James Henstridge

**Name of the Vulnerable Software and Affected Versions** provd versions prior to 0.1.5 **Description** An issue was discovered in provd with a setuid binary, which allows a local attacker to escalate their privilege. **Recommendations** For versions prior to 0.1.5, update to version 0.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the setuid binary to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** pipewire-pulse in Ubuntu snap (affected versions not specified) **Description** The issue concerns the pipewire-pulse in Ubuntu snap, which grants microphone access even when the snap interface for audio-record is not set. This could potentially allow unauthorized access to the microphone. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PulseAudio versions 1:13.99.3-1ubuntu2, 1:13.99.2-1ubuntu2.1, 1:13.99.1-1ubuntu3.8, 1:11.1-1ubuntu7.11, and 1:8.0-0ubuntu3.15 **Description** An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if `SCM CREDENTIALS` were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by an attacker to expose sensitive information. **Recommendations** For version 1:13.99.3-1ubuntu2, update to this version or later to fix the issue. For version 1:13.99.2-1ubuntu2.1, update to this version or later to fix the issue. For version 1:13.99.1-1ubuntu3.8, update to this version or later to fix the issue. For version 1:11.1-1ubuntu7.11, update to this version or later to fix the issue. For version 1:8.0-0ubuntu3.15, update to this version or later to fix the issue.

**Name of the Vulnerable Software and Affected Versions** snapd versions prior to 2.45.1ubuntu0.2 snapd versions prior to 2.45.1+18.04.2 snapd versions prior to 2.45.1+20.04.2 **Description** It was discovered that `snapctl user-open` allowed altering the `$XDG DATA DIRS` environment variable when calling the system `xdg-open`. The `OpenURL()` function in `usersession/userd/launcher.go` would alter `$XDG DATA DIRS` to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system `xdg-open` script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. **Recommendations** For versions prior to 2.45.1ubuntu0.2, update to version 2.45.1ubuntu0.2 or later. For versions prior to 2.45.1+18.04.2, update to version 2.45.1+18.04.2 or later. For versions prior to 2.45.1+20.04.2, update to version 2.45.1+20.04.2 or later.

**Name of the Vulnerable Software and Affected Versions** pulseaudio versions 1:8.0 through 1:8.0-0ubuntu3.11 pulseaudio versions 1:11.1 through 1:11.1-1ubuntu7.6 pulseaudio versions 1:13.0 through 1:13.0-1ubuntu1.1 pulseaudio versions 1:13.99.1 through 1:13.99.1-1ubuntu3.1 **Description** The issue is related to an Ubuntu-specific modification to Pulseaudio, which provides security mediation for Snap-packaged applications. It was found that there is a bypass of intended access restriction for snaps that plug any of pulseaudio, audio-playback, or audio-record via unloading the pulseaudio snap policy module. **Recommendations** For pulseaudio versions 1:8.0 through 1:8.0-0ubuntu3.11, update to version 1:8.0-0ubuntu3.12 or later. For pulseaudio versions 1:11.1 through 1:11.1-1ubuntu7.6, update to version 1:11.1-1ubuntu7.7 or later. For pulseaudio versions 1:13.0 through 1:13.0-1ubuntu1.1, update to version 1:13.0-1ubuntu1.2 or later. For pulseaudio versions 1:13.99.1 through 1:13.99.1-1ubuntu3.1, update to version 1:13.99.1-1ubuntu3.2 or later.