| Name | CVE-2022-4964 |
| Description | Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| pipewire (PTS) | buster | 0.2.5-1 | vulnerable |
| bullseye | 0.3.19-4 | vulnerable |
| bookworm | 0.3.65-3+deb12u1 | vulnerable |
| sid, trixie | 1.0.5-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| pipewire | source | (unstable) | 1.0.2-1 | unimportant | | |
Notes
https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/
https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/d568dcd64f64454289e1f35ed07a11749f95b04e
In Debian pipewire is not built with snap support until 1.0.2-1 (including at same time the fix
for CVE-2022-4964; earlier versions did not include snap feature support)