An Ubuntu-specific modification to Pulseaudio that provides security mediation
for Snap-packaged applications was found to have a bypass of the intended
access restriction for snaps which plug any of pulseaudio, audio-playback
or audio-record, via unloading the pulseaudio snap policy module. This issue
affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1
versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to
1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2.
jdstrand: semi-public on 2020-04-16
the snap policy module is not included upstream and currently only
exists in Ubuntu. This module was added in 1:12.2-0ubuntu2 in 18.10.
pulseaudio 1:8.0-0ubuntu3.11 on 16.04 LTS added enforcing mediation
pulseaudio 1:11.1-1ubuntu7.5 on 18.04 LTS added enforcing mediation
initial CVSS calculation: attackVector: local, attackComplexity: low,
privilegesRequired: low, userInteraction: none, scope: unchanged,
confidentialityImpact: low, integrityImpact: none, availabilityImpact: none
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (1:8.0-0ubuntu3.12)
Ubuntu 18.04 LTS (Bionic Beaver): released (1:11.1-1ubuntu7.7)
Ubuntu 19.10 (Eoan Ermine): released (1:13.0-1ubuntu1.2)
Ubuntu 20.04 LTS (Focal Fossa): released (1:13.99.1-1ubuntu3.2)
Ubuntu 20.10 (Groovy Gorilla): pending (1:13.99.1-1ubuntu5)
Updated: 2020-05-29 19:14:47 UTC (commit 2d0d387aa141e969cc1ddbb230ab2faa3ee568d5)