github.com/snapcore/snapd is vulnerable to privilege escalation. The sc_open_snapd_tool function of tool.c does not properly validate the location of the snap-confine binary, allowing an attacker to hardlink setuid binaries to another location when fs.protected_hardlinks is 0.
www.openwall.com/lists/oss-security/2022/02/18/2
www.openwall.com/lists/oss-security/2022/02/23/1
github.com/snapcore/snapd/commit/54e71e7750f73a28f5a47fe04dd058360e24c0e9
lists.fedoraproject.org/archives/list/[email protected]/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/
lists.fedoraproject.org/archives/list/[email protected]/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/
ubuntu.com/security/notices/USN-5292-1
www.debian.org/security/2022/dsa-5080