Bugzilla – Bug 1123649
VUL-0: CVE-2019-7304: snapd: Wrong validation and parsing of the remote address allows an unprivileged user to use the socket API as root
Last modified: 2019-02-13 13:15:59 UTC
Created attachment 795586 [details] patch for version 2.37

Hello, we received the following email from Canonical:

A private security bug[0] of high severity was reported by Chris Moberly against the snapd project. You are being emailed[1] since your distribution is affected in some manner. This issue is embargoed and has not been disclosed publicly. We are requesting a coordinated release date (CRD) of 2019-02-06 16:00 UTC. We ask that you keep this issue embargoed until the CRD[2]. If you do not request another date, Ubuntu will make this bug public on the CRD.

I'm in the process of requesting a CVE for this and will report back to this thread when I have one.

Details from the currently private bug follow: https://launchpad.net/bugs/1813365

The gist of the bug is that snapd has a socket in /run that has 666 permissions and it looks at the uid of the peer cred as part of its access control. snapd less than 2.37.1 did not correctly validate and parse the remote address, which allows an unprivileged user to use the socket API as if it was root, which in turn allows the unprivileged user to install snaps, create users, etc.

Attached is a patch against snapd 2.37 and 2.35 which addresses the issue (the 2.35 patch just removes patching a couple of nonexistent test cases in its testsuite but is otherwise the same).

While the details of the vulnerability are considered embargoed, a public commit[3] to the same area of code fixed the issue in passing as part of an unrelated bug fix, so the issue can be considered semi-public. This commit is included in snapd 2.37.1 which is considered unaffected. The snapd upstream team works closely with distributions to keep snapd up to date and the issue is already in the process of being fixed in various places (2.37.1 contains other unrelated bug fixes that are desirable and the details of the socket issue have not been discussed publicly). Below is a summary for each distribution.

# Arch
Arch AUR currently has snapd 2.37 and needs to update its git branch to 2.37.1: https://aur.archlinux.org/packages/snapd/ I suspect the snapd team is in the process of doing that (perhaps Michael or Samuele from the snapd team can comment).

# Debian
2.37.1-1 was uploaded and accepted to Debian unstable earlier today: https://metadata.ftp-master.debian.org/changelogs/main/s/snapd/snapd_2.37.1-1_changelog An update is needed for Debian stable.

# Fedora
The snapd upstream team reached out to Pharoah_Atem on IRC to update EPEL to 2.37.1 today, but as of now, the package is still at 2.36.3: https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/s/

# OpenSUSE
Tumbleweed has been updated to include 2.37.1: https://build.opensuse.org/package/show/system:snappy/snapd

# Solus
The snapd upstream team reached out to Solus on IRC to update their package to 2.37.1.

# Ubuntu
Ubuntu is preparing updates for its stable releases and will release updated packages on the CRD.

Thanks in advance for your cooperation in coordinating a fix for this issue. Please reach out to Michael Vogt (in CC, snapd upstream) or myself if you have questions regarding the patches or you want access to the bug.

# Snap store
The core and snapd snaps are in the process of being updated to contain snapd 2.37.1. When the snaps are updated, systems with the "snap reexec" feature enabled will see an automatic refresh of the core/snapd snaps with the updated snapd from the snap being used.

[0] https://launchpad.net/bugs/1813365
[1] Since the issue is of high severity, linux-distros is not being used and you are being contacted directly.
[2] Please do not release a fix, make public revision control commits, comment in public bug reports or otherwise disclose information about this issue until the coordinated release date. This gives all affected parties a chance to release a fix at the same time.
[3] https://github.com/snapcore/snapd/pull/6443 with follow up https://github.com/snapcore/snapd/pull/6443
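The peer-credential check the email describes, written out as an added example (this is not snapd's code and not the patch attached to this bug). The page only says that the remote address was validated and parsed incorrectly; the concrete encoding assumed here, "pid=<pid>;uid=<uid>;socket=<path>;" where the path is whatever address the client bound its own socket to, and every function name and sample address below are assumptions made for the illustration. It shows why a delimited string that mixes kernel-supplied fields with a client-chosen field must be parsed positionally: a token scanner that takes "any uid= token" can be handed a second uid by a client that simply binds its socket to a path containing ";uid=0;".

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// buildRemoteAddr produces the assumed address layout. pid and uid stand in
// for values the daemon obtained from the kernel (SO_PEERCRED); the socket
// path is the one field the connecting client controls completely.
func buildRemoteAddr(pid, uid int, clientSocketPath string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s;", pid, uid, clientSocketPath)
}

// uidFromAddrNaive splits on ';' and keeps the last token with a "uid="
// prefix. Because the client-chosen path is split by the same delimiter, a
// path such as "/tmp/x;uid=0;" smuggles in a second uid token that wins.
func uidFromAddrNaive(addr string) (int, error) {
	uid := -1
	for _, tok := range strings.Split(addr, ";") {
		if !strings.HasPrefix(tok, "uid=") {
			continue
		}
		v, err := strconv.Atoi(strings.TrimPrefix(tok, "uid="))
		if err != nil {
			return -1, fmt.Errorf("bad uid token %q: %w", tok, err)
		}
		uid = v
	}
	if uid < 0 {
		return -1, errors.New("no uid in remote address")
	}
	return uid, nil
}

// uidFromAddrStrict reads the fields by position: pid first, uid second, and
// everything from "socket=" onward is treated as opaque client data that is
// never re-split or interpreted. The uid can then only come from the kernel.
func uidFromAddrStrict(addr string) (int, error) {
	parts := strings.SplitN(addr, ";", 3)
	if len(parts) != 3 ||
		!strings.HasPrefix(parts[0], "pid=") ||
		!strings.HasPrefix(parts[1], "uid=") ||
		!strings.HasPrefix(parts[2], "socket=") {
		return -1, errors.New("malformed remote address")
	}
	if _, err := strconv.ParseUint(strings.TrimPrefix(parts[0], "pid="), 10, 32); err != nil {
		return -1, fmt.Errorf("bad pid: %w", err)
	}
	uid, err := strconv.ParseUint(strings.TrimPrefix(parts[1], "uid="), 10, 32)
	if err != nil {
		return -1, fmt.Errorf("bad uid: %w", err)
	}
	return int(uid), nil
}

// isRootPeer is the access-control decision made on the parsed uid: a peer is
// granted root-level use of the API only if the parser reports uid 0.
func isRootPeer(addr string, parse func(string) (int, error)) bool {
	uid, err := parse(addr)
	return err == nil && uid == 0
}

func main() {
	// Constructed sample addresses: an honest unprivileged client, and the
	// same client after binding its socket to a path carrying ";uid=0;".
	honest := buildRemoteAddr(4242, 1000, "/tmp/client.sock")
	hostile := buildRemoteAddr(4242, 1000, "/tmp/client.sock;uid=0;")
	for _, addr := range []string{honest, hostile} {
		fmt.Printf("%-52q naive root=%v strict root=%v\n", addr,
			isRootPeer(addr, uidFromAddrNaive), isRootPeer(addr, uidFromAddrStrict))
	}
}
```

The positional parser also rejects reordered input such as "uid=0;pid=1;socket=x;", which the token scanner would happily accept; in general, once any client-controlled bytes are embedded in the string, the only safe fields are those whose position is fixed before that point.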
Created attachment 795587 [details] patch for version 2.35
snapd version 2.37.1 already contains the fix. Tumbleweed already has version 2.37.1. This bug is created for tracking purposes.
Already fixed in Tumbleweed