** Changed in: content-hub (Ubuntu Vivid)
Importance: Undecided => Critical
** Changed in: content-hub (Ubuntu Vivid)
Status: New => In Progress
** Changed in: content-hub (Ubuntu Vivid)
Assignee: (unassigned) => Ken VanDine (ken-vandine)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to content-hub in Ubuntu.
https://bugs.launchpad.net/bugs/1456628
Title:
DBUS API doesn't prevent confined apps from passing paths to files
without access
Status in content-hub package in Ubuntu:
Fix Released
Status in content-hub source package in Vivid:
Fix Released
Bug description:
The DBUS API only requires a file path for a content item, it doesn't
actually require the confined app have access to the file to create a
transfer. This could allow a malicious application using the DBUS API
to export file:///etc/passwd which would then send a copy of that file
to another app.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/content-hub/+bug/1456628/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
