touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #82226
[Bug 1456628] Re: DBUS API doesn't prevent confined apps from passing paths to files without access
do we need to poke this into the next image?
** Changed in: canonical-devices-system-image
Status: New => Confirmed
** Changed in: canonical-devices-system-image
Assignee: (unassigned) => Bill Filler (bfiller)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to content-hub in Ubuntu.
https://bugs.launchpad.net/bugs/1456628
Title:
DBUS API doesn't prevent confined apps from passing paths to files
without access
Status in the base for Ubuntu mobile products:
Confirmed
Status in content-hub package in Ubuntu:
In Progress
Status in content-hub source package in Vivid:
Fix Released
Bug description:
The DBUS API only requires a file path for a content item, it doesn't
actually require the confined app have access to the file to create a
transfer. This could allow a malicious application using the DBUS API
to export file:///etc/passwd which would then send a copy of that file
to another app.
To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1456628/+subscriptions