2260027 – (CVE-2022-4964) CVE-2022-4964 pipewire: grants microphone access even when the snap interface for audio-record

Bug 2260027 (CVE-2022-4964) - CVE-2022-4964 pipewire: grants microphone access even when the snap interface for audio-record

Summary: CVE-2022-4964 pipewire: grants microphone access even when the snap interface...

Keywords:
Status:	NEW
Alias:	CVE-2022-4964
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2260028 2260029
Blocks:	2260030
TreeView+	depends on / blocked

Reported:	2024-01-24 07:11 UTC by Rohit Keshri
Modified:	2024-01-26 15:24 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-01-24 07:11:56 UTC

Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set.

https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4964
https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779
https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567

Comment 1 Rohit Keshri 2024-01-24 07:13:53 UTC

Created pipewire tracking bugs for this issue:

Affects: fedora-all [bug 2260028]


Created pipewire0.2 tracking bugs for this issue:

Affects: fedora-all [bug 2260029]

Comment 3 Sandipan Roy 2024-01-25 04:22:51 UTC

This issue does not impact any Red Hat products since snapd is neither supported nor shipped in RHEL (Red Hat Enterprise Linux).

Note You need to log in before you can comment on or make changes to this bug.