Using a specially crafted fallback art property, scopes can execute arbitrary QML code in context of unity8-dash

Bug #1536296 reported by James Henstridge
Affects: Canonical System Image
  Status: Fix Released | Importance: High | Assigned to: Michał Sawicz
Affects: unity8 (Ubuntu)
  Status: Fix Released | Importance: High | Assigned to: Albert Astals Cid

Bug Description

In plugins/Dash/CardCreator.js we have the following code

        var fallback = components["art"] && components["art"]["fallback"] || "";
        if (fallback !== "") {
            code += 'Connections { target: artShapeLoader.item ? artShapeLoader.item.image : null; onStatusChanged: if (artShapeLoader.item.image.status === Image.Error) artShapeLoader.item.image.source = "%1"; } \n'.arg(fallback);
        }

Here components comes from the category renderer template provided by the scope, so fallback is effectively untrusted data.

If a scope sets the fallback image to something like '"; arbitrary qml code here; "' then the dash will execute that code in its context. Given that the dash is unconfined while most scopes are confined, this represents a privilege escalation.
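As an added example (not unity8's CardCreator.js and not the project's actual fix), the pattern from the description beside a generator that embeds the scope-supplied fallback as an escaped string literal, plus a check that the value did not break out of the literal; `qmlStringLiteral`, `sourceLiteralRoundTrips` and the sample inputs are assumptions made here. The stronger fix is to pass the value through a property instead of generating source text from it.

```javascript
// Added example, not unity8's CardCreator.js. Node.js has no QML
// String.arg(), so a plain replace() stands in for it.
const TEMPLATE =
  'Connections { target: artShapeLoader.item ? artShapeLoader.item.image : null; ' +
  'onStatusChanged: if (artShapeLoader.item.image.status === Image.Error) ' +
  'artShapeLoader.item.image.source = %1; } \n';

// The reported pattern: the scope-supplied value lands inside "..." unescaped.
function vulnerableFallbackCode(fallback) {
  return TEMPLATE.replace('%1', '"' + fallback + '"');
}

// Hardened variant (an assumption here, not the project's fix): emit the value
// as one JS string literal so quotes, backslashes and newlines in it cannot
// close the literal. U+2028/U+2029 are escaped as well, since QML engines of
// that era treated them as line terminators inside source text.
function qmlStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function safeFallbackCode(fallback) {
  return TEMPLATE.replace('%1', qmlStringLiteral(fallback));
}

// Regression check for generated lines: the source assignment must be exactly
// one string literal followed by "; }", and decoding it must yield the original
// value. Anything else means data escaped into code.
function sourceLiteralRoundTrips(code, expected) {
  const m = /image\.source = ("(?:[^"\\]|\\.)*");\s*\}\s*$/.exec(code);
  if (!m) return false;
  try { return JSON.parse(m[1]) === expected; } catch (e) { return false; }
}

// Constructed inputs: a benign URL and a value shaped like the one in the report.
const BENIGN = 'image://theme/placeholder-app-icon';
const HOSTILE = '"; arbitrary qml code here; "';

// Vulnerable: benign round-trips, hostile breaks out. Hardened: both round-trip.
function demo() {
  return {
    vulnBenign: sourceLiteralRoundTrips(vulnerableFallbackCode(BENIGN), BENIGN),
    vulnHostile: sourceLiteralRoundTrips(vulnerableFallbackCode(HOSTILE), HOSTILE),
    safeHostile: sourceLiteralRoundTrips(safeFallbackCode(HOSTILE), HOSTILE),
  };
}
```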

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2016-1573

Michał Sawicz (saviq)
Changed in unity8 (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Albert Astals Cid (aacid)
Michał Sawicz (saviq)
Changed in unity8 (Ubuntu):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

With ota9 just around the corner, we (Saviq, QA and security) decided to include this as part of ota9 instead of doing a separate emergency update.

Łukasz Zemczak (sil2100) wrote :

+1 on that, we'll be re-spinning the OTA-9 candidate once the silo lands.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity8 - 8.11+16.04.20160122-0ubuntu1

---------------
unity8 (8.11+16.04.20160122-0ubuntu1) xenial; urgency=medium

  [ Albert Astals Cid ]
  * Fix bug #1536296 added: tests/plugins/Dash/cardcreator/10.tst (LP:
    #1536296)
  * Fix card tests on the phone

  [ CI Train Bot ]
  * Update translation template

 -- Michał Sawicz <email address hidden> Fri, 22 Jan 2016 16:56:04 +0000

Changed in unity8 (Ubuntu):
status: In Progress → Fix Released
Michał Sawicz (saviq)
Changed in unity8 (Ubuntu):
status: Fix Released → Triaged
Michał Sawicz (saviq) wrote :

We need a follow-up on this, there's another image to be spun Friday this week, we'll include the fix there.

Changed in unity8 (Ubuntu):
status: Triaged → In Progress
Changed in unity8 (Ubuntu):
status: In Progress → Fix Released
Michał Sawicz (saviq)
Changed in canonical-devices-system-image:
importance: Undecided → Critical
milestone: none → ww04-2016
status: New → Fix Committed
assignee: nobody → Michał Sawicz (saviq)
importance: Critical → High
Changed in canonical-devices-system-image:
milestone: ww04-2016 → 9.1
Marc Deslauriers (mdeslaur) wrote :

What's the status on this bug? Can I make it public now that 9.1 was published?

Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
information type: Private Security → Public