Using a specially crafted fallback art property, scopes can execute arbitrary QML code in context of unity8-dash
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical System Image | Fix Released | High | Michał Sawicz |
unity8 (Ubuntu) | Fix Released | High | Albert Astals Cid |
Bug Description
In plugins/

```javascript
var fallback = components["art"] && components[
if (fallback !== "") {
code += 'Connections { target: artShapeLoader.item ? artShapeLoader.
}
```
Here components comes from the category renderer template provided by the scope, so fallback is effectively untrusted data.
If a scope sets the fallback image to something like '"; arbitrary qml code here; "' then the dash will execute that code in its context. Given that the dash is unconfined while most scopes are confined, this represents a privilege escalation.
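The injection described above comes from splicing a scope-controlled string into QML source that the dash then compiles. The following is an added illustration, not unity8's CardCreator.js or its fix: `buildFallbackUnsafe` mirrors the concatenation pattern, `buildFallbackSafe` keeps the value a string literal by emitting it with `JSON.stringify`, and `extractFallbackLiteral` checks whether the generated source still holds the value inside exactly one literal. The function names and the QML template are hypothetical.

```javascript
// Added example, not unity8 code. The QML template below is a constructed
// stand-in for the Connections { ... } string that CardCreator.js builds.

// Vulnerable pattern: the untrusted 'fallback' string is pasted verbatim into
// source text, so a value containing an unescaped double quote closes the
// literal and whatever follows is parsed as code in the dash's context.
function buildFallbackUnsafe(fallback) {
  return 'Connections { target: artShape; property string fallback: "' +
         fallback + '" }';
}

// Hardened pattern: JSON.stringify produces a double-quoted literal with every
// quote, backslash and control character escaped. Since ES2019 its output is
// valid JavaScript string-literal syntax, which QML binding expressions use
// (assumption: the QML engine in use accepts that syntax, as Qt's does).
function buildFallbackSafe(fallback) {
  return 'Connections { target: artShape; property string fallback: ' +
         JSON.stringify(fallback) + ' }';
}

// Containment check for the generated source: returns the decoded value when
// the 'fallback' property is exactly one string literal followed by the closing
// brace, and null when the literal boundary has been broken. This is the kind
// of assertion a unit test for a code generator should make.
function extractFallbackLiteral(qmlSource) {
  const m = /property string fallback: ("(?:[^"\\]|\\.)*")\s*\}$/.exec(qmlSource);
  if (!m) return null;
  return JSON.parse(m[1]);
}

// Constructed inputs: a benign image URI and the shape of value the report
// describes (a quote that terminates the literal early).
const BENIGN_FALLBACK = "image://thumbnailer/placeholder.png";
const BREAKOUT_FALLBACK = '"; arbitrary qml code here; "';
```

Escaping keeps the generated text syntactically contained, but the more robust design is to stop building source from data at all and set the value as a property on the created object instead.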
Related branches
- Michał Sawicz: Approve (code)
- Diff: 755 lines (+464/-66), 13 files modified
  - plugins/Dash/CardCreator.js (+34/-30)
  - plugins/Dash/CardCreatorCache.qml (+1/-1)
  - plugins/Dash/listviewwithpageheader.cpp (+18/-9)
  - plugins/Dash/listviewwithpageheader.h (+1/-0)
  - tests/plugins/Dash/cardcreator/10.res (+142/-0)
  - tests/plugins/Dash/cardcreator/10.tst (+2/-1)
  - tests/plugins/Dash/cardcreator/11.res (+217/-0)
  - tests/plugins/Dash/cardcreator/11.tst (+3/-0)
  - tests/plugins/Dash/cardcreator/3.res (+1/-1)
  - tests/plugins/Dash/cardcreator/6.res (+1/-1)
  - tests/plugins/Dash/cardcreatortest.cpp (+21/-22)
  - tests/plugins/Dash/listviewwithpageheadertest.cpp (+23/-0)
  - tests/plugins/Dash/listviewwithpageheadertest.qml (+0/-1)
CVE References
Changed in unity8 (Ubuntu):
- status: New → Triaged
- importance: Undecided → High
- assignee: nobody → Albert Astals Cid (aacid)

Changed in unity8 (Ubuntu):
- status: Triaged → In Progress

Changed in unity8 (Ubuntu):
- status: Fix Released → Triaged

Changed in unity8 (Ubuntu):
- status: In Progress → Fix Released

Changed in canonical-devices-system-image:
- importance: Undecided → Critical
- milestone: none → ww04-2016
- status: New → Fix Committed
- assignee: nobody → Michał Sawicz (saviq)
- importance: Critical → High

Changed in canonical-devices-system-image:
- milestone: ww04-2016 → 9.1

Changed in canonical-devices-system-image:
- status: Fix Committed → Fix Released
- information type: Private Security → Public
This is CVE-2016-1573