Insecure temporary file creation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pulseaudio (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
Binary package hint: pulseaudio
Because of the way it creates temporary folders, Pulseaudio may be exploited to create denial-of-service conditions or possibly disclose sensitive information to unprivileged users. This behavior has been confirmed in pulseaudio 0.9.19 on Ubuntu Karmic (package version 1:0.9.19-0ubuntu4).
On launching, Pulseaudio creates a temporary folder and opens a Unix socket within that folder. The folder is named in a predictable way: "/tmp/.esd-[uid]", where [uid] is the ID of the user executing the pulseaudio process. After creating this temporary folder (or if the folder already exists), the folder is chown()'d to the UID and GID of the user executing the process, and subsequently chmod()'d to 0700 (if not running in "system mode") or 0755 (if running in "system mode"). The relevant code can be found in the pa_make_
Because Pulseaudio performs the chown() and chmod() calls regardless of whether or not the directory already exists, and fails to check for symbolic links, an unprivileged user can perform an attack as follows. If the root user does not have a temporary directory (which is especially plausible if /tmp is cleared periodically), an attacker could create a symbolic link named /tmp/.esd-0 pointing to an arbitrary file or folder on the system. The next time the root user launches pulseaudio, the file or folder pointed to by this symbolic link will be chown()'d to root and chmod()'d appropriately. Alternately, if an attacker rapidly alternates the symlink to point to two different files, one file may be chown()'d and the other chmod()'d. If running in "system mode", this could result in information disclosure of sensitive files. Otherwise, this could be used to create denial-of-service conditions, for example by removing access to important system utilities, changing permissions of users' files, removing setuid bits on setuid applications, and so on. An attacker could also target a non-privileged user, changing permissions on their files, which would most likely just be an annoyance, but could also cause denial-of-service conditions if applications (such as sshd) require certain permissions on files.
This vulnerability can be resolved by aborting the chown() and chmod() operations if a symbolic link is detected. I wouldn't describe this vulnerability's impact as particularly high, especially since Ubuntu by default does not encourage the existence of a root user, but I think it's something worth addressing.
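A hardened version of the directory setup the report describes, written here as an added example (it is not pulseaudio's own code): create the directory, then open it with O_NOFOLLOW|O_DIRECTORY and apply the ownership and permission changes through that descriptor, so a symlink planted at the path is refused and the path cannot be swapped between the check and the chmod(). The function name and signature are assumed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hardened replacement for the mkdir()/chown()/chmod()
 * sequence described in the report. Returns 0 when `path` is a real
 * directory owned by uid:gid with permission bits `mode`, -1 otherwise.
 * A symlink at `path` is never followed and never changes the target. */
int make_secure_dir(const char *path, mode_t mode, uid_t uid, gid_t gid) {
    struct stat st;

    /* Create the directory; an existing entry is checked below, not trusted. */
    if (mkdir(path, mode) < 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW fails with ELOOP on a symlink at the final component and
     * O_DIRECTORY fails on anything that is not a directory. Every later
     * check and change goes through this fd, so swapping the path between
     * the check and the chmod() cannot redirect the operations. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode))
        goto fail;

    /* Only touch ownership/permissions of the directory we actually hold. */
    if ((st.st_uid != uid || st.st_gid != gid) && fchown(fd, uid, gid) < 0)
        goto fail;
    if ((st.st_mode & 07777) != mode && fchmod(fd, mode) < 0)
        goto fail;

    /* Re-check through the same fd: refuse a directory that still has the
     * wrong owner or mode rather than placing a socket into it. */
    if (fstat(fd, &st) < 0 || st.st_uid != uid || (st.st_mode & 07777) != mode)
        goto fail;

    close(fd);
    return 0;
fail:
    close(fd);
    return -1;
}
```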
Changed in pulseaudio (Ubuntu):
status: New → Confirmed
importance: Undecided → Low

Changed in pulseaudio (Ubuntu):
status: Confirmed → Triaged
visibility: private → public
tags: added: patch
tags: added: patch-needs-work; removed: patch
Hi! Thanks for this report. Yes, it seems that PA is not correctly creating this directory. Luckily, root doesn't start pulseaudio normally, but this is still a problem. I'll investigate further and get back to you.