CVE-2020-11931

Published: 16 April 2020

An Ubuntu-specific modification to Pulseaudio that provides security mediation for Snap-packaged applications was found to have a bypass of the intended access restriction: a snap which plugs any of pulseaudio, audio-playback or audio-record can bypass the restriction by unloading the pulseaudio snap policy module. This issue affects pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; and 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2.

Priority

Medium

CVSS 3 base score: 3.3

Status

Package: pulseaudio (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Not vulnerable
Ubuntu 20.04 LTS (Focal Fossa): Released (1:13.99.1-1ubuntu3.2)
Ubuntu 18.04 LTS (Bionic Beaver): Released (1:11.1-1ubuntu7.7)
Ubuntu 16.04 ESM (Xenial Xerus): Released (1:8.0-0ubuntu3.12)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Notes

Author: jdstrand

Note:
semi-public on 2020-04-16
the snap policy module is not included upstream and currently only
exists in Ubuntu. This module was added in 1:12.2-0ubuntu2 in 18.10.
pulseaudio 1:8.0-0ubuntu3.11 on 16.04 LTS added enforcing mediation
pulseaudio 1:11.1-1ubuntu7.5 on 18.04 LTS added enforcing mediation
initial CVSS calculation: attackVector: local, attackComplexity: low,
privilegesRequired: low, userInteraction: none, scope: unchanged,
confidentialityImpact: low, integrityImpact: none, availabilityImpact: none
