This bug was fixed in the package snapd - 2.46~pre1.gitaf15176

---------------
snapd (2.46~pre1.gitaf15176) groovy; urgency=medium

  * New git snapshot for the upcoming 2.46 release

 -- Michael Vogt <[email protected]>  Fri, 07 Aug 2020 09:15:31 +0200

** Changed in: snapd (Ubuntu Groovy)
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1880085

Title:
  snap userd's OpenURL method allows sandbox escape

Status in snapd:
  In Progress
Status in snapd package in Ubuntu:
  Fix Released
Status in snapd source package in Trusty:
  Won't Fix
Status in snapd source package in Xenial:
  Fix Released
Status in snapd source package in Bionic:
  Fix Released
Status in snapd source package in Eoan:
  Fix Released
Status in snapd source package in Focal:
  Fix Released
Status in snapd source package in Groovy:
  Fix Released

Bug description:
  snap userd's OpenURL implementation alters the value of $XDG_DATA_DIRS
  to include a directory controlled by the calling snap before calling
  /usr/bin/xdg-open:

  https://github.com/snapcore/snapd/blob/7f678b92/usersession/userd/launcher.go#L109-L113

  This allows the snap to control how the URL will be opened, including
  having executables provided by the snap run outside of confinement.

  Attached is an example snap demonstrating the exploit. It works as
  follows:

  1. the snap provides a single command plugging the desktop interface
     that calls "xdg-open help://whatever"

  2. userd invokes the host system /usr/bin/xdg-open with
     $SNAP/usr/share/applications at the start of $XDG_DATA_DIRS.

  3. under $SNAP/usr/share/applications, we have a yelp.desktop file whose
     Exec line points to an "outside-sandbox.sh" script shipped with the
     snap, and a mimeapps.list file to set it as the default handler for
     the "help:" scheme.

  4. the "outside-sandbox.sh" script is executed without confinement and
     writes a file /tmp/foo.txt

  This file can be seen in the host system /tmp rather than the snap's
  private /tmp, demonstrating that it was run outside the sandbox.

  Note that this isn't restricted to the "help:" URI scheme: it's just
  more likely to succeed, since users are unlikely to override the
  default handler.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1880085/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
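The root cause described in the bug is a privileged, unconfined helper (xdg-open) searching for .desktop files in a directory the confined caller controls. The Go program below is an added example written for this page, not snapd's code and not the fix that shipped in 2.46; it shows the defensive principle: build the helper's environment from the launcher's own environment, and drop every XDG_DATA_DIRS entry that is empty, non-absolute, or located under a caller-controlled tree. The snap root /snap/demo/7, the function names and the sample environment are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Added example, not snapd's code. Paths and names are constructed.

// isUnder reports whether dir lies lexically inside one of roots.
// The comparison is lexical only; a production check should also
// resolve symlinks before comparing.
func isUnder(dir string, roots []string) bool {
	clean := filepath.Clean(dir)
	for _, root := range roots {
		root = filepath.Clean(root)
		if clean == root || strings.HasPrefix(clean, root+string(filepath.Separator)) {
			return true
		}
	}
	return false
}

// filteredXDGDataDirs removes from a colon-separated XDG_DATA_DIRS value
// every entry that is empty, not absolute (the XDG base-directory spec
// says relative entries are to be ignored), or located under one of
// untrustedRoots (directories the confined caller can write to).
func filteredXDGDataDirs(value string, untrustedRoots []string) string {
	var kept []string
	for _, dir := range strings.Split(value, ":") {
		switch {
		case dir == "":
		case !filepath.IsAbs(dir):
		case isUnder(dir, untrustedRoots):
		default:
			kept = append(kept, dir)
		}
	}
	return strings.Join(kept, ":")
}

// launcherEnv builds the environment handed to the unconfined helper.
// It starts from the launcher's own environment (never the caller's),
// rewrites XDG_DATA_DIRS through filteredXDGDataDirs, and falls back to
// hostDefault when no trustworthy entry is left or none was set.
func launcherEnv(base []string, untrustedRoots []string, hostDefault string) []string {
	out := make([]string, 0, len(base)+1)
	dataDirs := hostDefault
	for _, kv := range base {
		if strings.HasPrefix(kv, "XDG_DATA_DIRS=") {
			v := strings.TrimPrefix(kv, "XDG_DATA_DIRS=")
			if f := filteredXDGDataDirs(v, untrustedRoots); f != "" {
				dataDirs = f
			}
			continue // the original variable is never passed through unchanged
		}
		out = append(out, kv)
	}
	return append(out, "XDG_DATA_DIRS="+dataDirs)
}

func main() {
	const snapRoot = "/snap/demo/7" // constructed snap mount point
	base := []string{
		"HOME=/home/user",
		"XDG_DATA_DIRS=" + snapRoot + "/usr/share:/usr/local/share:/usr/share",
	}
	for _, kv := range launcherEnv(base, []string{snapRoot}, "/usr/local/share:/usr/share") {
		fmt.Println(kv)
	}
}
```

The filtering is applied to the launcher's environment rather than to values received over D-Bus; the point is that nothing the confined caller supplies reaches the search path of the unconfined helper.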

