Linux Snap package tool fixes make-me-root bugs
2022-02-19 00:15

The snap-confine tool in the Linux world's Snap software packaging system can potentially be exploited by ordinary users to gain root powers, says Qualys.

Snap was developed by Ubuntu maker Canonical, and can be used with Ubuntu and on other Linux distributions, if one so wishes, to install applications and services.

CVE-2021-44731 is a race condition exploitable in default installations of Ubuntu Desktop, and in near-default installations of Ubuntu Server (the default server installation plus one of the Featured Server Snaps offered during installation).

Snap packages are most closely associated with Ubuntu, as we've reported over the years.

The two flaws are addressed in Ubuntu versions 21.10, 20.04, 18.04, 16.04 and 14.04 by patching snap-confine to version 2.54.3, with Ubuntu itself noting on its advisory page: "In general, a standard system update will make all the necessary changes."

Snap is one of a few competitors in the app packaging world, as The Register reported last year, and the idea is to just make it easier for developers to put their application into a parcel that can be released and installed on multiple distributions.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/02/19/linux_snap_ubuntu/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-17 | CVE-2021-44731 | Race Condition vulnerability in multiple products | 7.8 |

A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap.
local, high complexity; canonical, fedoraproject, debian; CWE-362

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 17 374 2505 1534 665 5078