UBUNTU-CVE-2020-27348

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2020-27348

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-27348.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2020-27348

Related

Published

2020-12-03T18:16:00Z

Modified

2020-12-03T18:16:00Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L CVSS Calculator
6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L CVSS Calculator

Summary

[none]

Details

In some conditions, a snap package built by snapcraft includes the current directory in LDLIBRARYPATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.

References

Affected packages

Ubuntu:16.04:LTS / snapcraft

Package

Name: snapcraft
Purl: pkg:deb/ubuntu/snapcraft?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.43.1+16.04.1

Affected versions

0.*

0.3

0.4

0.5

0.6

1.*

1.0

2.*

2.0

2.0.1

2.1

2.1.1

2.2

2.2.1

2.2.2

2.3.1

2.3.2

2.4

2.5

2.6

2.6.1

2.7

2.8

2.8.1

2.8.2

2.8.3

2.8.4

2.8.8b

2.9

2.10.1

2.11

2.12

2.12.1

2.13.1

2.14

2.15.1

2.16

2.17

2.18.1

2.19

2.20

2.21

2.22.1

2.23

2.24

2.25

2.26

2.27

2.27.1

2.28

2.29

2.31

2.33

2.34

2.35

2.39.2

2.39.3

2.39.3+really2.35

2.40

2.41

2.42

2.42.1

2.43

2.43.1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.43.1+16.04.1",
            "binary_name": "snapcraft"
        },
        {
            "binary_version": "2.43.1+16.04.1",
            "binary_name": "snapcraft-examples"
        },
        {
            "binary_version": "2.43.1+16.04.1",
            "binary_name": "snapcraft-parser"
        }
    ]
}

Ubuntu:18.04:LTS / snapcraft

Package

Name: snapcraft
Purl: pkg:deb/ubuntu/snapcraft?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.43.1+18.04.1

Affected versions

2.*

2.34+17.10

2.39.2+18.04.2

2.40+18.04.1

2.40+18.04.3

2.41+18.04.1

2.41+18.04.2

2.42+18.04.2

2.42.1+18.04

2.43+18.04

2.43.1+18.04

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.43.1+18.04.1",
            "binary_name": "snapcraft"
        },
        {
            "binary_version": "2.43.1+18.04.1",
            "binary_name": "snapcraft-examples"
        },
        {
            "binary_version": "2.43.1+18.04.1",
            "binary_name": "snapcraft-parser"
        }
    ]
}