883795 – (CVE-2022-3328) <app-containers/snapd-2.57.6: root privilege escalation

Bug 883795 (CVE-2022-3328) - <app-containers/snapd-2.57.6: root privilege escalation

Summary: <app-containers/snapd-2.57.6: root privilege escalation

Status:	RESOLVED FIXED

Alias:	CVE-2022-3328

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://www.qualys.com/2022/11/30/cve...
Whiteboard:	~1 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2022-12-01 00:48 UTC by John Helmert III
Modified:	2022-12-01 04:43 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2022-41973, CVE-2022-41974
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-01 00:48:54 UTC

"We discovered a race condition (CVE-2022-3328) in snap-confine, a
SUID-root program installed by default on Ubuntu. In this advisory, we
tell the story of this vulnerability (which was introduced in February
2022 by the patch for CVE-2021-44731) and detail how we exploited it in
Ubuntu Server (a local privilege escalation, from any user to root) by
combining it with two vulnerabilities in multipathd (an authorization
bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973):

https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt"

"Patches are available at:

https://github.com/snapcore/snapd/releases/tag/2.57.6
https://github.com/snapcore/snapd/commits/release/2.57"

Please bump to 2.57.6.

Comment 1 Larry the Git Cow gentoo-dev

2022-12-01 03:45:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=567c437733417399551df986d3f85b9758568eb1

commit 567c437733417399551df986d3f85b9758568eb1
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-12-01 03:45:09 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-12-01 03:45:42 +0000

    app-containers/snapd: drop 2.57.2-r1, 2.57.4, 2.57.5
    
    Bug: https://bugs.gentoo.org/883795
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/snapd/Manifest               |   3 -
 app-containers/snapd/snapd-2.57.2-r1.ebuild | 178 ----------------------------
 app-containers/snapd/snapd-2.57.4.ebuild    | 178 ----------------------------
 app-containers/snapd/snapd-2.57.5.ebuild    | 178 ----------------------------
 4 files changed, 537 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=207fb8f24450d6adacaab692c5fcc733657f6eb7

commit 207fb8f24450d6adacaab692c5fcc733657f6eb7
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-12-01 03:44:22 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-12-01 03:45:42 +0000

    app-containers/snapd: add 2.57.6
    
    Bug: https://bugs.gentoo.org/883795
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/snapd/Manifest            |   1 +
 app-containers/snapd/snapd-2.57.6.ebuild | 178 +++++++++++++++++++++++++++++++
 2 files changed, 179 insertions(+)

Comment 2 John Helmert III archtester

2022-12-01 04:43:25 UTC

Thanks, all done!