group.of.nepali.translators team mailing list archive

[Bug 1576699] Re: ubuntu-core-launcher uses incorrect glob, doesn't check for exactly one match

 

This bug was fixed in the package ubuntu-core-launcher - 1.0.28

---------------
ubuntu-core-launcher (1.0.28) yakkety; urgency=medium

  * SECURITY UPDATE: delayed attack snap data theft and privilege escalation
    when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
    - src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
      instead. The glob code both used an improper glob and performed an
      incorrect check due to a typo which allowed a snap named ubuntu-core-...
      to be bind mounted into application runtimes instead of the ubuntu-core
      OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
      so the glob can simply be dropped.
    - CVE-2016-1580
  * debian/usr.bin.ubuntu-core-launcher:
    - only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
      the future
    - add lib32 and libx32 to match setup_snappy_os_mounts()

 -- Jamie Strandboge <jamie@xxxxxxxxxx>  Fri, 29 Apr 2016 11:17:42 -0500

** Changed in: ubuntu-core-launcher (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1576699

Title:
  ubuntu-core-launcher uses incorrect glob, doesn't check for exactly
  one match

Status in ubuntu-core-launcher package in Ubuntu:
  Fix Released
Status in ubuntu-core-launcher source package in Xenial:
  Fix Released
Status in ubuntu-core-launcher source package in Yakkety:
  Fix Released

Bug description:
  A review of ubuntu-core-launcher code has found that
  setup_snappy_os_mounts() uses a glob with a potential for security
  exploit if the attacker can convince a user to install a malicious
  snap having a name starting with "ubuntu-core".

  Due to the glob the launcher may, at random, depending on glob result
  ordering, choose to mount that snap instead of the real ubuntu-core
  snap into the filesystem namespace of all newly started application
  processes.

  The bug is possible due to incorrect glob and due to incorrect size
  check.

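
The selection flaw in the bug description, as an added example that is not code from ubuntu-core-launcher. The pattern "ubuntu-core*", the snap name "ubuntu-core-extras" and all function names are assumptions, since the page does not show the original glob; the array order stands in for glob result ordering.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
/* Assumed loose pattern for illustration; the page does not show the real one. */
#define LOOSE_PATTERN "ubuntu-core*"
#define CORE_SNAP "ubuntu-core"
/* Constructed snap directory listing; array order models glob result order. */
const char *const SNAPS[] = { "ubuntu-core-extras", "ubuntu-core", "hello-world" };
const size_t NSNAPS = sizeof(SNAPS) / sizeof(SNAPS[0]);

/* Count names matching LOOSE_PATTERN and remember the first match. */
static size_t match_loose(const char *const *names, size_t n, const char **first)
{
    size_t hits = 0;
    *first = NULL;
    for (size_t i = 0; i < n; i++)
        if (fnmatch(LOOSE_PATTERN, names[i], 0) == 0 && hits++ == 0)
            *first = names[i];   /* hits is incremented on every match */
    return hits;
}

/* Flawed selection: take the first match, however many there are. */
const char *pick_first_match(const char *const *names, size_t n)
{
    const char *first;
    match_loose(names, n, &first);
    return first;
}

/* Stricter glob use: refuse unless exactly one name matches. */
const char *pick_exactly_one(const char *const *names, size_t n)
{
    const char *first;
    return match_loose(names, n, &first) == 1 ? first : NULL;
}

/* Shape of the 1.0.28 fix: no pattern at all, only the fixed name. */
const char *pick_fixed(const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(names[i], CORE_SNAP) == 0)
            return names[i];
    return NULL;
}
int main(void)
{
    printf("first match: %s, fixed name: %s\n",
           pick_first_match(SNAPS, NSNAPS), pick_fixed(SNAPS, NSNAPS));
    return 0;
}
```

With the constructed listing, the first-match selection returns the lookalike name, the exactly-one check refuses to choose, and the fixed-name lookup returns only "ubuntu-core".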