[Call for testing] Announcing out-of-schedule Ubuntu Touch 20.04 OTA-7
-
We're going to release Ubuntu Touch 20.04 OTA-7 earlier than scheduled to fix a number of security issues affecting Pulseaudio, our audio server. One of the issues affects the privacy of Ubuntu Touch users, and thus we've decided to release an out-of-schedule update.
The issues are as follows:
- Confined applications can remove the Trust Store permission system module from Pulseaudio, allowing such applications to access the phone's microphone without the user knowing, amongst a number of privileged actions.
- Confined applications are able to crash Pulseaudio by performing a volume control on a specific virtual device when a Bluetooth headset is connected.
Both of the issues are specific to the way Ubuntu Touch patches and uses Pulseaudio. However, the second issue has the potential to affect some Ubuntu 16.04 installations running a non-default configuration (newer versions are not affected). As such, we've coordinated with Canonical on the timing before making this announcement.
Due to the way our release pipeline works, Ubuntu Touch 20.04 OTA-7 will also contain a number of fixes which are not related to the aforementioned issues. Thus, we'll release an RC for 20.04 OTA-7 in the upcoming days and we'll announce a call-for-testing. We plan to release Ubuntu Touch 20.04 OTA-7 on Friday 29 November 2024.
Updated: Ubuntu Touch 20.04 OTA-7 RC is out, which should have version 2024-W47. Please take some time to switch your spare/development phone to the 20.04 RC channel and test this OTA.
-
-
@peat_psuwit Hello and thank you for this information. In concrete terms, the risk would concern fraudulent applications that would use the microphone? Has the case already been seen? Thank you
-
@Kinuk We've not encountered any application trying to exploit this yet. That said, because Pulseaudio (the audio server) doesn't log a successful attempt at loading/unloading modules, should any application try to exploit this, there would be no evidence that we can see. This is one of the reasons we've decided to roll out this update as soon as possible.
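Since the audio server keeps no record of module loading or unloading, one defensive option is to watch its client-side event stream instead. The following is an added example, not part of the original post or of Ubuntu Touch's code; it assumes `pactl` is available on the device and that the permission module is named `module-trust-store` (the thread does not name it), and the sample data is constructed.

```shell
#!/bin/sh
# Added example: flag removal of a watched PulseAudio module.
# WATCHED is an assumed module name; set it to the module you care about.
WATCHED="${WATCHED:-module-trust-store}"

# module_index SNAPSHOT NAME
# SNAPSHOT is the text of `pactl list short modules`
# (tab-separated: index, name, arguments). Prints the index of NAME, if loaded.
module_index() {
    printf '%s\n' "$1" | awk -F '\t' -v name="$2" '$2 == name { print $1; exit }'
}

# scan_events INDEX
# Reads `pactl subscribe` lines on stdin, prints one alert per removal of
# module #INDEX, and returns 1 if at least one removal was seen.
scan_events() {
    awk -v idx="$1" '
        $1 == "Event" && $2 == "\047remove\047" && $4 == "module" && $5 == ("#" idx) {
            print "ALERT: watched module #" idx " was unloaded"
            hit = 1
        }
        END { exit (hit ? 1 : 0) }'
}

# Constructed sample data, so the functions can be exercised offline.
SAMPLE_MODULES="$(printf '7\tmodule-native-protocol-unix\t\t\n23\tmodule-trust-store\t\t\n')"
SAMPLE_EVENTS="Event 'change' on sink #1
Event 'new' on module #31
Event 'remove' on module #23"

# Live use (not executed here):
#   idx=$(module_index "$(pactl list short modules)" "$WATCHED")
#   [ -n "$idx" ] || echo "ALERT: $WATCHED is not loaded"
#   pactl subscribe | scan_events "$idx"
```

Module indexes change whenever a module is loaded again, so the snapshot has to be retaken after each alert.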
-
@peat_psuwit, Ok, thank you for your quick feedback.
-
@peat_psuwit I'm on the Volla 22.
No apparent malfunction.
-
@domubpkm same for me on opo5, thanks for the work!
-
Hmmm... Not sure if this is related or a different bug, but I bought a new BT headset last week (Xiaomi Redmi Buds 6) and I can crash Lomiri while pairing the headset to the phone with approx 50/50 chance
Notes:
- The issue was present before the current OTA7 RC update
- This is on Xiaomi Redmi Note 9 with update from RC 2024-W47
-
@Boldos Then it is unrelated.
-
Device Android 10 - joyeuse - 2024-w47
https://devices.ubuntu-touch.io/device/joyeuse/booting - ok
incoming and outgoing calls - ok
mobile data - ok
sms - ok
bluetooth audio - ok