From 99bfc5b89112e303442bc38a746297934b4955af Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Mon, 26 Sep 2022 16:34:48 +0930 Subject: [PATCH] [PATCH 4/4] overlord/snapmgr: Bump vulnerable snap version check Backport of the following upstream patch: From 2baff9272354bca07ae4d4256b8af0aae0d35a4a Mon Sep 17 00:00:00 2001 Backport of the following upstream patch: From 2baff9272354bca07ae4d4256b8af0aae0d35a4a Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Mon, 26 Sep 2022 16:34:48 +0930 Subject: [PATCH 4/4] overlord/snapmgr: Bump vulnerable snap version check This should ensure that any older versions of snapd that are vulnerable to this new CVE-2022-3328 are uninstalled on upgrade to the fixed version. Signed-off-by: Alex Murray Gbp-Pq: Name 0019-cve-2022-3328-3.patch --- overlord/snapstate/snapmgr.go | 8 ++++---- overlord/snapstate/snapstate_test.go | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/overlord/snapstate/snapmgr.go b/overlord/snapstate/snapmgr.go index d7b8ff41..b452dd40 100644 --- a/overlord/snapstate/snapmgr.go +++ b/overlord/snapstate/snapmgr.go @@ -579,7 +579,7 @@ func (m *SnapManager) EnsureAutoRefreshesAreDelayed(delay time.Duration) ([]*sta func (m *SnapManager) ensureVulnerableSnapRemoved(name string) error { var removedYet bool - key := fmt.Sprintf("%s-snap-cve-2021-44731-vuln-removed", name) + key := fmt.Sprintf("%s-snap-cve-2022-3328-vuln-removed", name) if err := m.state.Get(key, &removedYet); err != nil && err != state.ErrNoState { return err } @@ -606,8 +606,8 @@ func (m *SnapManager) ensureVulnerableSnapRemoved(name string) error { if err != nil { return err } - // res is < 0 if "ver" is lower than "2.54.3" - res, err := strutil.VersionCompare(ver, "2.54.3") + // res is < 0 if "ver" is lower than "2.57.6" + res, err := strutil.VersionCompare(ver, "2.57.6") if err != nil { return err } @@ -677,7 +677,7 @@ func (m *SnapManager) ensureVulnerableSnapConfineVersionsRemovedOnClassic() erro // we have to remove vulnerable versions of both the core and snapd snaps // only when we now have fixed versions installed / active - // the fixed version is 2.54.3, so if the version of the current core/snapd + // the fixed version is 2.57.6, so if the version of the current core/snapd // snap is that or higher, then we proceed (if we didn't already do this) if err := m.ensureVulnerableSnapRemoved("snapd"); err != nil { diff --git a/overlord/snapstate/snapstate_test.go b/overlord/snapstate/snapstate_test.go index 5eb8326f..63226e47 100644 --- a/overlord/snapstate/snapstate_test.go +++ b/overlord/snapstate/snapstate_test.go @@ -2696,11 +2696,11 @@ func (s *snapmgrTestSuite) testEnsureRemovesVulnerableSnap(c *C, snapName string // make the currently installed snap info file fixed but an old version // vulnerable fixedInfoFile := ` -VERSION=2.54.3+git1.g479e745-dirty +VERSION=2.57.6+git1.g479e745-dirty SNAPD_APPARMOR_REEXEC=0 ` vulnInfoFile := ` -VERSION=2.54.2+git1.g479e745-dirty +VERSION=2.57.5+git1.g479e745-dirty SNAPD_APPARMOR_REEXEC=0 ` @@ -2781,7 +2781,7 @@ SNAPD_APPARMOR_REEXEC=0 // and we set the appropriate key in the state var removeDone bool - st.Get(snapName+"-snap-cve-2021-44731-vuln-removed", &removeDone) + st.Get(snapName+"-snap-cve-2022-3328-vuln-removed", &removeDone) c.Assert(removeDone, Equals, true) } @@ -2864,7 +2864,7 @@ func (s *snapmgrTestSuite) TestEnsureSkipsCheckingBothCoreAndSnapdSnapsInfoFileW c.Assert(ensureErr, ErrorMatches, fmt.Sprintf(`cannot open snapd info file "%s".*`, infoFileFor("snapd"))) st.Lock() - st.Set("snapd-snap-cve-2021-44731-vuln-removed", true) + st.Set("snapd-snap-cve-2022-3328-vuln-removed", true) st.Unlock() // still unhappy about core file missing @@ -2873,7 +2873,7 @@ func (s *snapmgrTestSuite) TestEnsureSkipsCheckingBothCoreAndSnapdSnapsInfoFileW // but with core state flag set too, we are now happy st.Lock() - st.Set("core-snap-cve-2021-44731-vuln-removed", true) + st.Set("core-snap-cve-2022-3328-vuln-removed", true) st.Unlock() ensureErr = s.snapmgr.Ensure() @@ -2899,7 +2899,7 @@ func (s *snapmgrTestSuite) testEnsureSkipsCheckingSnapdInfoFileWhenStateSet(c *C // now it should stop trying to check if state says so st := s.state st.Lock() - st.Set(snapName+"-snap-cve-2021-44731-vuln-removed", true) + st.Set(snapName+"-snap-cve-2022-3328-vuln-removed", true) st.Unlock() ensureErr = s.snapmgr.Ensure() -- 2.30.2