touch-packages team mailing list archive

Thread
Date

[Bug 1456628] Re: DBUS API doesn't prevent confined apps from passing paths to files without access

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Pat McGowan <pat.mcgowan@xxxxxxxxxxxxx>
Date: Wed, 03 Jun 2015 18:43:13 -0000
Reply-to: Bug 1456628 <1456628@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

do we need to poke this into the next image?

** Changed in: canonical-devices-system-image
       Status: New => Confirmed

** Changed in: canonical-devices-system-image
     Assignee: (unassigned) => Bill Filler (bfiller)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to content-hub in Ubuntu.
https://bugs.launchpad.net/bugs/1456628

Title:
  DBUS API doesn't prevent confined apps from passing paths to files
  without access

Status in the base for Ubuntu mobile products:
  Confirmed
Status in content-hub package in Ubuntu:
  In Progress
Status in content-hub source package in Vivid:
  Fix Released

Bug description:
  The DBUS API only requires a file path for a content item, it doesn't
  actually require the confined app have access to the file to create a
  transfer.  This could allow a malicious application using the DBUS API
  to export file:///etc/passwd which would then send a copy of that file
  to another app.

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1456628/+subscriptions