CVE-2023-47480: unchecked return values of set*id() family functions in Puredata

Puredata does not check the return values of the set*id() family of functions, leading to potential privilege escalation.

Timeline

  • 24/07/2023: Puredata maintainers contacted
  • 25/07/2023: Maintainers first response
  • 23/11/2023: Patch issued by maintainers
  • 20/09/2024: CVE-2023-47480 published

Pure Data

Pure Data (or just “Pd”) is an open source visual programming language for multimedia. Pure Data has been developed by Miller Puckette since 1996 and you can find it on his official website.

This is yet another occurrence of not checking security-related functions that I have been working on. See below for further explanations:

The security impact is quite moderate, as it is not easy to trigger a setuid() failure and Pure Data is not a widely used program on Linux distributions.

It has been fixed by Umläute and the decision taken was to abort execution if the setuid() call fails.

References