Bug 833584 (CVE-2021-3155, CVE-2021-4120, CVE-2021-44730, CVE-2021-44731)

Summary: <app-containers/snapd-2.54.3: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-18 02:02:30 UTC
From https://www.openwall.com/lists/oss-security/2022/02/17/2:
========================================================================
Summary
========================================================================

We recently audited snap-confine (a SUID-root program that is installed
by default on Ubuntu) and discovered two vulnerabilities (two Local
Privilege Escalations, from any user to root): CVE-2021-44730 and
CVE-2021-44731.

  "Snap is a software packaging and deployment system developed by
  Canonical for operating systems that use the Linux kernel. The
  packages, called snaps, and the tool for using them, snapd, work
  across a range of Linux distributions and allow upstream software
  developers to distribute their applications directly to users. Snaps
  are self-contained applications running in a sandbox with mediated
  access to the host system." (Wikipedia)

  "snap-confine is a program used internally by snapd to construct the
  execution environment for snap applications." (man snap-confine)

Discovering and exploiting a vulnerability in snap-confine has been
extremely challenging (especially in a default installation of Ubuntu),
because snap-confine uses a very defensive programming style, AppArmor
profiles, seccomp filters, mount namespaces, and two Go helper programs.
Eventually, we discovered two vulnerabilities:

- CVE-2021-44730, a hardlink attack that is exploitable in a non-default
  configuration only (when the kernel's fs.protected_hardlinks is 0);

- CVE-2021-44731, a race condition that is exploitable in default
  installations of Ubuntu Desktop, and near-default installations of
  Ubuntu Server (the default installation, plus one of the "Featured
  Server Snaps" that are offered during the installation; for example,
  "heroku" or "microk8s").

While working on snap-confine, we also discovered several
vulnerabilities in related packages and libraries: CVE-2021-3996 and
CVE-2021-3995 in util-linux (libmount and umount), CVE-2021-3998 and
CVE-2021-3999 in the glibc (realpath() and getcwd()), and CVE-2021-3997
in systemd (systemd-tmpfiles). We partially published these secondary
vulnerabilities in January 2022, shortly after their patches became
available:

  https://www.openwall.com/lists/oss-security/2022/01/10/2
  https://www.openwall.com/lists/oss-security/2022/01/24/2
  https://www.openwall.com/lists/oss-security/2022/01/24/4

If you enjoy puzzle games like Lemmings (which turns 31 this year!),
then we hope that you will enjoy this advisory.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-18 14:07:11 UTC
CVE-2021-3155:

snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1.

https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85
https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca

CVE-2021-4120:

snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1.
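As an added defender-side example (not part of this bug report or of snapd), the following Python script checks a host for the conditions described above and in the Qualys advisory: a snapd older than the 2.54.3 fix release, a ~/snap directory carrying group/other permission bits (CVE-2021-3155), and fs.protected_hardlinks set to 0 (the non-default kernel setting CVE-2021-44730 requires). The `snap version` output format and the /proc/sys path for the sysctl are assumptions.

```python
"""Constructed defender-side checks for the snapd issues in this bug (example code, not from
snapd or the bug report). Assumes `snap version` prints a line "snapd   <version>"."""
import re
import stat
import subprocess
from pathlib import Path

FIXED_SNAPD = (2, 54, 3)  # first release fixing CVE-2021-3155 / CVE-2021-4120 per the bug

def parse_snapd_version(text: str) -> tuple:
    """Numeric version from strings like '2.54.3+20.04' or '2.54.2' (distro suffix ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised snapd version: {text!r}")
    return tuple(int(x) for x in m.groups())

def snapd_is_fixed(text: str) -> bool:
    """True when the reported snapd version is at least 2.54.3."""
    return parse_snapd_version(text) >= FIXED_SNAPD

def snap_dir_mode_ok(mode: int) -> bool:
    """~/snap must be owner-only: no group/other permission bits (CVE-2021-3155)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def protected_hardlinks_ok(sysctl_value: str) -> bool:
    """fs.protected_hardlinks must be 1; 0 is the non-default state CVE-2021-44730 needs."""
    return sysctl_value.strip() == "1"

def audit(home=None) -> dict:
    """Run all three checks on the live host: True = safe, False = exposed, None = not applicable."""
    home = Path(home) if home else Path.home()
    results = {}
    try:
        out = subprocess.run(["snap", "version"], capture_output=True, text=True, check=True).stdout
        line = next((l for l in out.splitlines() if l.startswith("snapd")), "")
        results["snapd_fixed"] = snapd_is_fixed(line.split()[-1]) if line else None
    except (OSError, subprocess.CalledProcessError):
        results["snapd_fixed"] = None  # snapd not installed or not runnable
    snap_dir = home / "snap"
    results["snap_dir_owner_only"] = (
        snap_dir_mode_ok(stat.S_IMODE(snap_dir.stat().st_mode)) if snap_dir.is_dir() else None)
    try:  # assumed sysctl path; equivalent to `sysctl fs.protected_hardlinks`
        results["protected_hardlinks"] = protected_hardlinks_ok(
            Path("/proc/sys/fs/protected_hardlinks").read_text())
    except OSError:
        results["protected_hardlinks"] = None
    return results

if __name__ == "__main__":
    for check, ok in audit().items():
        print(f"{check}: {'OK' if ok else 'not applicable' if ok is None else 'EXPOSED'}")
```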
Comment 2 Larry the Git Cow gentoo-dev 2022-02-18 18:20:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46f127f94639382842e87b71f8edaadfe2ef0fd2

commit 46f127f94639382842e87b71f8edaadfe2ef0fd2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-02-18 18:19:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-02-18 18:20:33 +0000

    app-containers/snapd: Remove vulnerable version
    
    Bug: https://bugs.gentoo.org/833584
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/snapd/Manifest            |   3 -
 app-containers/snapd/snapd-2.53.4.ebuild | 180 -------------------------------
 app-containers/snapd/snapd-2.54.1.ebuild | 180 -------------------------------
 app-containers/snapd/snapd-2.54.2.ebuild | 180 -------------------------------
 4 files changed, 543 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b954000843bde5a248db161bbfd178ef58f1f06b

commit b954000843bde5a248db161bbfd178ef58f1f06b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-02-18 18:17:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-02-18 18:20:32 +0000

    app-containers/snapd: Bump to version 2.54.3
    
    Bug: https://bugs.gentoo.org/833584
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/snapd/Manifest            |   1 +
 app-containers/snapd/snapd-2.54.3.ebuild | 180 +++++++++++++++++++++++++++++++
 2 files changed, 181 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-18 18:21:59 UTC
Thanks Zac!