Using a specially crafted fallback art property, scopes can execute arbitrary QML code in the context of unity8-dash

Bug #1536296 reported by James Henstridge
Affects                  Status         Importance   Assigned to          Milestone
Canonical System Image   Fix Released   High         Michał Sawicz
unity8 (Ubuntu)          Fix Released   High         Albert Astals Cid

Bug Description

In plugins/Dash/CardCreator.js we have the following code

        var fallback = components["art"] && components["art"]["fallback"] || "";
        if (fallback !== "") {
            code += 'Connections { target: artShapeLoader.item ? artShapeLoader.item.image : null; onStatusChanged: if (artShapeLoader.item.image.status === Image.Error) artShapeLoader.item.image.source = "%1"; } \n'.arg(fallback);
        }

Here components comes from the category renderer template provided by the scope, so fallback is effectively untrusted data.

If a scope sets the fallback image to something like '"; arbitrary QML code here; "' then the dash will execute that code in its context. Given that the dash is unconfined while most scopes are confined, this represents a privilege escalation.
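The injection described in the report, reproduced as an added example that is not unity8's own code: the template from CardCreator.js is rebuilt in plain Node.js with a small `qtArg` helper standing in for QML's `String.arg()` (an assumption, since Node has none), a scope-supplied fallback is spliced in verbatim, and a hardened variant emits the value as a proper JavaScript string literal instead. The injection payload and the benign URL are constructed for the example; the hardened builder is illustrative and is not claimed to be the fix that shipped in 8.11+16.04.20160122.

```javascript
// Added example (not unity8 code): how an untrusted "fallback" value becomes
// executable QML, and one way to keep it as data.

// Stand-in for QML's String.prototype.arg() (assumption: plain Node.js does
// not provide it). Replaces the first "%1" with the value, verbatim.
function qtArg(template, value) {
  return template.replace("%1", () => String(value));
}

// The generated QML from CardCreator.js, with %1 left unquoted so the two
// builders below can show exactly what gets substituted.
const CONNECTIONS_TEMPLATE =
  'Connections { target: artShapeLoader.item ? artShapeLoader.item.image : null; ' +
  'onStatusChanged: if (artShapeLoader.item.image.status === Image.Error) ' +
  'artShapeLoader.item.image.source = %1; } \n';

// Vulnerable form, equivalent to the original '... = "%1"; ...'.arg(fallback):
// the value is wrapped in plain double quotes, so a value containing `"`
// closes the literal early and whatever follows is parsed as QML/JavaScript.
function buildConnectionsVulnerable(fallback) {
  return qtArg(CONNECTIONS_TEMPLATE, '"' + fallback + '"');
}

// Hardened form (illustrative, not necessarily the shipped fix): JSON.stringify
// produces a JavaScript string literal with quotes, backslashes and newlines
// escaped, so the literal cannot be terminated by the value. An allow-list of
// URL schemes (file:, image:, https:) on top of this would be a sensible
// additional check for a value that is only ever meant to be an image source.
function buildConnectionsHardened(fallback) {
  return qtArg(CONNECTIONS_TEMPLATE, JSON.stringify(String(fallback)));
}

// Counts ';' outside string literals, i.e. statement terminators the QML
// engine would actually see. The template on its own yields exactly two
// (after the target binding and after the source assignment); any more means
// the fallback value smuggled in statements of its own.
function countStatementSemicolons(code) {
  let count = 0;
  let quote = null; // current string delimiter, or null when outside a literal
  for (let i = 0; i < code.length; i++) {
    const ch = code[i];
    if (quote !== null) {
      if (ch === "\\") { i++; continue; } // skip the escaped character
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === ";") {
      count++;
    }
  }
  return count;
}

// Constructed inputs: a benign image URL and an injection payload of the
// shape the report describes (the payload here is illustrative only).
const BENIGN_FALLBACK = "file:///usr/share/icons/fallback.png";
const MALICIOUS_FALLBACK = '"; Qt.quit(); "';

console.log(buildConnectionsVulnerable(MALICIOUS_FALLBACK));
console.log("statements (vulnerable):",
  countStatementSemicolons(buildConnectionsVulnerable(MALICIOUS_FALLBACK)));
console.log(buildConnectionsHardened(MALICIOUS_FALLBACK));
console.log("statements (hardened):",
  countStatementSemicolons(buildConnectionsHardened(MALICIOUS_FALLBACK)));
```

With the malicious value the vulnerable output reads `image.source = ""; Qt.quit(); "";`, so `Qt.quit()` runs as a statement in the dash's unconfined process as soon as the art image fails to load; the hardened output keeps the whole value inside one literal, `"\"; Qt.quit(); \""`, where it is merely a broken image URL.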

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2016-1573

Michał Sawicz (saviq)
Changed in unity8 (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Albert Astals Cid (aacid)
Michał Sawicz (saviq)
Changed in unity8 (Ubuntu):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

With ota9 just around the corner, we (Saviq, QA and security) decided to include this as part of ota9 instead of doing a separate emergency update.

Łukasz Zemczak (sil2100) wrote :

+1 on that, we'll be re-spinning the OTA-9 candidate once the silo lands.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity8 - 8.11+16.04.20160122-0ubuntu1

---------------
unity8 (8.11+16.04.20160122-0ubuntu1) xenial; urgency=medium

  [ Albert Astals Cid ]
  * Fix bug #1536296 added: tests/plugins/Dash/cardcreator/10.tst (LP:
    #1536296)
  * Fix card tests on the phone

  [ CI Train Bot ]
  * Update translation template

 -- Michał Sawicz <email address hidden> Fri, 22 Jan 2016 16:56:04 +0000

Changed in unity8 (Ubuntu):
status: In Progress → Fix Released
Michał Sawicz (saviq)
Changed in unity8 (Ubuntu):
status: Fix Released → Triaged
Michał Sawicz (saviq) wrote :

We need a follow-up on this, there's another image to be spun Friday this week, we'll include the fix there.

Changed in unity8 (Ubuntu):
status: Triaged → In Progress
Changed in unity8 (Ubuntu):
status: In Progress → Fix Released
Michał Sawicz (saviq)
Changed in canonical-devices-system-image:
importance: Undecided → Critical
milestone: none → ww04-2016
status: New → Fix Committed
assignee: nobody → Michał Sawicz (saviq)
importance: Critical → High
Changed in canonical-devices-system-image:
milestone: ww04-2016 → 9.1
Marc Deslauriers (mdeslaur) wrote :

What's the status on this bug? Can I make it public now that 9.1 was published?

Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
information type: Private Security → Public