Bug 1213682

Summary: VUL-0: pipewire: an app which only has permission to access one stream can also access other streams
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: rfrohl
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373459/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2023-07-26 13:02:21 UTC
Due to a lack of permission check, an app which only has permission to access one stream can access another. For instance, an app without camera access might be able to access it.

References:
https://gitlab.freedesktop.org/pipewire/wireplumber/-/issues/218
https://gitlab.freedesktop.org/wtaymans/pipewire/-/commit/0a214bf6b32ae72ec8b88d8446dde8b2f18a2852

Comment 1 Gianluca Gabrielli 2023-07-26 13:06:54 UTC
Please submit the fix for the following affected packages:

 - openSUSE:Factory/pipewire
 - SUSE:ALP:Source:Standard:1.0/pipewire
 - SUSE:SLE-15-SP4:Update/pipewire
 - SUSE:SLE-15-SP5:Update/pipewire
 - SUSE:SLE-15-SP3:Update/pipewire
 - SUSE:SLE-15-SP2:Update/pipewire

Upstream patch: https://gitlab.freedesktop.org/wtaymans/pipewire/-/commit/0a214bf6b32ae72ec8b88d8446dde8b2f18a2852

Comment 2 Antonio Larrosa 2023-07-26 16:13:23 UTC
I've submitted the fix for SLE-15-SP5 and tomorrow I'll check whether SP2/SP3/SP4/ALP are affected and fix them too. The fix was already submitted to Factory in 0.3.75 (it's currently in Staging:L) but I'll update the changelog to include the references to this issue and the related CVE when it's available.

Comment 6 Maintenance Automation 2023-08-01 12:30:12 UTC
SUSE-SU-2023:3097-1: An update that has one fix can now be installed.

Category: security (moderate)
Bug References: 1213682
Sources used:
openSUSE Leap 15.4 (src): pipewire-0.3.6-150200.3.9.1
SUSE Package Hub 15 15-SP4 (src): pipewire-0.3.6-150200.3.9.1
SUSE Package Hub 15 15-SP5 (src): pipewire-0.3.6-150200.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Maintenance Automation 2023-08-03 20:30:05 UTC
SUSE-SU-2023:3185-1: An update that has one fix can now be installed.

Category: security (moderate)
Bug References: 1213682
Sources used:
openSUSE Leap 15.4 (src): pipewire-0.3.24-150300.4.6.1

Comment 8 Maintenance Automation 2023-08-09 12:30:01 UTC
SUSE-SU-2023:3257-1: An update that has one fix can now be installed.

Category: security (moderate)
Bug References: 1213682
Sources used:
openSUSE Leap 15.5 (src): pipewire-0.3.64-150500.3.3.1
Desktop Applications Module 15-SP5 (src): pipewire-0.3.64-150500.3.3.1
SUSE Package Hub 15 15-SP5 (src): pipewire-0.3.64-150500.3.3.1

Comment 9 Maintenance Automation 2023-08-09 12:30:03 UTC
SUSE-SU-2023:3256-1: An update that has one fix can now be installed.

Category: security (moderate)
Bug References: 1213682
Sources used:
openSUSE Leap 15.4 (src): pipewire-0.3.49-150400.3.3.1
Desktop Applications Module 15-SP4 (src): pipewire-0.3.49-150400.3.3.1
SUSE Package Hub 15 15-SP4 (src): pipewire-0.3.49-150400.3.3.1

Comment 10 Robert Frohl 2024-05-22 20:23:29 UTC
done, closing