CVE-2017-14178

Published: 2 February 2018

In snapd 2.27 through 2.29.2 the 'snap logs' command could be made to call journalctl without match arguments and therefore allow unprivileged, unauthenticated users to bypass systemd-journald's access restrictions.

Notes

Author: jdstrand
Note: 2.29.3 upstream was released on 2017-11-27

Priority

Low

CVSS 3 base score: 7.5

Status

Package: snapd (Launchpad, Ubuntu, Debian)

Release: Status
artful: Released (2.29.4.2+17.10)
precise: Does not exist
trusty: Does not exist (trusty was released [2.29.4.2~14.04])
upstream: Released (2.29.3)
xenial: Released (2.29.4.2)
zesty: Released (2.29.4.2+17.04)

Patches:
Introduced by: https://github.com/snapcore/snapd/pull/3630
Fixed by: https://github.com/snapcore/snapd/pull/4194
break-fix: https://github.com/snapcore/snapd/pull/3630 https://github.com/snapcore/snapd/pull/4194
upstream: https://github.com/snapcore/snapd/pull/4196 (2.29)