
touch-packages team mailing list archive

[Bug 1456628] Re: DBUS API doesn't prevent confined apps from passing paths to files without access

 

This does not constitute an emergency update and as such it should
follow any other criteria for OTA. It is marked Critical, so it seems a
candidate, but it shouldn't be rushed (i.e., it should follow landing
procedures, QA signoff, etc). I think if the timing is ok with the
release team, targeting OTA-4 is fine, but if it isn't, OTA-5 is ok.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to content-hub in Ubuntu.
https://bugs.launchpad.net/bugs/1456628

Title:
  DBUS API doesn't prevent confined apps from passing paths to files
  without access

Status in the base for Ubuntu mobile products:
  Confirmed
Status in content-hub package in Ubuntu:
  Fix Released
Status in content-hub source package in Vivid:
  Fix Released

Bug description:
  The DBUS API only requires a file path for a content item; it doesn't
  actually require that the confined app have access to the file to create a
  transfer.  This could allow a malicious application using the DBUS API
  to export file:///etc/passwd which would then send a copy of that file
  to another app.
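
One way a service could enforce the check the bug description says is missing, as an added example (not content-hub's code or its released fix): resolve the file:// URL the caller passed and refuse it unless the real path lies inside directories the caller may read. `resolve_export`, `TransferDenied` and `caller_roots` are hypothetical names, and the directory allow-list is an assumed stand-in for the caller's actual confinement policy.

```python
import os
import tempfile
from urllib.parse import urlsplit, unquote


class TransferDenied(Exception):
    """Raised when the caller may not export the requested file."""


def resolve_export(url, caller_roots):
    """Return the real path behind a file:// URL if it lies inside one of the
    directories the calling app may read; raise TransferDenied otherwise.

    caller_roots is a hypothetical stand-in for the caller's confinement
    policy (a real service would query the policy engine instead).
    """
    parts = urlsplit(url)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        raise TransferDenied("only local file:// URLs are accepted")
    # Decode %xx escapes first, then resolve ".." and symlinks, so the
    # check runs on the file that would actually be opened.
    real = os.path.realpath(unquote(parts.path))
    for root in caller_roots:
        root = os.path.realpath(root)
        if os.path.commonpath([real, root]) == root:
            return real
    raise TransferDenied(f"caller has no access to {real}")


def demo():
    """Run constructed requests against a temporary app directory."""
    results = {}
    with tempfile.TemporaryDirectory() as app_dir:
        own = os.path.join(app_dir, "photo.jpg")
        open(own, "w").close()
        link = os.path.join(app_dir, "innocent.txt")
        os.symlink("/etc/passwd", link)  # symlink escaping the app dir
        requests = {
            "own file": "file://" + own,
            "direct": "file:///etc/passwd",
            "traversal": "file://" + app_dir + "/%2e%2e/%2e%2e/etc/passwd",
            "symlink": "file://" + link,
        }
        for name, url in requests.items():
            try:
                resolve_export(url, [app_dir])
                results[name] = "allowed"
            except TransferDenied:
                results[name] = "denied"
    return results
```

A path check like this still leaves a window between the check and the later open; opening the file once and handing on the descriptor closes that window.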
