
Security vulnerability in the snapcraft software package

  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LUB

==========================================================================
Ubuntu Security Notice USN-4661-1
December 03, 2020

snapcraft vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

An intended access restriction could be bypassed in snaps built with
Snapcraft.

Software Description:
- snapcraft: easily craft snaps

Details:

It was discovered that Snapcraft includes the current directory when
configuring LD_LIBRARY_PATH for application commands. If a user were
tricked into installing a malicious snap or downloading a malicious
library, under certain circumstances an attacker could exploit this to
affect strict mode snaps that have access to the library and are
launched from the directory containing the library.
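
The following check is an added example, not code from the notice or from Snapcraft. It audits an LD_LIBRARY_PATH value for elements that make the dynamic loader search the current directory, and shows a join that avoids creating one. It assumes the current directory enters the value as an empty or relative element (glibc reads a zero-length element as the current working directory); the function names and the /snap/example path are hypothetical.

```shell
#!/bin/sh
# Added example: audit an LD_LIBRARY_PATH value for elements that make the
# dynamic loader search the current working directory.

# Print one line per unsafe element of the colon-separated value in $1.
# glibc treats a zero-length element as the current directory; a relative
# element such as "." or "lib" is also resolved against the current directory.
ld_path_unsafe_elements() {
    rest=$1
    # A completely empty value adds no search path at all.
    [ -n "$rest" ] || return 0
    while :; do
        case $rest in
            *:*) elem=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   elem=$rest; more=0 ;;
        esac
        case $elem in
            '')  echo '<empty>' ;;
            /*)  ;;  # absolute path: not tied to the current directory
            '$ORIGIN'*|'${ORIGIN}'*) ;;  # resolved relative to the binary
            *)   echo "$elem" ;;
        esac
        [ "$more" -eq 1 ] || break
    done
}

# Join an existing value ($1, may be empty) and a new directory ($2) without
# creating an empty element when $1 is empty.
ld_path_append() {
    printf '%s\n' "${1:+$1:}$2"
}

# Constructed sample: the caller's LD_LIBRARY_PATH is empty, as on most systems.
inherited=''
lib_dir='/snap/example/current/usr/lib'   # hypothetical snap library directory

weak="$inherited:$lib_dir"                # naive join leaves a leading ':'
fixed=$(ld_path_append "$inherited" "$lib_dir")

echo "weak : $weak -> unsafe: $(ld_path_unsafe_elements "$weak" | tr '\n' ' ')"
echo "fixed: $fixed -> unsafe: $(ld_path_unsafe_elements "$fixed" | tr '\n' ' ')"
```

The same function can be pointed at the LD_LIBRARY_PATH assignments found in a rebuilt snap's command wrappers to confirm that no empty or relative element remains.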

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
snapcraft 2.43.1+18.04.1

Ubuntu 16.04 LTS:
snapcraft 2.43.1+16.04.1

For users of the snap package, Snapcraft will automatically refresh
itself to Snapcraft 4.4.4 which is unaffected. For users of the deb
package, on Ubuntu 16.04 LTS and 18.04 LTS, please perform a standard
system update. In either case, once Snapcraft has been updated, you need
to rebuild any packages built with the affected Snapcraft.

References:
https://usn.ubuntu.com/4661-1
CVE-2020-27348, https://launchpad.net/bugs/1901572

Package Information:
https://launchpad.net/ubuntu/+source/snapcraft/2.43.1+18.04.1
https://launchpad.net/ubuntu/+source/snapcraft/2.43.1+16.04.1


Author: Bruno Varga
CERT ID: NCERT-REF-2020-12-0001-ADV
Source: Adobe