USN-2956-1: ubuntu-core-launcher vulnerability

29 April 2016

ubuntu-core-launcher vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

ubuntu-core-launcher did not properly isolate snaps from one another.

Software Description

  • ubuntu-core-launcher - Snap application launcher

Details

Zygmunt Krynicki discovered that ubuntu-core-launcher did not properly sanitize its input and contained a logic error when determining the mountpoint of bind mounts when using snaps on Ubuntu classic systems (eg, traditional desktop and server). If a user were tricked into installing a malicious snap with a crafted snap name, an attacker could perform a delayed attack to steal data or execute code within the security context of another snap. This issue did not affect Ubuntu Core systems.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
ubuntu-core-launcher - 1.0.27.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References