ID

VAR-202011-0279


CVE

CVE-2020-15710


TITLE

Double release vulnerability in PulseAudio

Trust: 0.8

sources: JVNDB: JVNDB-2020-013629

DESCRIPTION

Potential double free in Bluez 5 module of PulseAudio could allow a local attacker to leak memory or crash the program. The modargs variable may be freed twice in the fail condition in src/modules/bluetooth/module-bluez5-device.c and src/modules/bluetooth/module-bluez5-device.c. Fixed in 1:8.0-0ubuntu3.14. PulseAudio contains a double release vulnerability. Information may be obtained, and a denial of service (DoS) state may result.

==========================================================================
Ubuntu Security Notice USN-4519-1
September 17, 2020

pulseaudio vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

PulseAudio could be made to crash or run programs as your login if it received specially crafted input.

Software Description:

- pulseaudio: PulseAudio sound server

Details:

Ratchanan Srirattanamet discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle memory under certain error conditions in the Bluez 5 module. An attacker could use this issue to cause PulseAudio to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-15710)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
  libpulse-mainloop-glib0 1:8.0-0ubuntu3.14
  libpulse0 1:8.0-0ubuntu3.14
  pulseaudio 1:8.0-0ubuntu3.14
  pulseaudio-module-bluetooth 1:8.0-0ubuntu3.14
  pulseaudio-utils 1:8.0-0ubuntu3.14

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/4519-1
  CVE-2020-15710

Package Information:
  https://launchpad.net/ubuntu/+source/pulseaudio/1:8.0-0ubuntu3.14

Trust: 1.71

sources: NVD: CVE-2020-15710 // JVNDB: JVNDB-2020-013629 // PACKETSTORM: 159224

IOT TAXONOMY

category: ['other device'] // sub_category: general

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.4

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu2

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.9

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.8

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.11

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu4

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu1

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.6

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.10

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.2

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.12

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.7

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.5

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.3

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1\:8.0-0ubuntu3.1

Trust: 1.0

vendor: pulseaudio // model: pulseaudio // scope: eq // version: -

Trust: 0.8

vendor: pulseaudio // model: pulseaudio // scope: eq // version: 1:8.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-013629 // NVD: CVE-2020-15710

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-15710
value: MEDIUM

Trust: 1.0

security@ubuntu.com: CVE-2020-15710
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-15710
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202009-1179
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2020-15710
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2020-15710
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 4.2
version: 3.1

Trust: 1.0

security@ubuntu.com: CVE-2020-15710
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 4.2
version: 3.1

Trust: 1.0

NVD: CVE-2020-15710
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-013629 // CNNVD: CNNVD-202009-1179 // NVD: CVE-2020-15710 // NVD: CVE-2020-15710

PROBLEMTYPE DATA

problemtype:CWE-415

Trust: 1.0

problemtype: Double release (CWE-415) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-013629 // NVD: CVE-2020-15710

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202009-1179

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202009-1179

PATCH

title: Top Page // url: https://www.freedesktop.org/wiki/Software/PulseAudio/

Trust: 0.8

sources: JVNDB: JVNDB-2020-013629

EXTERNAL IDS

db: NVD // id: CVE-2020-15710

Trust: 2.6

db: JVNDB // id: JVNDB-2020-013629

Trust: 0.8

db: PACKETSTORM // id: 159224

Trust: 0.7

db: AUSCERT // id: ESB-2020.3205

Trust: 0.6

db: CNNVD // id: CNNVD-202009-1179

Trust: 0.6

db: OTHER // id: NONE

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-013629 // PACKETSTORM: 159224 // CNNVD: CNNVD-202009-1179 // NVD: CVE-2020-15710

REFERENCES

url:https://launchpad.net/bugs/1884738

Trust: 2.4

url:https://ubuntu.com/usn-4519-1

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-15710

Trust: 1.5

url:https://www.auscert.org.au/bulletins/esb-2020.3205/

Trust: 0.6

url:https://vigilance.fr/vulnerability/pulseaudio-memory-corruption-via-bluez-5-module-33362

Trust: 0.6

url:https://packetstormsecurity.com/files/159224/ubuntu-security-notice-usn-4519-1.html

Trust: 0.6

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:https://usn.ubuntu.com/4519-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/pulseaudio/1:8.0-0ubuntu3.14

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-013629 // PACKETSTORM: 159224 // CNNVD: CNNVD-202009-1179 // NVD: CVE-2020-15710

CREDITS

Ubuntu

Trust: 0.7

sources: PACKETSTORM: 159224 // CNNVD: CNNVD-202009-1179

SOURCES

db: OTHER // id: -
db: JVNDB // id: JVNDB-2020-013629
db: PACKETSTORM // id: 159224
db: CNNVD // id: CNNVD-202009-1179
db: NVD // id: CVE-2020-15710

LAST UPDATE DATE

2025-01-30T22:09:20.295000+00:00


SOURCES UPDATE DATE

db: JVNDB // id: JVNDB-2020-013629 // date: 2021-07-08T08:28:00
db: CNNVD // id: CNNVD-202009-1179 // date: 2020-12-02T00:00:00
db: NVD // id: CVE-2020-15710 // date: 2024-11-21T05:06:04.507

SOURCES RELEASE DATE

db: JVNDB // id: JVNDB-2020-013629 // date: 2021-07-08T00:00:00
db: PACKETSTORM // id: 159224 // date: 2020-09-18T17:15:44
db: CNNVD // id: CNNVD-202009-1179 // date: 2020-09-18T00:00:00
db: NVD // id: CVE-2020-15710 // date: 2020-11-19T03:15:12.490