Bug 1219138 (CVE-2022-4964)

Summary:	VUL-0: CVE-2022-4964: pipewire: microphone access is allowed via pipewire-pulse module on snap application even when the snap interface for audio-record is not set
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Antonio Larrosa <alarrosa>
Status:	RESOLVED WONTFIX	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	andrea.mattiazzo, gnome-bugs, meissner, xiaoguang.wang, yfjiang
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/392074/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-4964:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-01-24 11:41:12 UTC

Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4964
https://www.cve.org/CVERecord?id=CVE-2022-4964
https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/
https://bugzilla.redhat.com/show_bug.cgi?id=2260027

Patch:
https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779

Comment 1 Andrea Mattiazzo 2024-01-24 11:44:41 UTC

Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/pipewire        
- SUSE:SLE-15-SP3:Update/pipewire
- SUSE:SLE-15-SP4:Update/pipewire              
- SUSE:SLE-15-SP5:Update/pipewire              
- openSUSE:Factory/pipewire

Comment 4 Antonio Larrosa 2024-01-31 09:46:23 UTC

This doesn't affect SLE nor openSUSE products since we don't support snap.

Comment 5 Andrea Mattiazzo 2024-01-31 11:34:03 UTC

Ok, will close it as unaffected.