I was reading an article about CVE-2020-27348 earlier, which is quite a nasty bug affecting a lot of snap packages.
My desktop runs Ubuntu 18.04 at the moment, and so does my partner’s laptop. I also have a Debian buster laptop but I’ve never installed snapd there. So it’s just my desktop and my partner’s laptop I’m concerned about.
If you run Ubuntu 20.04 or later I think there’s probably more concern, as I understand the software centre offers snap versions of things by default.
Anyway, I couldn’t recall ever installing a snap on purpose on my desktop except for a short while ago when I intentionally installed signal-desktop. But in fact I have quite a few snaps installed.
```
$ snap list
Name                  Version                     Rev   Tracking         Publisher     Notes
core                  16-2.48.2                   1058  latest/stable    canonical✓    core
core18                20201210                    1944  latest/stable    canonical✓    base
gnome-3-26-1604       3.26.0.20200529             100   latest/stable/…  canonical✓    -
gnome-3-28-1804       3.28.0-19-g98f9e67.98f9e67  145   latest/stable    canonical✓    -
gnome-3-34-1804       0+git.3556cb3               66    latest/stable    canonical✓    -
gnome-calculator      3.38.0+git7.c840c69c        826   latest/stable/…  canonical✓    -
gnome-characters      v3.34.0+git9.eeab5f2        570   latest/stable/…  canonical✓    -
gnome-logs            3.34.0                      100   latest/stable/…  canonical✓    -
gnome-system-monitor  3.36.0-12-g35f88a56d7       148   latest/stable/…  canonical✓    -
gtk-common-themes     0.1-50-gf7627e4             1514  latest/stable/…  canonical✓    -
signal-desktop        1.39.5                      345   latest/stable    snapcrafters  -
```
I don’t know why gnome-calculator is there. It doesn’t appear to be the binary that’s run when I start the calculator.
So are any of them a security risk? Well…
```
$ grep -l \$LD_LIBRARY_PATH /snap/*/current/snap/snapcraft.yaml
/snap/gnome-calculator/current/snap/snapcraft.yaml
/snap/gnome-characters/current/snap/snapcraft.yaml
/snap/gnome-logs/current/snap/snapcraft.yaml
/snap/gnome-system-monitor/current/snap/snapcraft.yaml
```
Those are all the snaps on my system whose snapcraft.yaml includes the value of the environment variable LD_LIBRARY_PATH (which is empty on my system) when setting its own, so they are likely vulnerable to this.
But does this really end up with an empty item in the LD_LIBRARY_PATH list?
```
$ which gnome-system-monitor
/snap/bin/gnome-system-monitor
$ gnome-system-monitor &
$ pgrep -f gnome-system-monitor
8259
$ tr '\0' '\n' < /proc/8259/environ | grep ^LD_LIBR | grep -q :: && echo "oh dear"
oh dear
```
Yes it really does.
(The tr is necessary above because /proc/*/environ is a NUL-separated list of variables; converting the NULs to newlines gives one variable per line, after which the pipeline picks out the LD_LIBRARY_PATH line and checks whether it contains an empty entry, ::.)
So yeah, my gnome-system-monitor is a local code execution vector.
As are my gnome-characters, gnome-logs and that gnome-calculator if I ever uninstall the non-snap version.
That CVE seems to have been published on 3 December 2020. I hope that the affected snaps will be fixed soon.
I don’t like that the CVE says the impact is:
If a user were tricked into installing a malicious snap or downloading a malicious library, under certain circumstances an attacker could exploit this to affect strict mode snaps that have access to the library and were launched from the directory containing the library.
My first thought upon reading that was, “I’m safe, I haven’t been tricked into downloading any malicious snaps!” But I do have snaps that aren’t malicious; they are just insecure. The hardest part of the exploit is indeed getting a malicious file (a library) onto my filesystem in a directory from which I will run a snap.