The pa_make_secure_dir function in core-util.c in PulseAudio 0.9.10 and 0.9.19 allows local users to change the ownership and permissions of arbitrary files via a symlink attack on a /tmp/.esd-##### temporary file.
So what happens? well first touch /home/$user$/test.txt, then make a symlink in the tmp dir called .esd-0 "0 is the uid for root" to /home/$user$/test.txt. now sudo su and run pulseaudio. exit your root shell and check out /home/$user$/test.txt and you will see its ownership has changed from the user you created it under to root:root.
The worst you could do with this little guy is DoS the server and maybe have a little fun :D