touch-packages team mailing list archive

Thread
Date

[Bug 1392380] Re: OA gives out all tokens to any app

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Pat McGowan <pat.mcgowan@xxxxxxxxxxxxx>
Date: Thu, 04 Dec 2014 21:48:56 -0000
Reply-to: Bug 1392380 <1392380@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Confirming as this security issue was agreed to be fixed in first update

** Changed in: canonical-devices-system-image
   Importance: Undecided => High

** Changed in: canonical-devices-system-image
       Status: New => Confirmed

** Changed in: canonical-devices-system-image
    Milestone: None => ww51-2014

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to signon in Ubuntu.
https://bugs.launchpad.net/bugs/1392380

Title:
  OA gives out all tokens to any app

Status in the base for Ubuntu mobile products:
  Confirmed
Status in signon package in Ubuntu:
  Fix Released
Status in signon source package in Utopic:
  Confirmed
Status in signon source package in Vivid:
  Fix Released
Status in signon package in Ubuntu RTM:
  In Progress

Bug description:
  The attached app will steal all your tokens. All it takes is the
  "accounts" permission in the apparmor file.

  Here's the code: https://pastebin.canonical.com/120398/

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1392380/+subscriptions