Arbitrary code execution in snapcraft tour

Bug #1634415 reported by Gianni Tedesco on 2016-10-18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Tim Süberkrüb

Bug Description

Snapcraft tour insecurely downloads arbitrary code and executes it.

The source URLs are all HTTP, snapcraft will just download that, untar it, run commands from inside it, build code from it, and put that code in to the snap. So this exposes both the build host and any host the tour snaps may later be installed on, to arbitrary code execution.

While the functionality itself (insecurely downloading code to run) may have some uses, it's probably an unnecessary level or risk to expose every snapcraft newcomer to.

Gianni Tedesco (scara) on 2016-10-19
information type: Private Security → Public Security
Leo Arias (elopio) wrote :

We need to switch all our examples to https.

Changed in snapcraft:
status: New → Confirmed
importance: Undecided → High
tags: added: security
Sergio Schvezov (sergiusens) wrote :
Changed in snapcraft:
status: Confirmed → Fix Committed
assignee: nobody → Tim Süberkrüb (tim-sueberkrueb)
milestone: none → 2.31
Leo Arias (elopio) on 2017-06-02
tags: added: bitesize
Kyle Fazzari (kyrofa) on 2017-06-22
Changed in snapcraft:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers