USN-2956-1: ubuntu-core-launcher vulnerability
29 April 2016
ubuntu-core-launcher did not properly isolate snaps from one another.
- ubuntu-core-launcher - Snap application launcher
Zygmunt Krynicki discovered that ubuntu-core-launcher did not properly
sanitize its input and contained a logic error when determining the
mountpoint of bind mounts when using snaps on Ubuntu classic systems (eg,
traditional desktop and server). If a user were tricked into installing a
malicious snap with a crafted snap name, an attacker could perform a
delayed attack to steal data or execute code within the security context of
another snap. This issue did not affect Ubuntu Core systems.