touch-packages team mailing list archive
Message #82219
[Bug 1456628] Re: DBUS API doesn't prevent confined apps from passing paths to files without access
This bug was fixed in the package content-hub - 0.0+15.04.20150331-0ubuntu1.0

---------------
content-hub (0.0+15.04.20150331-0ubuntu1.0) vivid-security; urgency=medium

  * SECURITY UPDATE: file disclosure via unchecked AppArmor profile
    (LP: #1456628)
    - debian/patches/lp1456628.patch: Don't allow exporting of files that
      aren't allowed by the source apparmor profile
    - CVE-2015-1327

 -- Ken VanDine <ken.vandine@xxxxxxxxxxxxx>  Mon, 01 Jun 2015 11:17:27 -0400

** Changed in: content-hub (Ubuntu Vivid)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to content-hub in Ubuntu.
https://bugs.launchpad.net/bugs/1456628
Title:
DBUS API doesn't prevent confined apps from passing paths to files
without access
Status in content-hub package in Ubuntu:
Fix Released
Status in content-hub source package in Vivid:
Fix Released
Bug description:
The DBUS API only requires a file path for a content item; it doesn't
actually require the confined app have access to the file to create a
transfer. This could allow a malicious application using the DBUS API
to export file:///etc/passwd which would then send a copy of that file
to another app.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/content-hub/+bug/1456628/+subscriptions
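
The check the bug description calls for, as an added sketch that is not content-hub's patch or code: before a transfer is created, the service normalizes the `file://` URL and asks whether the sender's own confinement allows reading that path. `ReadCheck`, `url_to_path`, `may_export`, `sample_policy`, the sample label and the sample paths are hypothetical; the injected policy function stands in for a query against the sender's AppArmor profile.

```cpp
#include <functional>
#include <sstream>
#include <string>
#include <vector>

// Policy oracle: may the profile `label` read `path`? Assumption: a real
// service would answer this from the D-Bus sender's AppArmor profile.
using ReadCheck = std::function<bool(const std::string& label, const std::string& path)>;

// Turn a file:// URL into a normalized absolute path; "" means rejected.
std::string url_to_path(const std::string& url) {
    const std::string scheme = "file://";
    if (url.compare(0, scheme.size(), scheme) != 0) return "";  // only file URLs
    // Percent-escapes are not decoded in this sketch, so refuse them outright.
    if (url.find('%') != std::string::npos) return "";
    const std::string raw = url.substr(scheme.size());
    if (raw.empty() || raw[0] != '/') return "";  // empty host, absolute path
    std::vector<std::string> parts;
    std::stringstream ss(raw);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    std::string out;
    for (const auto& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Gate for the export call: deny unless the sender's profile allows the read.
// The decision uses the sender's label, never the service's own privileges.
bool may_export(const std::string& sender_label, const std::string& url,
                const ReadCheck& allowed) {
    const std::string path = url_to_path(url);
    return !path.empty() && allowed(sender_label, path);
}

// Constructed stand-in policy: an app may read only below its own data dir.
bool sample_policy(const std::string& label, const std::string& path) {
    const std::string root = "/home/phablet/.local/share/" + label + "/";
    return path.compare(0, root.size(), root) == 0;
}
```

Lexical normalization does not resolve symlinks, so a service should apply the same decision to the file it actually opens.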