Comment 0 for bug 1576699

Zygmunt Krynicki (zyga) wrote :

A review of the ubuntu-core-launcher code has found that setup_snappy_os_mounts() uses a glob with a potential for a security exploit if the attacker can convince a user to install a malicious snap having a name starting with "ubuntu-core-".

Due to the glob, the launcher may, at random, depending on glob result ordering, choose to mount that snap instead of the real ubuntu-core snap into the filesystem namespace of all newly started application processes.

The bug is possible due to an incorrect glob and an incorrect size check.
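
The ambiguity described in the comment above, shown as an added example that is not code from ubuntu-core-launcher: a prefix pattern resolved by taking the first match depends on listing order, while a checked lookup refuses more than one match and validates the name. The `ubuntu-core*` pattern, the directory names and the function names are assumptions made for illustration.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed directory listings (assumed names, not from the launcher). */
static const char *const order_a[] = { "ubuntu-core", "ubuntu-core-extras", "hello-world" };
static const char *const order_b[] = { "hello-world", "ubuntu-core-extras", "ubuntu-core" };
static const char *const clean[]   = { "ubuntu-core", "hello-world" };

/* Loose lookup: take the first entry the pattern matches. Returns its index
 * or -1. Which entry wins depends entirely on the order of the listing. */
int pick_first_match(const char *pattern, const char *const names[], size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (fnmatch(pattern, names[i], 0) == 0)
			return (int)i;
	return -1;
}

/* Checked lookup: the pattern must match exactly one entry and that entry
 * must be the expected name. Returns the index, -1 if the expected name is
 * not the match, -2 if the pattern matched more than one entry. */
int pick_checked(const char *pattern, const char *wanted,
		 const char *const names[], size_t n)
{
	int found = -1;
	size_t hits = 0;
	for (size_t i = 0; i < n; i++) {
		if (fnmatch(pattern, names[i], 0) != 0)
			continue;
		hits++;
		if (strcmp(names[i], wanted) == 0)
			found = (int)i;
	}
	return hits > 1 ? -2 : found;
}

int main(void)
{
	printf("loose, order A:   %s\n", order_a[pick_first_match("ubuntu-core*", order_a, 3)]);
	printf("loose, order B:   %s\n", order_b[pick_first_match("ubuntu-core*", order_b, 3)]);
	printf("checked, order B: %d\n", pick_checked("ubuntu-core*", "ubuntu-core", order_b, 3));
	printf("checked, clean:   %d\n", pick_checked("ubuntu-core*", "ubuntu-core", clean, 2));
	return 0;
}
```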