CVE-2007-1804 - OpenCVE

PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pulseaudio	Pulseaudio

Configuration 1 [-]

cpe:2.3:a:pulseaudio:pulseaudio:0.9.5:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://aluigi.altervista.org/adv/pulsex-adv.txt
http://aluigi.org/poc/pulsex.zip
http://secunia.com/advisories/25431
http://secunia.com/advisories/25787
http://www.mandriva.com/security/advisories?name=MDVSA-2008:065
http://www.novell.com/linux/security/advisories/2007_13_sr.html
http://www.securityfocus.com/bid/23240
http://www.ubuntu.com/usn/usn-465-1
http://www.vupen.com/english/advisories/2007/1214
https://exchange.xforce.ibmcloud.com/vulnerabilities/33315

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-04-02T23:00:00

Updated: 2024-08-07T13:06:26.441Z

Reserved: 2007-04-02T00:00:00

Link: CVE-2007-1804

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-04-02T23:19:00.000

Modified: 2017-07-29T01:31:00.470

Link: CVE-2007-1804

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-03-29T00:00:00", "descriptions": [{"lang": "en", "value": "PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "25431", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25431"}, {"name": "MDVSA-2008:065", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:065"}, {"name": "ADV-2007-1214", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/1214"}, {"tags": ["x_refsource_MISC"], "url": "http://aluigi.altervista.org/adv/pulsex-adv.txt"}, {"name": "pulseaudio-assert-dos(33315)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33315"}, {"name": "SUSE-SR:2007:013", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://www.novell.com/linux/security/advisories/2007_13_sr.html"}, {"name": "23240", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/23240"}, {"name": "USN-465-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/usn-465-1"}, {"tags": ["x_refsource_MISC"], "url": "http://aluigi.org/poc/pulsex.zip"}, {"name": "25787", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25787"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1804", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "25431", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25431"}, {"name": "MDVSA-2008:065", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:065"}, {"name": "ADV-2007-1214", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/1214"}, {"name": "http://aluigi.altervista.org/adv/pulsex-adv.txt", "refsource": "MISC", "url": "http://aluigi.altervista.org/adv/pulsex-adv.txt"}, {"name": "pulseaudio-assert-dos(33315)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33315"}, {"name": "SUSE-SR:2007:013", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_13_sr.html"}, {"name": "23240", "refsource": "BID", "url": "http://www.securityfocus.com/bid/23240"}, {"name": "USN-465-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/usn-465-1"}, {"name": "http://aluigi.org/poc/pulsex.zip", "refsource": "MISC", "url": "http://aluigi.org/poc/pulsex.zip"}, {"name": "25787", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25787"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T13:06:26.441Z"}, "title": "CVE Program Container", "references": [{"name": "25431", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25431"}, {"name": "MDVSA-2008:065", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:065"}, {"name": "ADV-2007-1214", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/1214"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://aluigi.altervista.org/adv/pulsex-adv.txt"}, {"name": "pulseaudio-assert-dos(33315)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33315"}, {"name": "SUSE-SR:2007:013", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://www.novell.com/linux/security/advisories/2007_13_sr.html"}, {"name": "23240", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/23240"}, {"name": "USN-465-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/usn-465-1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://aluigi.org/poc/pulsex.zip"}, {"name": "25787", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25787"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1804", "datePublished": "2007-04-02T23:00:00", "dateReserved": "2007-04-02T00:00:00", "dateUpdated": "2024-08-07T13:06:26.441Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pulseaudio:pulseaudio:0.9.5:*:*:*:*:*:*:*", "matchCriteriaId": "C541CE27-6036-429D-8FCE-6BC7562A925B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file."}, {"lang": "es", "value": "PulseAudio 0.9.5 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda del demonio) mediante (1) un valor PA_PSTREAM_DESCRIPTOR_LENGTH de FRAME_SIZE_MAX_ALLOW enviado al puerto TCP 9875, que dispara un fallo de aserci\u00f3n p->exportar en do_read; (2) un valor PA_PSTREAM_DESCRIPTOR_LENGTH de 0 enviado al puerto TCP 9875, lo cual dispara un fallo de aserci\u00f3n de longitud en pa_memblock_new; o (3) un paquete UDP vac\u00edo al puerto 9875, lo cual dispara un fallo de aserci\u00f3n t en pa_sdp_parse; y permite a usuarios autenticados remotamente provocar una denegaci\u00f3n de servicio (ca\u00edda del demonio) mediante un paquete manipulado al puerto TCP 9875 que dispara un fallo de aserci\u00f3n de longitud m\u00e1xima (maxlength) en pa_memblockq_new, (5) dispara un fallo de aserci\u00f3n de tama\u00f1o en pa_xmalloc, o (6) reproduce un determinado archivo de sonido."}], "id": "CVE-2007-1804", "lastModified": "2017-07-29T01:31:00.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-04-02T23:19:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://aluigi.altervista.org/adv/pulsex-adv.txt"}, {"source": "cve@mitre.org", "url": "http://aluigi.org/poc/pulsex.zip"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/25431"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/25787"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:065"}, {"source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_13_sr.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/23240"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/usn-465-1"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/1214"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33315"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}