Security News > 2022 > February > Linux Snap package tool fixes make-me-root bugs
The snap-confine tool in the Linux world's Snap software packaging system can be potentially exploited by ordinary users to gain root powers, says Qualys.
Snap was developed by Ubuntu maker Canonical, and can be used with Ubuntu and on other Linux distributions, if one so wishes, to install applications and services.
CVE-2021-44731, a race condition exploitable in default installations of Ubuntu Desktop, and near-default installations of Ubuntu Server - the default server installation plus one of the Featured Server Snaps offered during installation.
Snap packages are most closely associated with Ubuntu, as we've reported over the years.
The two flaws are addressed in Ubuntu versions 21.10, 20.04, 18.04 and 16.04 and 14.04 by patching snap-confine to version 2.54.3, with Ubuntu itself noting on its advisory page: "In general, a standard system update will make all the necessary changes."
Snap is one of a few competitors in the app packaging world, as The Register reported last year, and the idea is to just make it easier for developers to put their application into a parcel that can be released and installed on multiple distributions.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/02/19/linux_snap_ubuntu/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-17 | CVE-2021-44731 | Race Condition vulnerability in multiple products A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. | 7.8 |