DBUS API doesn't prevent confined apps from passing paths to files without access

Bug #1456628 reported by Ken VanDine
Affects                | Status       | Importance | Assigned to | Milestone
Canonical System Image | Fix Released | Critical   | Bill Filler |
content-hub (Ubuntu)   | Fix Released | Critical   | Ken VanDine |
Vivid                  | Fix Released | Critical   | Ken VanDine |

Bug Description

The DBUS API only requires a file path for a content item; it doesn't actually require that the confined app have access to the file to create a transfer. This could allow a malicious application using the DBUS API to export file:///etc/passwd, which would then send a copy of that file to another app.

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1327

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package content-hub - 0.0+15.04.20150331-0ubuntu1.0

---------------
content-hub (0.0+15.04.20150331-0ubuntu1.0) vivid-security; urgency=medium

  * SECURITY UPDATE: file disclosure via unchecked AppArmor profile
    (LP: #1456628)
    - debian/patches/lp1456628.patch: Don't allow exporting of files that
      aren't allowed by the source apparmor profile
    - CVE-2015-1327

 -- Ken VanDine <email address hidden> Mon, 01 Jun 2015 11:17:27 -0400
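
The kind of check the changelog describes (refuse to export a file the source app's own profile does not allow), as an added illustration that is not code from content-hub or its patch. It assumes the source profile can be modelled as a list of AppArmor-style read globs, handling only `*`, `**` and `?`; `aa_glob_to_regex`, `may_export`, `demo` and the sandbox paths are hypothetical names and constructed data.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit, unquote

def aa_glob_to_regex(glob):
    """Translate an AppArmor-style path glob: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out), re.S)

def may_export(url, read_rules):
    """Deputy-side check: may the *source* app read the file this URL names?"""
    parts = urlsplit(url)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return False
    path = unquote(parts.path)          # decode %xx before any comparison
    if "\0" in path or not path.startswith("/"):
        return False
    real = os.path.realpath(path)       # collapse '..' and follow symlinks first
    return any(aa_glob_to_regex(r).fullmatch(real) for r in read_rules)

def demo():
    """Constructed sandbox: one app directory, one file outside it, one symlink."""
    base = os.path.realpath(tempfile.mkdtemp())
    app = os.path.join(base, "app")
    os.mkdir(app)
    secret = os.path.join(base, "secret.txt")
    open(secret, "w").close()
    os.symlink(secret, os.path.join(app, "link"))
    rules = [app + "/**"]               # constructed read rule of the source app
    urls = {
        "own_file": "file://" + app + "/photo.jpg",
        "outside": "file://" + secret,
        "dotdot": "file://" + app + "/../secret.txt",
        "symlink": "file://" + app + "/link",
        "etc_passwd": "file:///etc/passwd",   # the path named in the bug description
    }
    return {name: may_export(u, rules) for name, u in urls.items()}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:10} -> {'export' if allowed else 'refuse'}")
```

A service applying such a check also has to copy the same canonical file it validated (for example by opening it once and passing the descriptor), otherwise the path can change between the check and the transfer.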

Changed in content-hub (Ubuntu):
status: New → Fix Released
information type: Private Security → Public Security
Changed in content-hub (Ubuntu Vivid):
assignee: nobody → Ken VanDine (ken-vandine)
importance: Undecided → Critical
status: New → In Progress
Changed in content-hub (Ubuntu Vivid):
status: In Progress → Fix Released
Changed in content-hub (Ubuntu):
status: Fix Released → In Progress
assignee: nobody → Ken VanDine (ken-vandine)
Bill Filler (bfiller)
Changed in canonical-devices-system-image:
milestone: none → ww24-2015
importance: Undecided → Critical
Pat McGowan (pat-mcgowan) wrote :

Do we need to poke this into the next image?

Changed in canonical-devices-system-image:
assignee: nobody → Bill Filler (bfiller)
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package content-hub - 0.0+15.10.20150603-0ubuntu1

---------------
content-hub (0.0+15.10.20150603-0ubuntu1) wily; urgency=medium

  [ Ken VanDine ]
  * SECURITY UPDATE: file disclosure via unchecked AppArmor profile (LP:
    #1456628) Don't allow exporting of files that aren't allowed by the
    source apparmor profile CVE-2015-1327 (LP: #1456628)

 -- CI Train Bot <email address hidden> Wed, 03 Jun 2015 17:45:36 +0000

Changed in content-hub (Ubuntu):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

This does not constitute an emergency update and as such it should follow any other criteria for OTA. It is marked Critical, so it seems a candidate, but it shouldn't be rushed (i.e., it should follow landing procedures, QA signoff, etc.). I think if the timing is ok with the release team, targeting OTA-4 is fine, but if it isn't, OTA-5 is ok.

Changed in canonical-devices-system-image:
status: Confirmed → Fix Released
milestone: ww24-2015 → ww22-2015
This report contains Public Security information  
Everyone can see this security related information.
