Bug 2058682 (CVE-2021-3155) - CVE-2021-3155 snapd: lax permissions of ~/snap directories in user home
Summary: CVE-2021-3155 snapd: lax permissions of ~/snap directories in user home
Keywords:
Status: NEW
Alias: CVE-2021-3155
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-02-25 15:37 UTC by Mauro Matteo Cascella
Modified: 2022-02-25 15:40 UTC

Fixed In Version: snapd 2.54.3
Doc Type: ---
Doc Text:
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private.
Clone Of:
Environment:
Last Closed:



Description Mauro Matteo Cascella 2022-02-25 15:37:25 UTC
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private.

snapd bug:
https://bugs.launchpad.net/snapd/+bug/1910298

Upstream PR and commits:
https://github.com/snapcore/snapd/pull/9897
https://github.com/snapcore/snapd/pull/10992
https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85 (2.52)
https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca (2.54)
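A check for the condition described above, added here as an example (it is not code from snapd or from this bug report): it lists each user's top-level `snap` directory that grants any permission to group or other, and can optionally clear those bits. The function name `audit_snap_dirs` and the assumption that home directories sit directly under one root such as `/home` are illustrative; contents below `~/snap` are not inspected.

```python
import os
import stat

# Any bit in this mask means the directory is not owner-only.
GROUP_OTHER_MASK = 0o077


def audit_snap_dirs(home_root, fix=False):
    """Return [(path, octal_mode)] for every <home_root>/<user>/snap directory
    that is accessible to group or other. With fix=True, also clear the
    group/other bits so that, for example, 0755 becomes 0700."""
    findings = []
    for entry in sorted(os.scandir(home_root), key=lambda e: e.name):
        # Only real home directories; do not follow symlinked homes.
        if not entry.is_dir(follow_symlinks=False):
            continue
        snap_dir = os.path.join(entry.path, "snap")
        try:
            st = os.lstat(snap_dir)  # lstat: never follow a symlink named "snap"
        except OSError:
            continue  # no ~/snap for this user, or the home is not readable
        if not stat.S_ISDIR(st.st_mode):
            continue  # a file or symlink called "snap" is out of scope
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER_MASK:
            findings.append((snap_dir, format(mode, "04o")))
            if fix:
                os.chmod(snap_dir, mode & ~GROUP_OTHER_MASK)
    return findings


if __name__ == "__main__":
    # /home is an assumed location; run as root to see every user's directory.
    for path, mode in audit_snap_dirs("/home"):
        print(mode, path)
```

Directories created by an affected snapd release keep their mode after the package is upgraded unless something resets it, so the check is useful on hosts that already run a fixed version.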

