A review of the ubuntu-core-launcher code has found that setup_snappy_os_mounts() uses a glob that could potentially be exploited if an attacker can convince a user to install a malicious snap whose name starts with "ubuntu-core-".
Because of the glob, the launcher may, at random (depending on the ordering of the glob results), choose to mount that snap instead of the real ubuntu-core snap into the filesystem namespace of all newly started application processes.
The bug is made possible by an incorrect glob combined with an incorrect size check.
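The ordering dependence described above can be reproduced in isolation. The following is an added example, not code from ubuntu-core-launcher: the patterns, the snap names and the helpers `pick_first` and `pick_unique` are assumptions made for illustration, since the report gives only the "ubuntu-core-" prefix. It contrasts first-match selection with a fail-closed check that accepts exactly one match.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed patterns: the report states only that the glob is too loose. */
#define LOOSE_PATTERN "ubuntu-core*"
#define EXACT_PATTERN "ubuntu-core"

/* Constructed directory listings: the same two snaps in two orderings. */
static const char *const order_a[] = { "ubuntu-core-evil", "ubuntu-core" };
static const char *const order_b[] = { "ubuntu-core", "ubuntu-core-evil" };

/* Flawed selection: take the first match, whatever else also matched. */
const char *pick_first(const char *pat, const char *const names[], size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (fnmatch(pat, names[i], 0) == 0)
            return names[i];
    return NULL;
}

/* Fail-closed selection: accept only when exactly one entry matches. */
const char *pick_unique(const char *pat, const char *const names[], size_t n)
{
    const char *found = NULL;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (fnmatch(pat, names[i], 0) == 0) {
            found = names[i];
            hits++;
        }
    return hits == 1 ? found : NULL;
}

static const char *show(const char *s) { return s ? s : "(refused)"; }

int main(void)
{
    printf("loose, order A: %s\n", show(pick_first(LOOSE_PATTERN, order_a, 2)));
    printf("loose, order B: %s\n", show(pick_first(LOOSE_PATTERN, order_b, 2)));
    printf("loose, unique:  %s\n", show(pick_unique(LOOSE_PATTERN, order_a, 2)));
    printf("exact, unique:  %s\n", show(pick_unique(EXACT_PATTERN, order_a, 2)));
    return 0;
}
```

With the loose pattern the selected name changes with listing order, while the count check refuses to pick a mount source whenever the match is ambiguous.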