USN-4661-1: Snapcraft vulnerability

Please see USN-4661-1 and ann-snapcraft-4-4-4-library-injection-vulnerability-on-built-snaps for details on this security update.

itszn discovered that Snapcraft includes the current directory when configuring LD_LIBRARY_PATH for application commands. If a user were tricked into installing a malicious snap or downloading a malicious library, under certain circumstances an attacker could exploit this to affect strict mode snaps that have access to the library and were launched from the directory containing the library. Thanks itszn for reporting this issue and helping us make Snapcraft better.

The Snapcraft team and the Ubuntu Security team worked together to release a security update for the Snapcraft deb as well as the Snapcraft snap. Thus, we encourage snap publishers to rebuild their snaps using the latest Snapcraft version. Instructions on how to do it can be found in the USN-4661-1 security notice.

Thanks!

Thank you for the heads up, @emitorino. A few more details on how to rebuild:

If you’re using https://snapcraft.io/build, just visit the “builds” tab of your snap and hit “Trigger new build”:

build rebuild.jpg2678×644 97.6 KB

If you’re using native Launchpad to build your snaps, just visit the snap info page and hit “Request builds”:

launchpad-rebuild.jpg2966×958 441 KB

Once built they’ll be released to the channel they always release to (e.g. edge). You’ll need to test them and release them to stable (or any other channel) as you see fit, just like any other release.

FYI, a corresponding update was made to the review-tools to send a snap USN notification for snaps built with an affected snapcraft. In some cases, the composition of the email was wrong:

• https://launchpad.net/bugs/1906827
• https://launchpad.net/bugs/1906831

A fix is being prepared for both of these issues.