Snap is nightmare of Linux Security - dirty_sock exploit


#1

snapd serves up a REST API attached to a local UNIX_AF socket. Access control to restricted API functions is accomplished by querying the UID associated with any connections made to that socket. User-controlled socket peer data can be affected to overwrite a UID variable during string parsing in a for-loop. This allows any user to access any API function.

With access to the API, there are multiple methods to obtain root. The exploits linked above demonstrate two possibilities.
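The parsing flaw described in the first post, as an added Go example that is not part of the thread and is not snapd's own code. The credential string format, the sample values and the function names are assumptions made for illustration; the block contrasts a loop in which a later `uid=` token wins with a parser that reads the UID only from the position the daemon writes.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample (assumed format): daemon-written fields, then peer-derived text.
const daemonFields = "pid=4242;uid=1000;socket=/run/example.socket;"
const sampleAddr = daemonFields + "@peer;uid=0;"

func uidField(tok string) (uint32, error) {
	n, err := strconv.ParseUint(strings.TrimPrefix(tok, "uid="), 10, 32)
	return uint32(n), err
}

// parseUIDNaive visits every token, so a uid= in the peer-derived tail overwrites the daemon's value.
func parseUIDNaive(addr string) (uint32, error) {
	uid, found := uint32(0), false
	for _, tok := range strings.Split(addr, ";") {
		if strings.HasPrefix(tok, "uid=") {
			n, err := uidField(tok)
			if err != nil {
				return 0, err
			}
			uid, found = n, true
		}
	}
	if !found {
		return 0, errors.New("no uid field")
	}
	return uid, nil
}

// parseUIDStrict reads the uid only from its fixed position and never interprets the remainder.
func parseUIDStrict(addr string) (uint32, error) {
	p := strings.SplitN(addr, ";", 4)
	if len(p) < 4 || !strings.HasPrefix(p[0], "pid=") || !strings.HasPrefix(p[1], "uid=") || !strings.HasPrefix(p[2], "socket=") {
		return 0, errors.New("malformed credential string")
	}
	return uidField(p[1])
}

func main() {
	fmt.Println(parseUIDNaive(sampleAddr))  // 0 <nil>
	fmt.Println(parseUIDStrict(sampleAddr)) // 1000 <nil>
}
```

Keeping kernel-reported credentials in a typed structure, instead of serializing them into a string next to peer-supplied text, removes the need for this parsing altogether.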


#2

That’s why I don’t rate snap or flatpak. Both platforms are open to exploitation through malicious code being added to their respective application container files and also do nothing to prevent stale versions of applications which contain vulnerabilities that have not been patched.


#3

Current version of snapd package in Manjaro Stable is 2.37-1.0.

The Ubuntu documentation about it is really weird. It seems they say we need at least 2.37.1 of snapd installed on our system in order to be protected against this vulnerability. But they also seem to say that if the core snap is at 2.37.1, we are already protected, even if snapd provided by the distro is not at 2.37.1??

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing

Hum, that is a mess. I can’t tell if we are affected or not. My lack of knowledge about Snap packages (I just don’t use it personally) doesn’t really help to figure that out.

But anyway, the version on Manjaro is outdated, so it is due for an update.

I’ll request an update since it is packaged by Manjaro devs.

EDIT: Requested


#4

Protection / Remediation
Patch your system! The snapd team fixed this right away after my disclosure.

I’ve seen worse “nightmare” than this… :expressionless:


#5

I wouldn’t use either as I prefer to use official repositories of whatever distro I’m using. Steam doesn’t need it as they are doing just fine as Steam games just work on many different distros.


#6

Don’t use snaps or flatpaks and NEVER will. Nice idea I guess but it’s not for me or most other competent Linux users I would say.


#7

Universal packages are useless on rolling release distributions like Manjaro, Archlinux (and its family), or Gentoo and Funtoo.

It is only useful on fixed release ones in order to get fresher packages without waiting for the next major distribution release.


#8

I only found snaps helpful when the current AUR package is out of date, impossible to compile or broken somehow. Usually such situations are temporary, so most of the time AUR packages are better than snaps, but it’s sometimes good to have an alternative.

I agree, snaps and flatpaks most of the time make no sense on rolling systems, and moreover on Arch based systems, where we have a bigger abundance of software than anywhere else.


#9

Could theoretically be useful for the opposite reason: to be able to use applications that require older versions of libraries when the current ones in the distro are too new and not backward compatible with the ones required by the application.

It is a situation that could happen with proprietary software when upstream only supports some fixed release distros (like DaVinci Resolve that only supports CentOS officially).

I’ve never encountered such a situation in my personal use though. At worst, it uses “compat” packages so it can get the legacy software it needs to work correctly.

Outside of that, yeah, like michald said above, it could be useful sometimes when AUR fails for one reason or another. Fortunately for me, I never had to go for Snaps or Flatpaks because of that.