[PATCH 4/4] overlord/snapmgr: Bump vulnerable snap version check

Backport of the following upstream patch:
From 2baff9272354bca07ae4d4256b8af0aae0d35a4a Mon Sep 17 00:00:00 2001

Backport of the following upstream patch:
From 2baff9272354bca07ae4d4256b8af0aae0d35a4a Mon Sep 17 00:00:00 2001
From: Alex Murray <alex.murray@canonical.com>
Date: Mon, 26 Sep 2022 16:34:48 +0930
Subject: [PATCH 4/4] overlord/snapmgr: Bump vulnerable snap version check

This should ensure that any older versions of snapd that are vulnerable to this
new CVE-2022-3328 are uninstalled on upgrade to the fixed version.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Name 0019-cve-2022-3328-3.patch

diff --git a/overlord/snapstate/snapmgr.go b/overlord/snapstate/snapmgr.go
index d7b8ff413dd5e31a2c144a83081a3198aa07e2ad..b452dd4082df1eee0dcd08855978454bc6071e02 100644 (file)
--- a/overlord/snapstate/snapmgr.go
+++ b/overlord/snapstate/snapmgr.go
@@ -579,7 +579,7 @@ func (m *SnapManager) EnsureAutoRefreshesAreDelayed(delay time.Duration) ([]*sta
 
 func (m *SnapManager) ensureVulnerableSnapRemoved(name string) error {
        var removedYet bool
-       key := fmt.Sprintf("%s-snap-cve-2021-44731-vuln-removed", name)
+       key := fmt.Sprintf("%s-snap-cve-2022-3328-vuln-removed", name)
        if err := m.state.Get(key, &removedYet); err != nil && err != state.ErrNoState {
                return err
        }
@@ -606,8 +606,8 @@ func (m *SnapManager) ensureVulnerableSnapRemoved(name string) error {
                if err != nil {
                        return err
                }
-               // res is < 0 if "ver" is lower than "2.54.3"
-               res, err := strutil.VersionCompare(ver, "2.54.3")
+               // res is < 0 if "ver" is lower than "2.57.6"
+               res, err := strutil.VersionCompare(ver, "2.57.6")
                if err != nil {
                        return err
                }
@@ -677,7 +677,7 @@ func (m *SnapManager) ensureVulnerableSnapConfineVersionsRemovedOnClassic() erro
 
        // we have to remove vulnerable versions of both the core and snapd snaps
        // only when we now have fixed versions installed / active
-       // the fixed version is 2.54.3, so if the version of the current core/snapd
+       // the fixed version is 2.57.6, so if the version of the current core/snapd
        // snap is that or higher, then we proceed (if we didn't already do this)
 
        if err := m.ensureVulnerableSnapRemoved("snapd"); err != nil {

diff --git a/overlord/snapstate/snapstate_test.go b/overlord/snapstate/snapstate_test.go
index 5eb8326f73e9ec8dd620a7eb30305ef646b08c04..63226e47c007643ae61803b2484035c828fec25f 100644 (file)
--- a/overlord/snapstate/snapstate_test.go
+++ b/overlord/snapstate/snapstate_test.go
@@ -2696,11 +2696,11 @@ func (s *snapmgrTestSuite) testEnsureRemovesVulnerableSnap(c *C, snapName string
        // make the currently installed snap info file fixed but an old version
        // vulnerable
        fixedInfoFile := `
-VERSION=2.54.3+git1.g479e745-dirty
+VERSION=2.57.6+git1.g479e745-dirty
 SNAPD_APPARMOR_REEXEC=0
 `
        vulnInfoFile := `
-VERSION=2.54.2+git1.g479e745-dirty
+VERSION=2.57.5+git1.g479e745-dirty
 SNAPD_APPARMOR_REEXEC=0
 `
 
@@ -2781,7 +2781,7 @@ SNAPD_APPARMOR_REEXEC=0
 
        // and we set the appropriate key in the state
        var removeDone bool
-       st.Get(snapName+"-snap-cve-2021-44731-vuln-removed", &removeDone)
+       st.Get(snapName+"-snap-cve-2022-3328-vuln-removed", &removeDone)
        c.Assert(removeDone, Equals, true)
 }
 
@@ -2864,7 +2864,7 @@ func (s *snapmgrTestSuite) TestEnsureSkipsCheckingBothCoreAndSnapdSnapsInfoFileW
        c.Assert(ensureErr, ErrorMatches, fmt.Sprintf(`cannot open snapd info file "%s".*`, infoFileFor("snapd")))
 
        st.Lock()
-       st.Set("snapd-snap-cve-2021-44731-vuln-removed", true)
+       st.Set("snapd-snap-cve-2022-3328-vuln-removed", true)
        st.Unlock()
 
        // still unhappy about core file missing
@@ -2873,7 +2873,7 @@ func (s *snapmgrTestSuite) TestEnsureSkipsCheckingBothCoreAndSnapdSnapsInfoFileW
 
        // but with core state flag set too, we are now happy
        st.Lock()
-       st.Set("core-snap-cve-2021-44731-vuln-removed", true)
+       st.Set("core-snap-cve-2022-3328-vuln-removed", true)
        st.Unlock()
 
        ensureErr = s.snapmgr.Ensure()
@@ -2899,7 +2899,7 @@ func (s *snapmgrTestSuite) testEnsureSkipsCheckingSnapdInfoFileWhenStateSet(c *C
        // now it should stop trying to check if state says so
        st := s.state
        st.Lock()
-       st.Set(snapName+"-snap-cve-2021-44731-vuln-removed", true)
+       st.Set(snapName+"-snap-cve-2022-3328-vuln-removed", true)
        st.Unlock()
 
        ensureErr = s.snapmgr.Ensure()