This deserves a CVE and it should be credited to Zygmunt Krynicki. This bug provides a delayed attack opportunity and at a minimum allows data theft, since a crafted snap with a crafted name (e.g., ubuntu-core-evil, or similar) would have its binaries, libraries, etc. bind mounted into all other snap applications' runtime environments, which can be used to execute code (i.e., to ship data off) within the context of other apps when those other apps run. The scope of the attack is limited to the security policy of the installed apps and their launch (meaning that an app with privileges (e.g., the network-control interface) could be used in a delayed attack to escalate privileges beyond those granted to the malicious snap).
This fix can be made much simpler: skip all the glob code and just use /snap/ubuntu-core/current. We don't support .<origin> or .sideload any more, so the glob is unneeded.
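To illustrate the point made in the comment above, here is an added example (not snap-confine's own code) contrasting a glob-based lookup of the core snap under /snap with the fixed-path lookup the comment recommends; the directory listing is constructed and its order is deliberately unsorted, as readdir() order is.

```c
// Added example, not code from snap-confine. Shows why selecting the core
// snap with a glob over /snap lets a sibling snap name hijack the mount.
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

// Constructed listing of /snap on a hypothetical system. The order is not
// sorted on purpose: readdir() makes no ordering guarantee, so code that
// takes the first glob match is at the mercy of the filesystem.
static const char *snap_dirs[] = { "bin", "ubuntu-core-evil", "hello-world", "ubuntu-core" };
static const size_t n_snap_dirs = sizeof(snap_dirs) / sizeof(snap_dirs[0]);

// How many entries under /snap would satisfy the glob "ubuntu-core*".
// Anything other than exactly 1 means another snap can influence the choice.
int count_glob_matches(void) {
    int matches = 0;
    for (size_t i = 0; i < n_snap_dirs; i++) {
        if (fnmatch("ubuntu-core*", snap_dirs[i], 0) == 0) matches++;
    }
    return matches;
}

// Vulnerable selection: first directory matching "ubuntu-core*". With the
// listing above this resolves to the attacker-named snap, not the real core.
const char *select_core_by_glob(void) {
    static char path[128];
    for (size_t i = 0; i < n_snap_dirs; i++) {
        if (fnmatch("ubuntu-core*", snap_dirs[i], 0) == 0) {
            snprintf(path, sizeof path, "/snap/%s/current", snap_dirs[i]);
            return path;
        }
    }
    return NULL;
}

// Fixed selection: the core snap has a fixed, well-known path, so no other
// snap name under /snap can alter what gets bind mounted.
const char *select_core_fixed(void) {
    return "/snap/ubuntu-core/current";
}

int main(void) {
    printf("glob matches: %d\n", count_glob_matches());
    printf("glob picks:   %s\n", select_core_by_glob());
    printf("fixed path:   %s\n", select_core_fixed());
    return 0;
}
```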