OA gives out all tokens to any app
Bug #1392380 reported by Michael Zanetti
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical System Image | Fix Released | High | David Barth | |
| signon (Ubuntu) | Fix Released | Critical | Alberto Mardegan | |
| Utopic | Won't Fix | Undecided | Unassigned | |
| Vivid | Fix Released | Critical | Alberto Mardegan | |
| signon (Ubuntu RTM) | Fix Released | Undecided | Alberto Mardegan | |
| ubuntu-touch-meta (Ubuntu RTM) | Fix Released | Undecided | Unassigned | |

Bug Description
The attached app will steal all your tokens. All it takes is the "accounts" permission in the apparmor file.
Here's the code: https:/
Related branches
lp:~mardy/signon/rtm-fixes: Approved for merging into lp:~online-accounts/signon/rtm-14.09
- David Barth (community): Approve

Diff: 909 lines (+506/-196), 17 files modified
debian/changelog (+6/-0)
lib/plugins/SignOn/uisessiondata_priv.h (+2/-0)
src/signond/accesscontrolmanagerhelper.cpp (+1/-1)
src/signond/signondaemonadaptor.cpp (+1/-1)
src/signond/signonidentity.cpp (+8/-30)
src/signond/signonidentityinfo.cpp (+12/-0)
src/signond/signonidentityinfo.h (+2/-0)
src/signond/signonsessioncore.cpp (+6/-2)
tests/libsignon-qt-tests/ssotestclient.cpp (+127/-161)
tests/libsignon-qt-tests/ssotestclient.h (+1/-1)
tests/libsignon-qt-tests/testauthsession.cpp (+1/-0)
tests/signond-tests/.gitignore (+1/-0)
tests/signond-tests/signond-tests.pri (+2/-0)
tests/signond-tests/signond-tests.pro (+1/-0)
tests/signond-tests/timeouts.cpp (+2/-0)
tests/signond-tests/tst_access_control_manager_helper.cpp (+320/-0)
tests/signond-tests/tst_access_control_manager_helper.pro (+13/-0)

lp:~dbarth/ubuntu-seeds/ubuntu-touch.utopic-signon-apparmor-extension: Rejected for merging into lp:~ubuntu-core-dev/ubuntu-seeds/ubuntu-touch.vivid
- Łukasz Zemczak: Disapprove
- Ubuntu Core Development Team: Pending requested

Diff: 25 lines (+0/-2), 2 files modified
desktop (+0/-1)
touch (+0/-1)

summary: "OA gives out all tokes to any app" → "OA gives out all tokens to any app"

Changed in ubuntu-system-settings-online-accounts:
assignee: nobody → Ubuntu Security Team (ubuntu-security)
information type: Private Security → Public Security
tags: added: application-confinement

Changed in signon (Ubuntu Vivid):
status: Confirmed → Fix Released

Changed in signon (Ubuntu RTM):
assignee: nobody → Alberto Mardegan (mardy)
status: New → In Progress

Changed in canonical-devices-system-image:
milestone: ww51-2014 → ww05-2015

Changed in ubuntu-touch-meta (Ubuntu RTM):
status: Fix Released → New

Changed in canonical-devices-system-image:
status: Confirmed → In Progress
milestone: ww05-2015 → ww07-2015

Changed in canonical-devices-system-image:
assignee: nobody → David Barth (dbarth)
milestone: ww07-2015 → ww09-2015

Changed in canonical-devices-system-image:
status: In Progress → Fix Released

Changed in signon (Ubuntu RTM):
status: In Progress → Fix Released

Changed in signon (Ubuntu Utopic):
importance: Critical → Undecided
status: Confirmed → Won't Fix

Do you have signon-apparmor-extension installed?