Candidate: CVE-2017-10600
CRD:
PublicDate: 2017-07-11 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10600
 https://github.com/CanonicalLtd/ubuntu-image/pull/135
 https://forum.snapcraft.io/t/ownership-bug-in-ubuntu-image/1285/1
Description:
 ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories.
Ubuntu-Description:
 ubuntu-image 1.0 when invoked as non-root on systems with e2fsprogs >= 1.43 creates file permissions in the resulting image with the UID of the invoking user. When the resulting image is booted, a local attacker with the same UID as the image creator can alter installed snap packages and signatures to downgrade or potentially replace snap packages.
Notes:
 jdstrand> this issue only affects Ubuntu Core and not snapd on Ubuntu classic
 jdstrand> while snapd is not affected, an updated snapd will attempt to correct permissions on refresh. Because this only affects Ubuntu Core, that update will happen via the snap store and not included as a separate security update for the Ubuntu archive.
 jdstrand> Ubuntu 16.04 LTS has e2fsprogs 1.42.13
Bugs:
Priority: high
Discovered-by:
Assigned-to: jdstrand
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L [5.9 MEDIUM]

Priority_ubuntu-image_xenial: negligible

Patches_ubuntu-image:
 upstream: https://github.com/CanonicalLtd/ubuntu-image/pull/135
upstream_ubuntu-image: released (1.1)
precise/esm_ubuntu-image: DNE
trusty_ubuntu-image: DNE
trusty/esm_ubuntu-image: DNE
vivid/ubuntu-core_ubuntu-image: DNE
xenial_ubuntu-image: ignored
esm-infra/xenial_ubuntu-image: ignored
yakkety_ubuntu-image: released (1.0+16.10ubuntu1.1)
zesty_ubuntu-image: released (1.0+17.04ubuntu1.1)
devel_ubuntu-image: released (1.1+17.10ubuntu1)