Arbitrary code execution in snapcraft tour
Bug #1634415 reported by Gianni Tedesco on 2016-10-18
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Snapcraft | | High | Tim Süberkrüb | |
Bug Description
Snapcraft tour insecurely downloads arbitrary code and executes it.
The source URLs are all HTTP; snapcraft will just download that, untar it, run commands from inside it, build code from it, and put that code into the snap. So this exposes both the build host and any host the tour snaps may later be installed on to arbitrary code execution.
While the functionality itself (insecurely downloading code to run) may have some uses, it's probably an unnecessary level of risk to expose every snapcraft newcomer to.
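As an added example (not code from the bug report or from the snapcraft project), a dependency-free check that audits the `parts:` section of a snapcraft.yaml and flags any part whose `source` is fetched over plain HTTP, or over HTTPS without a pinned checksum. It assumes the standard two-space/four-space indentation of a snapcraft.yaml and the `source-checksum` key name; the sample manifest and its URLs are constructed for illustration.

```python
"""Flag snapcraft.yaml parts that fetch build sources over plaintext HTTP.

Added example, not snapcraft's own code. It scans the `parts:` section
line by line instead of using a YAML library so it runs with no
dependencies; the sample manifest below is constructed for illustration.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample in the style of the tour examples (URLs are made up).
SAMPLE_SNAPCRAFT_YAML = """\
name: tour-example
version: '0.1'
parts:
  hello:
    plugin: autotools
    source: http://example.invalid/hello-2.10.tar.gz
  gnu-hello:
    plugin: autotools
    source: https://example.invalid/hello-2.10.tar.gz
    source-checksum: sha256/0123deadbeef
  local-bit:
    plugin: dump
    source: .
"""

PART_RE = re.compile(r"^  (\S+):\s*$")           # two-space indented part name
KEY_RE = re.compile(r"^    ([a-z-]+):\s*(.*)$")   # four-space indented key/value


def audit_sources(manifest: str) -> List[Dict[str, str]]:
    """Return one finding per part with an http:// source, or a remote
    source without a `source-checksum` key (assumed snapcraft key name)."""
    parts: Dict[str, Dict[str, str]] = {}
    in_parts, current = False, None
    for line in manifest.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):               # any top-level key ends `parts:`
            in_parts, current = line.rstrip() == "parts:", None
            continue
        if not in_parts:
            continue
        if m := PART_RE.match(line):
            current = m.group(1)
            parts[current] = {}
        elif current and (m := KEY_RE.match(line)):
            parts[current][m.group(1)] = m.group(2).strip().strip("'\"")
    findings = []
    for name, keys in parts.items():
        src = keys.get("source", "")
        scheme = urlparse(src).scheme
        if scheme == "http":
            findings.append({"part": name, "issue": "plaintext-http", "source": src})
        elif scheme in ("https", "ftp") and "source-checksum" not in keys:
            findings.append({"part": name, "issue": "no-checksum", "source": src})
    return findings
```

Local sources such as `.` are skipped; only fetched sources are reported.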
Gianni Tedesco (scara) on 2016-10-19
information type: Private Security → Public Security
Leo Arias (elopio) wrote: #1
Changed in snapcraft:
status: New → Confirmed
importance: Undecided → High
tags: added: security
Sergio Schvezov (sergiusens) wrote: #2
Changed in snapcraft:
status: Confirmed → Fix Committed
assignee: nobody → Tim Süberkrüb (tim-sueberkrueb)
milestone: none → 2.31
Leo Arias (elopio) on 2017-06-02
tags: added: bitesize
Kyle Fazzari (kyrofa) on 2017-06-22
Changed in snapcraft:
status: Fix Committed → Fix Released
We need to switch all our examples to https.