CVE-2019-7304

Priority
Description
snapd 2.28 through 2.37 incorrectly validated and parsed the remote socket
address when performing access controls on its UNIX socket. A local attacker
could use this to access privileged socket APIs and obtain administrator
privileges.
Notes
 jdstrand> introduced in https://github.com/snapcore/snapd/pull/4626
 jdstrand> original CRD was 2019-02-06 16:00:00 UTC but delayed due to delayed
  Fedora update
Assigned-to
jdstrand
Package
Source: snapd (LP Ubuntu Debian)
Upstream: released (2.37.1-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): released (2.34.2~14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.34.2ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.34.2+18.04.1)
Ubuntu 18.10 (Cosmic Cuttlefish): released (2.35.5+18.10.1)
Ubuntu 19.04 (Disco Dingo): not-affected (2.37.2+19.04)

Updated: 2019-03-19 12:31:19 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)