I reviewed snapd-glib version 0.14-0ubuntu1 as checked into yakkety. This
shouldn't be considered a full security audit; in fact, it was entirely
too hasty due to external time pressures.

Most calls appeared to check for error returns. I found a few instances
that didn't:

- send_request() doesn't check error return from
snapd_auth_data_get_macaroon() but hands the result directly to
g_string_append_printf(); 'Macaroon root="(null)"' is the possible
outcome. Is this tolerable?
- send_request() doesn't check error return from
snapd_auth_data_get_discharges() but hands the result directly to a
for loop that will sigsegv

It's an insane pity this handles HTTP directly. Chunked encoding has
been the source of many vulnerabilities. Maybe investigate if a library
such as yahttp or other choices are available to outsource the potential
trouble. This is probably not a big deal here, since the point is to talk
to a more-privileged tool. Still, HTTP is subtle.

I'd like to spend more time reviewing this in the next cycle, but I think
in the meantime we can accept it for yakkety without undue risk.

Security team ACK for promoting snapd-glib to main.

Thanks
** Changed in: snapd-glib (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
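
The two unchecked returns listed in the review above, as an added example that is not part of the original message and is not snapd-glib code. It is a plain-C stand-in (no GLib); `struct auth_data` and `build_auth_header()` are hypothetical names, and the `discharge="..."` field layout and the choice to treat a NULL discharge array as an empty list are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the auth data object; not snapd-glib's type. */
struct auth_data {
    const char *macaroon;           /* may be NULL when the getter fails */
    const char *const *discharges;  /* NULL-terminated array; may itself be NULL */
};

/* Returns the header length, or -1 (with out emptied) if auth is unusable. */
int build_auth_header(const struct auth_data *auth, char *out, size_t cap)
{
    if (out == NULL || cap == 0)
        return -1;
    out[0] = '\0';

    /* Check 1: a NULL macaroon must never reach a %s conversion. */
    if (auth == NULL || auth->macaroon == NULL || auth->macaroon[0] == '\0')
        return -1;

    int n = snprintf(out, cap, "Macaroon root=\"%s\"", auth->macaroon);
    if (n < 0 || (size_t)n >= cap) { out[0] = '\0'; return -1; }
    size_t used = (size_t)n;

    /* Check 2: test the array pointer before the loop dereferences it. */
    if (auth->discharges != NULL) {
        for (size_t i = 0; auth->discharges[i] != NULL; i++) {
            n = snprintf(out + used, cap - used, ",discharge=\"%s\"",
                         auth->discharges[i]);
            if (n < 0 || (size_t)n >= cap - used) { out[0] = '\0'; return -1; }
            used += (size_t)n;
        }
    }
    return (int)used;
}

int main(void)
{
    /* Constructed sample values, not real macaroons. */
    const char *const d[] = { "d1", "d2", NULL };
    struct auth_data cases[] = { { "m0", d }, { NULL, d }, { "m0", NULL } };
    char buf[128];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int n = build_auth_header(&cases[i], buf, sizeof buf);
        printf("%d %s\n", n, n < 0 ? "(rejected)" : buf);
    }
    return 0;
}
```

Rejecting the request outright when the macaroon is missing keeps a literal "(null)" credential from ever being sent to the daemon.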
https://bugs.launchpad.net/bugs/1620159
Title:
[MIR] snapd-glib