ubuntu-core-launcher uses incorrect glob, doesn't check for exactly one match

This was introduced in r83 in https://code.launchpad.net/~mvo/ubuntu-core-launcher/snappy-on-ubuntu/+merge/278938.

Great catch! The fix in comment #1 is not correct since we don't need to use glob() any longer.

I asked the store team to blacklist any "ubuntu-core.*" names in the store to counter this.

Nessita told me there is no support to blacklist based on prefix or regexp (which is unfortunate). So we could make all snaps manual approval for now until this issue is solved. Not sure if that big hammer is needed given that you need to convince people first to run "sudo snap install ubuntu-core-evil" to exploit this. But I leave that decision to the experts :)

Tyler is right, the glob is no longer required. I just aimed for a minimal path to highlight the problem.

This deserves a CVE and it should be credited to Zygmunt Krynicki. This bug provides a delayed attack opportunity and at a minimum allows data theft since a crafted snap with crafted name (eg, ubuntu-core-evil, or similar) would have its binaries, libraries, etc bind mounted into all other snap application's runtime environment, which can be used to execute code (ie, to ship data off) within the context of other apps when those other apps run. The scope of the attack is limited to the security policy of the installed apps and their launch (meaning that an app with privileges (eg, network-control interface) could be used in a delayed attack to escalate privileges beyond those granted to the malicious snap).

This fix can be made much simpler-- skip all the glob code and just use /snap/ubuntu-core/current. We don't support .<origin> or .sideload any more so the glob is unneeded.

This is CVE-2016-1580

FYI, I asked the store team to put all apps under manual review. Once the USN is published, we'll lift that.

This bug was fixed in the package ubuntu-core-launcher - 1.0.27.1

---------------
ubuntu-core-launcher (1.0.27.1) xenial-security; urgency=medium

  * SECURITY UPDATE: delayed attack snap data theft and privilege escalation
    when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
    - src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
      instead. The glob code both used an improper glob and performed an
      incorrect check due to a typo which allowed a snap named ubuntu-core-...
      to be bind mounted into application runtimes instead of the ubuntu-core
      OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
      so the glob can simply be dropped.
    - CVE-2016-1580
  * debian/usr.bin.ubuntu-core-launcher:
    - only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
      the future
    - add lib32 and libx32 to match setup_snappy_os_mounts()

 -- Jamie Strandboge <email address hidden> Fri, 29 Apr 2016 10:06:19 -0500

1.0.28 uploaded to yakkety.

http://www.ubuntu.com/usn/usn-2956-1/

FYI, now that the USN is published, I asked the store team to lift manual review.

This bug was fixed in the package ubuntu-core-launcher - 1.0.28

---------------
ubuntu-core-launcher (1.0.28) yakkety; urgency=medium

  * SECURITY UPDATE: delayed attack snap data theft and privilege escalation
    when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
    - src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
      instead. The glob code both used an improper glob and performed an
      incorrect check due to a typo which allowed a snap named ubuntu-core-...
      to be bind mounted into application runtimes instead of the ubuntu-core
      OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
      so the glob can simply be dropped.
    - CVE-2016-1580
  * debian/usr.bin.ubuntu-core-launcher:
    - only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
      the future
    - add lib32 and libx32 to match setup_snappy_os_mounts()

 -- Jamie Strandboge <email address hidden> Fri, 29 Apr 2016 11:17:42 -0500