• PulseAudio vulnerability

    From bugz_ubuntu@21:4/110 to Ubuntu Users on Tue May 12 20:10:04 2020
    pulseaudio vulnerability

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 20.04 LTS
    * Ubuntu 19.10
    * Ubuntu 18.04 LTS
    * Ubuntu 16.04 LTS

    Summary

    PulseAudio could allow unintended access to snap packages.

    Software Description

    * pulseaudio - PulseAudio sound server

    Details

    PulseAudio in Ubuntu contains additional functionality to mediate
    audio recording for snap packages and it was discovered that this
    functionality did not mediate PulseAudio module unloading. An
    attacker-controlled snap with only the audio-playback interface
    connected could exploit this to bypass access controls and record
    audio.

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 20.04 LTS
    pulseaudio - 1:13.99.1-1ubuntu3.2

    Ubuntu 19.10
    pulseaudio - 1:13.0-1ubuntu1.2

    Ubuntu 18.04 LTS
    pulseaudio - 1:11.1-1ubuntu7.7

    Ubuntu 16.04 LTS
    pulseaudio - 1:8.0-0ubuntu3.12

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    After a standard system update you need to restart your session to
    make all the necessary changes.

    References

    * CVE-2020-11931
    * LP: 1877102

    --- Mystic BBS v1.12 A45 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)
  • From bugz_ubuntu@21:4/110 to Ubuntu Users on Fri Sep 18 00:10:04 2020
    pulseaudio vulnerability

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 16.04 LTS

    Summary

    PulseAudio could be made to crash or run programs as your login if
    it received specially crafted input.

    Software Description

    * pulseaudio - PulseAudio sound server

    Details

    Ratchanan Srirattanamet discovered that an Ubuntu-specific patch
    caused PulseAudio to incorrectly handle memory under certain error
    conditions in the Bluez 5 module. An attacker could use this issue
    to cause PulseAudio to crash, resulting in a denial of service, or
    possibly execute arbitrary code. (CVE-2020-15710)

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 16.04 LTS
    libpulse-mainloop-glib0 - 1:8.0-0ubuntu3.14
    libpulse0 - 1:8.0-0ubuntu3.14
    pulseaudio - 1:8.0-0ubuntu3.14
    pulseaudio-module-bluetooth - 1:8.0-0ubuntu3.14
    pulseaudio-utils - 1:8.0-0ubuntu3.14

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    In general, a standard system update will make all the necessary
    changes.

    References

    * CVE-2020-15710

    --- Mystic BBS v1.12 A46 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)