touch-packages team mailing list archive

Thread
Date

[Bug 1456628] Re: DBUS API doesn't prevent confined apps from passing paths to files without access

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Ken VanDine <ken.vandine@xxxxxxxxxxxxx>
Date: Wed, 03 Jun 2015 17:39:56 -0000
Reply-to: Bug 1456628 <1456628@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to content-hub in Ubuntu.
https://bugs.launchpad.net/bugs/1456628

Title:
  DBUS API doesn't prevent confined apps from passing paths to files
  without access

Status in content-hub package in Ubuntu:
  Fix Released
Status in content-hub source package in Vivid:
  New

Bug description:
  The DBUS API only requires a file path for a content item, it doesn't
  actually require the confined app have access to the file to create a
  transfer.  This could allow a malicious application using the DBUS API
  to export file:///etc/passwd which would then send a copy of that file
  to another app.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/content-hub/+bug/1456628/+subscriptions