userd: xdg-open of help URLs no longer works

Bug #1998538 reported by Ken VanDine
Affects: snapd
Status: New
Importance: Undecided
Assigned to: Sergio Costas

Bug Description

Help URLs no longer work. This feature landed in https://github.com/snapcore/snapd/pull/6493, and I can no longer find the logic to build the file path to pass to xdg-open in userd.

description: updated
Michael Vogt (mvo)
Changed in snapd:
assignee: nobody → Sergio Costas (rastersoft-gmail)
Sergio Costas (rastersoft-gmail) wrote :
James Henstridge (jamesh) wrote :

The code in question was removed as it enabled a sandbox escape, as described in bug 1880085 and CVE-2020-11934. Adding paths controlled by the snap to XDG_DATA_DIRS makes it possible to override desktop files and mime associations.

The proof of concept vulnerability on that bug happens to exploit the help: URI scheme, so even limiting the XDG_DATA_DIRS change to that scheme would be a problem.
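
The precedence rule behind the comment above, as an added example that is not part of the bug report or of snapd's code: XDG lookups take the first match in XDG_DATA_DIRS, so an entry placed ahead of the system directory wins. The function names, directory layout and file names are constructed for illustration, and the check covers only overriding of existing names, not new files an untrusted entry might add.

```python
import os
import tempfile
from pathlib import Path

def is_under(path, prefixes):
    """True if path equals or lies below any of the given directories."""
    p = os.path.realpath(path)
    roots = [os.path.realpath(x) for x in prefixes]
    return any(os.path.commonpath([p, r]) == r for r in roots)

def audit_data_dirs(xdg_data_dirs, untrusted_prefixes):
    """Walk XDG_DATA_DIRS in precedence order (the first entry wins) and return
    (file name, winning dir, shadowed dir) wherever an untrusted entry supplies
    a desktop file or mimeapps.list ahead of a trusted copy of the same name."""
    first_seen = {}  # file name -> directory that wins the lookup
    findings = []
    for d in filter(None, xdg_data_dirs.split(":")):
        apps = Path(d) / "applications"
        if not apps.is_dir():
            continue
        for f in sorted(apps.iterdir()):
            if f.suffix != ".desktop" and f.name != "mimeapps.list":
                continue
            winner = first_seen.setdefault(f.name, d)
            if (winner != d and is_under(winner, untrusted_prefixes)
                    and not is_under(d, untrusted_prefixes)):
                findings.append((f.name, winner, d))
    return findings

def build_constructed_layout(root):
    """Constructed sample: one tree standing in for a snap-controlled path and
    one for the system data directory (all names are hypothetical)."""
    snap_dir = Path(root) / "snap-controlled" / "share"
    sys_dir = Path(root) / "system" / "share"
    layout = ((snap_dir, ["viewer.desktop", "mimeapps.list"]),
              (sys_dir, ["viewer.desktop", "mimeapps.list", "files.desktop"]))
    for d, names in layout:
        (d / "applications").mkdir(parents=True)
        for n in names:
            (d / "applications" / n).write_text("# constructed placeholder\n")
    return str(snap_dir), str(sys_dir)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        snap_dir, sys_dir = build_constructed_layout(root)
        # Untrusted entry first: both of its files win over the system copies.
        for name, winner, loser in audit_data_dirs(f"{snap_dir}:{sys_dir}", [snap_dir]):
            print(f"{name}: {winner} overrides {loser}")
```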
