindings. This can
be exploited by a user who has write access to any directory on the
file system containing /usr/bin to gain local root access. The user
needs to exploit a race condition related to creating a hard link
(CVE-2009-1894).
This update provides fixes for this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1894
_______________________________________________________________________