[Pkg-pulseaudio-devel] Processing of pulseaudio_0.9.15-4.1_amd64.changes

2009-07-24 Thread Archive Administrator
pulseaudio_0.9.15-4.1_amd64.changes uploaded successfully to localhost
along with the files:
  pulseaudio_0.9.15-4.1.dsc
  pulseaudio_0.9.15-4.1.diff.gz
  pulseaudio_0.9.15-4.1_amd64.deb
  pulseaudio-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-utils_0.9.15-4.1_amd64.deb
  pulseaudio-utils-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-esound-compat_0.9.15-4.1_amd64.deb
  pulseaudio-esound-compat-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-module-zeroconf_0.9.15-4.1_amd64.deb
  pulseaudio-module-zeroconf-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-module-hal_0.9.15-4.1_amd64.deb
  pulseaudio-module-hal-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-module-jack_0.9.15-4.1_amd64.deb
  pulseaudio-module-jack-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-module-lirc_0.9.15-4.1_amd64.deb
  pulseaudio-module-lirc-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-module-gconf_0.9.15-4.1_amd64.deb
  pulseaudio-module-gconf-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-module-raop_0.9.15-4.1_amd64.deb
  pulseaudio-module-raop-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-module-bluetooth_0.9.15-4.1_amd64.deb
  pulseaudio-module-bluetooth-dbg_0.9.15-4.1_amd64.deb
  pulseaudio-module-x11_0.9.15-4.1_amd64.deb
  pulseaudio-module-x11-dbg_0.9.15-4.1_amd64.deb
  libpulse0_0.9.15-4.1_amd64.deb
  libpulse0-dbg_0.9.15-4.1_amd64.deb
  libpulse-mainloop-glib0_0.9.15-4.1_amd64.deb
  libpulse-mainloop-glib0-dbg_0.9.15-4.1_amd64.deb
  libpulse-browse0_0.9.15-4.1_amd64.deb
  libpulse-browse0-dbg_0.9.15-4.1_amd64.deb
  libpulse-dev_0.9.15-4.1_amd64.deb

Greetings,

Your Debian queue daemon

___
Pkg-pulseaudio-devel mailing list
Pkg-pulseaudio-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-pulseaudio-devel


[Pkg-pulseaudio-devel] pulseaudio_0.9.15-4.1_amd64.changes ACCEPTED

2009-07-24 Thread Archive Administrator

Accepted:
libpulse-browse0-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-browse0-dbg_0.9.15-4.1_amd64.deb
libpulse-browse0_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-browse0_0.9.15-4.1_amd64.deb
libpulse-dev_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-dev_0.9.15-4.1_amd64.deb
libpulse-mainloop-glib0-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-mainloop-glib0-dbg_0.9.15-4.1_amd64.deb
libpulse-mainloop-glib0_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.15-4.1_amd64.deb
libpulse0-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse0-dbg_0.9.15-4.1_amd64.deb
libpulse0_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse0_0.9.15-4.1_amd64.deb
pulseaudio-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-dbg_0.9.15-4.1_amd64.deb
pulseaudio-esound-compat-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-esound-compat-dbg_0.9.15-4.1_amd64.deb
pulseaudio-esound-compat_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-esound-compat_0.9.15-4.1_amd64.deb
pulseaudio-module-bluetooth-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-bluetooth-dbg_0.9.15-4.1_amd64.deb
pulseaudio-module-bluetooth_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-bluetooth_0.9.15-4.1_amd64.deb
pulseaudio-module-gconf-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-gconf-dbg_0.9.15-4.1_amd64.deb
pulseaudio-module-gconf_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-gconf_0.9.15-4.1_amd64.deb
pulseaudio-module-hal-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-hal-dbg_0.9.15-4.1_amd64.deb
pulseaudio-module-hal_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-hal_0.9.15-4.1_amd64.deb
pulseaudio-module-jack-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-jack-dbg_0.9.15-4.1_amd64.deb
pulseaudio-module-jack_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-jack_0.9.15-4.1_amd64.deb
pulseaudio-module-lirc-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-lirc-dbg_0.9.15-4.1_amd64.deb
pulseaudio-module-lirc_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-lirc_0.9.15-4.1_amd64.deb
pulseaudio-module-raop-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-raop-dbg_0.9.15-4.1_amd64.deb
pulseaudio-module-raop_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-raop_0.9.15-4.1_amd64.deb
pulseaudio-module-x11-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-x11-dbg_0.9.15-4.1_amd64.deb
pulseaudio-module-x11_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-x11_0.9.15-4.1_amd64.deb
pulseaudio-module-zeroconf-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-zeroconf-dbg_0.9.15-4.1_amd64.deb
pulseaudio-module-zeroconf_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-module-zeroconf_0.9.15-4.1_amd64.deb
pulseaudio-utils-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-utils-dbg_0.9.15-4.1_amd64.deb
pulseaudio-utils_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio-utils_0.9.15-4.1_amd64.deb
pulseaudio_0.9.15-4.1.diff.gz
  to pool/main/p/pulseaudio/pulseaudio_0.9.15-4.1.diff.gz
pulseaudio_0.9.15-4.1.dsc
  to pool/main/p/pulseaudio/pulseaudio_0.9.15-4.1.dsc
pulseaudio_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/pulseaudio_0.9.15-4.1_amd64.deb


Override entries for your package:
libpulse-browse0-dbg_0.9.15-4.1_amd64.deb - extra debug
libpulse-browse0_0.9.15-4.1_amd64.deb - optional sound
libpulse-dev_0.9.15-4.1_amd64.deb - optional libdevel
libpulse-mainloop-glib0-dbg_0.9.15-4.1_amd64.deb - extra debug
libpulse-mainloop-glib0_0.9.15-4.1_amd64.deb - optional sound
libpulse0-dbg_0.9.15-4.1_amd64.deb - extra debug
libpulse0_0.9.15-4.1_amd64.deb - optional libs
pulseaudio-dbg_0.9.15-4.1_amd64.deb - extra debug
pulseaudio-esound-compat-dbg_0.9.15-4.1_amd64.deb - extra debug
pulseaudio-esound-compat_0.9.15-4.1_amd64.deb - optional sound
pulseaudio-module-bluetooth-dbg_0.9.15-4.1_amd64.deb - extra debug
pulseaudio-module-bluetooth_0.9.15-4.1_amd64.deb - extra sound
pulseaudio-module-gconf-dbg_0.9.15-4.1_amd64.deb - extra debug
pulseaudio-module-gconf_0.9.15-4.1_amd64.deb - optional sound
pulseaudio-module-hal-dbg_0.9.15-4.1_amd64.deb - extra debug
pulseaudio-module-hal_0.9.15-4.1_amd64.deb - optional sound
pulseaudio-module-jack-dbg_0.9.15-4.1_amd64.deb - extra debug
pulseaudio-module-jack_0.9.15-4.1_amd64.deb - optional sound
pulseaudio-module-lirc-dbg_0.9.15-4.1_amd64.deb - extra debug
pulseaudio-module-lirc_0.9.15-4.1_amd64.deb - optional sound
pulseaudio-module-raop-dbg_0.9.15-4.1_amd64.deb - optional debug
pulseaudio-module-raop_0.9.15-4.1_amd64.deb - optional sound
pulseaudio-module-x11-dbg_0.9.15-4.1_amd64.deb - extra debug
pulseaudio-module-x11_0.9.15-4.1_amd64.deb - optional 

[Pkg-pulseaudio-devel] Accepted pulseaudio 0.9.15-4.1 (source amd64)

2009-07-24 Thread Nico Golde
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 24 Jul 2009 18:02:24 +0200
Source: pulseaudio
Binary: pulseaudio pulseaudio-dbg pulseaudio-utils pulseaudio-utils-dbg 
pulseaudio-esound-compat pulseaudio-esound-compat-dbg 
pulseaudio-module-zeroconf pulseaudio-module-zeroconf-dbg pulseaudio-module-hal 
pulseaudio-module-hal-dbg pulseaudio-module-jack pulseaudio-module-jack-dbg 
pulseaudio-module-lirc pulseaudio-module-lirc-dbg pulseaudio-module-gconf 
pulseaudio-module-gconf-dbg pulseaudio-module-raop pulseaudio-module-raop-dbg 
pulseaudio-module-bluetooth pulseaudio-module-bluetooth-dbg 
pulseaudio-module-x11 pulseaudio-module-x11-dbg libpulse0 libpulse0-dbg 
libpulse-mainloop-glib0 libpulse-mainloop-glib0-dbg libpulse-browse0 
libpulse-browse0-dbg libpulse-dev
Architecture: source amd64
Version: 0.9.15-4.1
Distribution: unstable
Urgency: high
Maintainer: Pulseaudio maintenance team <pkg-pulseaudio-devel@lists.alioth.debian.org>
Changed-By: Nico Golde n...@debian.org
Description: 
 libpulse-browse0 - PulseAudio client libraries (zeroconf support)
 libpulse-browse0-dbg - PulseAudio client libraries (zeroconf support) debugging symbols
 libpulse-dev - PulseAudio client development headers and libraries
 libpulse-mainloop-glib0 - PulseAudio client libraries (glib support)
 libpulse-mainloop-glib0-dbg - PulseAudio client libraries (glib support) debugging symbols
 libpulse0  - PulseAudio client libraries
 libpulse0-dbg - PulseAudio client libraries detached debugging symbols
 pulseaudio - PulseAudio sound server
 pulseaudio-dbg - PulseAudio sound server detached debugging symbols
 pulseaudio-esound-compat - PulseAudio ESD compatibility layer
 pulseaudio-esound-compat-dbg - PulseAudio ESD compatibility layer debugging symbols
 pulseaudio-module-bluetooth - Bluetooth module for PulseAudio sound server
 pulseaudio-module-bluetooth-dbg - Bluetooth module for PulseAudio sound server
 pulseaudio-module-gconf - GConf module for PulseAudio sound server
 pulseaudio-module-gconf-dbg - GConf module for PulseAudio sound server debugging symbols
 pulseaudio-module-hal - HAL device detection module for PulseAudio sound server
 pulseaudio-module-hal-dbg - HAL module for PulseAudio sound server debugging symbols
 pulseaudio-module-jack - jackd modules for PulseAudio sound server
 pulseaudio-module-jack-dbg - jackd modules for PulseAudio sound server debugging symbols
 pulseaudio-module-lirc - lirc module for PulseAudio sound server
 pulseaudio-module-lirc-dbg - lirc module for PulseAudio sound server debugging symbols
 pulseaudio-module-raop - RAOP module for PulseAudio sound server
 pulseaudio-module-raop-dbg - RAOP module for PulseAudio sound server
 pulseaudio-module-x11 - X11 module for PulseAudio sound server
 pulseaudio-module-x11-dbg - X11 module for PulseAudio sound server debugging symbols
 pulseaudio-module-zeroconf - Zeroconf module for PulseAudio sound server
 pulseaudio-module-zeroconf-dbg - Zeroconf module for PulseAudio sound server debugging symbols
 pulseaudio-utils - Command line tools for the PulseAudio sound server
 pulseaudio-utils-dbg - PulseAudio command line tools detached debugging symbols
Closes: 537351
Changes: 
 pulseaudio (0.9.15-4.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix race condition when reading /proc/self/exe and reloading the binary
     that leads to arbitrary code execution as pulseaudio is suid root
     + Use LDFLAGS to preload DSOs
     + regenerate autofoo
     (CVE-2009-1894; Closes: #537351).
Checksums-Sha1: 

[Pkg-pulseaudio-devel] Bug#537351: marked as done (pulsaudio: CVE-2009-1894 race allows privilege escalation to root)

2009-07-24 Thread Debian Bug Tracking System

Your message dated Fri, 24 Jul 2009 16:32:45 +
with message-id e1munhn-00012q...@ries.debian.org
and subject line Bug#537351: fixed in pulseaudio 0.9.15-4.1
has caused the Debian Bug report #537351,
regarding pulsaudio: CVE-2009-1894 race allows privilege escalation to root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
537351: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Source: pulseaudio
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pulseaudio.

CVE-2009-1894[0]:
| Race condition
| 
| If the PulseAudio binary is started on Linux systems, it checks if the
| LD_BIND_NOW environment variable is set. If this is not the case, PulseAudio
| will set the variable and it will reload itself. It tries to determine its path
| name by looking at the /proc/self/exe symbolic link. This symbolic link will
| point to the full path name of the current process.
| 
| int main(int argc, char *argv[]) {
| [...]
| #if defined(__linux__) && defined(__OPTIMIZE__)
|     /*
|       Disable lazy relocations to make usage of external libraries
|       more deterministic for our RT threads. We abuse __OPTIMIZE__ as
|       a check whether we are a debug build or not.
|     */
|
|     if (!getenv("LD_BIND_NOW")) {
|         char *rp;
|
|         /* We have to execute ourselves, because the libc caches the
|          * value of $LD_BIND_NOW on initialization. */
|
|         pa_set_env("LD_BIND_NOW", "1");
|         pa_assert_se(rp = pa_readlink("/proc/self/exe"));
|         pa_assert_se(execv(rp, argv) == 0);
|     }
| #endif
| 
| Normally, /proc/self/exe will point to something like /usr/bin/pulseaudio.
| However by using hard links, it is possible to cause /proc/self/exe to point to
| a different location.
| 
| $ cd /tmp
| $ ls -la /proc/self/exe
| lrwxrwxrwx 1 yorick yorick 0 2009-06-09 16:31 /proc/self/exe -> /bin/ls
| $ ln `which ls` ls
| $ ./ls -la /proc/self/exe
| lrwxrwxrwx 1 yorick yorick 0 2009-06-09 16:31 /proc/self/exe -> /tmp/ls
| 
| In addition, if a hard link is created, the SUID bit is preserved.
| 
| $ ln `which pulseaudio` pulseaudio
| $ ls -la pulseaudio 
| -rwsr-xr-x 2 root root 71616 2009-04-09 02:12 pulseaudio
| 
| A race condition exists in the reload mechanism of PulseAudio. An attacker
| can exploit this issue by creating a hard link pointing to the PulseAudio
| binary. After this it can execute this binary through the hard link. At this
| moment /proc/self/exe will point to the hard link. Before PulseAudio is
| restarted, the attacker can replace the hard link with a different (executable)
| file or (symbolic) link. If PulseAudio is restarted, it will use a path name
| that at this moment points to a different file, for example a command shell.
| Root privileges are not dropped when PulseAudio is reloading, thus allowing a
| local attacker to gain root privileges.
| 
| Please note, this attack is only possible if the attacker can create hard
| links on the same hard disk partition on which PulseAudio is installed (i.e.
| /usr/bin and /tmp reside on the same partition).

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Patch available at 
http://git.0pointer.de/?p=pulseaudio.git;a=commitdiff_plain;h=84200b423ebfa7e2dad9b1b65f64eac7bf3d2114;hp=ff252cb48d9bd827d262eb2633fecaff47c6fe5c

For further information see:

[0] http://www.akitasecurity.nl/advisory.php?id=AK20090602
http://security-tracker.debian.net/tracker/CVE-2009-1894

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.


---End Message---
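
The race in the advisory quoted above comes from `execv()` re-resolving a path name that was read from /proc/self/exe earlier. The following is an added example, not code from PulseAudio, the advisory or this upload (whose changelog lists "Use LDFLAGS to preload DSOs" as its fix): it shows a re-exec that is pinned to the running image's inode through a file descriptor instead of a path. The function names are this example's own, and it assumes Linux with /proc mounted and an ELF executable.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Open the image this process is running. open() on the /proc/self/exe magic
 * link reaches the executable's inode directly, so nothing is looked up by
 * name and a replaced directory entry cannot redirect it. */
int open_running_image(void) {
    return open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
}

/* 1 if `path` names the running image right now (same device and inode),
 * 0 if it names another file, -1 on error. Diagnostic only: the answer can
 * go stale at once, which is the flaw in readlink() followed by execv(). */
int path_is_running_image(const char *path) {
    struct stat self, cand;
    int rc = -1, fd = open_running_image();
    if (fd < 0)
        return -1;
    if (fstat(fd, &self) == 0 && stat(path, &cand) == 0)
        rc = (self.st_dev == cand.st_dev && self.st_ino == cand.st_ino);
    close(fd);
    return rc;
}

/* Re-execute the current image with LD_BIND_NOW set, by descriptor rather
 * than by path. Returns only on failure. */
int reexec_self_bind_now(char *const argv[]) {
    int fd;
    if (setenv("LD_BIND_NOW", "1", 1) != 0)
        return -1;
    if ((fd = open_running_image()) < 0)
        return -1;
    fexecve(fd, argv, environ);   /* executes the opened inode, no path lookup */
    close(fd);
    return -1;
}

int main(int argc, char *argv[]) {
    (void)argc;
    if (!getenv("LD_BIND_NOW")) {
        reexec_self_bind_now(argv);
        perror("re-exec failed");
        return 1;
    }
    printf("re-executed with LD_BIND_NOW set; argv[0] names this image: %d\n",
           path_is_running_image(argv[0]));
    return 0;
}
```

Linking with immediate binding, so that no re-exec is needed at all, removes the window entirely; the descriptor-based form only applies where a re-exec cannot be avoided.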
---BeginMessage---
Source: pulseaudio
Source-Version: 0.9.15-4.1

We believe that the bug you reported is fixed in the latest version of
pulseaudio, which is due to be installed in the Debian FTP archive:

libpulse-browse0-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-browse0-dbg_0.9.15-4.1_amd64.deb
libpulse-browse0_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-browse0_0.9.15-4.1_amd64.deb
libpulse-dev_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-dev_0.9.15-4.1_amd64.deb
libpulse-mainloop-glib0-dbg_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-mainloop-glib0-dbg_0.9.15-4.1_amd64.deb
libpulse-mainloop-glib0_0.9.15-4.1_amd64.deb
  to pool/main/p/pulseaudio/libpulse-mainloop-glib0_0.9.15-4.1_amd64.deb
libpulse0-dbg_0.9.15-4.1_amd64.deb
  

[Pkg-pulseaudio-devel] Bug#537351: Bug#537351: intent to NMU

2009-07-24 Thread Sjoerd Simons
On Fri, Jul 24, 2009 at 06:23:40PM +0200, Nico Golde wrote:
> Hi,
> I intend to upload a 0-day NMU for this bug.
> 
> Patch on 
> http://people.debian.org/~nion/nmu-diff/pulseaudio-0.9.15-4_0.9.15-4.1.patch

Thanks! I'll pull this into the packaging repository asap

Sjoerd
-- 
Ma Bell is a mean mother!


