Snap kernel build process installs unauthenticated packages
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
snap-core18 | Fix Released | Undecided | Tyler Hicks | |
Bug Description
With reference to the source code of:
https:/
and
https:/
The xenial link seems to be the snapcraft 'pc-kernel:
Inside these Makefiles, it uses a number of hardcoded http URLs. One is a PPA URL to launchpad, which should be parameterised (I can't hit it from a corporate network), and the other is a parameterised URL hard-coded to use 'http'.
After setting these http endpoints, it then calls 'apt-get update' with ' --allow-
If how I interpret this is correct, this would allow the build to be susceptible to MITM attacks, or mirror or cache tampering.
The parameterised endpoint is `ftpmaster.
CVE References
information type: Private Security → Private
Changed in snap-core18:
status: In Progress → Fix Released
information type: Private → Public Security
Hello Sachi - Thanks for reporting this issue! We agree that the use of the --allow-insecure-repositories and --allow-unauthenticated options is poor form and should not be used in the makefiles for building kernel snaps.
In practice, I think that this would be difficult to attack since the traffic between the builders and launchpad itself should be well controlled. There's obviously no sense in leaving that attack vector open so we'll get it fixed up. As you correctly pointed out, fixing it also benefits end-users that attempt to use the affected makefile target.
Thanks again! We'll be working to fix this issue.
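A build-tree check for the pattern this report describes, as an added example that is not part of the original bug report or of the snap-core18 code: it flags Makefile recipes that pass `--allow-insecure-repositories` or `--allow-unauthenticated` to apt, flags `deb` entries written with `http://`, and reports when both occur together. The sample Makefile text, the `example.invalid` hosts, the `MIRROR_HOST` variable and all function names are constructed for illustration.

```python
import re

# The two apt options named in the report; both relax signature enforcement.
INSECURE_FLAGS = ("--allow-insecure-repositories", "--allow-unauthenticated")
APT_CMD = re.compile(r"\bapt(?:-get)?\s")
# A sources.list entry written with a cleartext http:// URL.
HTTP_SOURCE = re.compile(r"\bdeb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(http://\S+)")

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations folded."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        yield start, " ".join(buf + [line.strip()])
        buf, start = [], None
    if buf:  # file ended on a continuation
        yield start, " ".join(buf)

def audit_makefile(text):
    """Return (line_no, kind, detail) findings for one Makefile's text."""
    findings = []
    for no, line in logical_lines(text):
        code = line.split("#", 1)[0]  # ignore comments
        if APT_CMD.search(code):
            findings += [(no, "no-auth", f) for f in INSECURE_FLAGS if f in code]
        findings += [(no, "http-source", m.group(1))
                     for m in HTTP_SOURCE.finditer(code)]
    return findings

def mitm_exposed(findings):
    """True when cleartext sources and relaxed signature checks coexist."""
    return {"no-auth", "http-source"} <= {kind for _, kind, _ in findings}

# Constructed sample, not the project's Makefile; hosts are placeholders.
SAMPLE = "\n".join([
    "prepare:",
    '\techo "deb http://ppa.example.invalid/ubuntu xenial main" > $(D)/etc/apt/sources.list',
    '\techo "deb http://$(MIRROR_HOST)/ubuntu xenial main" >> $(D)/etc/apt/sources.list',
    "\tchroot $(D) apt-get update \\",
    "\t\t--allow-insecure-repositories",
    "\tchroot $(D) apt-get -y --allow-unauthenticated install linux-image",
])

if __name__ == "__main__":
    print(audit_makefile(SAMPLE), mitm_exposed(audit_makefile(SAMPLE)))
```

An `http://` source on its own is reported but does not trip `mitm_exposed`, because apt still verifies repository signatures unless one of the two flags is present.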