control: tags -1 +patch

I've tried to fix only CVE-2019-11502 as a challenge. The debdiff patch is added.
I hope it will help to fix.
diff -Nru snapd-2.37.4/debian/changelog snapd-2.37.4/debian/changelog --- snapd-2.37.4/debian/changelog 2019-03-01 02:21:26.000000000 +0900 +++ snapd-2.37.4/debian/changelog 2019-06-09 13:49:16.000000000 +0900 @@ -1,3 +1,12 @@ +snapd (2.37.4-1.1) unstable; urgency=medium + + [ Kentaro Hayashi ] + * Non-maintainer upload. + * d/patches/CVE-2019-11502.patch: fix unintended access to a private /tmp + directory. (Closes: #928052) + + -- Kentaro Hayashi <haya...@clear-code.com> Sun, 09 Jun 2019 13:49:16 +0900 + snapd (2.37.4-1) unstable; urgency=medium * New upstream release diff -Nru snapd-2.37.4/debian/patches/CVE-2019-11502.patch snapd-2.37.4/debian/patches/CVE-2019-11502.patch --- snapd-2.37.4/debian/patches/CVE-2019-11502.patch 1970-01-01 09:00:00.000000000 +0900 +++ snapd-2.37.4/debian/patches/CVE-2019-11502.patch 2019-06-09 13:49:16.000000000 +0900 
@@ -0,0 +1,58 @@ +From bdbfeebef03245176ae0dc323392bb0522a339b1 Mon Sep 17 00:00:00 2001 +From: Zygmunt Krynicki <zygmunt.kryni...@canonical.com> +Date: Mon, 4 Mar 2019 18:40:11 +0100 +Subject: [PATCH] cmd/snap-confine: chown private /tmp parent to root.root +Origin: https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 +Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928052 +Forwarded: not-needed + +When snap-confine creates a private /tmp directory for a given snap it +first creates a temporary directory in /tmp/ named after the snap, along +with a random name. Inside that directory it creates a /tmp directory +with permissions appropriate for a future /tmp, namely 1777. + +Up until recently the that directory was owned by the user who first +invoked snap-confine. Since the directory is reused by all the users on +the system this logic makes no sense. + +This patch changes the related logic so that the private /tmp directory +is owned by root, just like the real one. + +Signed-off-by: Zygmunt Krynicki <zygmunt.kryni...@canonical.com> + +Drop this patch when this package is upgraded to 2.38 or newer version. 
+This patch includes two commit: + +* https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 +* https://github.com/snapcore/snapd/commit/1d7b5d8bea96139d3d9b301e6c06534d8fc95eff + +--- a/cmd/snap-confine/mount-support.c ++++ b/cmd/snap-confine/mount-support.c +@@ -62,8 +62,6 @@ + // TODO: fold this into bootstrap + static void setup_private_mount(const char *snap_name) + { +- uid_t uid = getuid(); +- gid_t gid = getgid(); + char tmpdir[MAX_BUF] = { 0 }; + + // Create a 0700 base directory, this is the base dir that is +@@ -71,8 +69,7 @@ + // + // Under that basedir, we put a 1777 /tmp dir that is then bind + // mounted for the applications to use +- sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%d_%s_XXXXXX", uid, +- snap_name); ++ sc_must_snprintf(tmpdir, sizeof(tmpdir), "/tmp/snap.%s_XXXXXX", snap_name); + if (mkdtemp(tmpdir) == NULL) { + die("cannot create temporary directory essential for private /tmp"); + } +@@ -99,7 +96,7 @@ + // MS_PRIVATE needs linux > 2.6.11 + sc_do_mount("none", "/tmp", NULL, MS_PRIVATE, NULL); + // do the chown after the bind mount to avoid potential shenanigans +- if (chown("/tmp/", uid, gid) < 0) { ++ if (chown("/tmp/", 0, 0) < 0) { + die("cannot change ownership of /tmp"); + } + // chdir to original directory diff -Nru snapd-2.37.4/debian/patches/series snapd-2.37.4/debian/patches/series --- snapd-2.37.4/debian/patches/series 2019-03-01 02:21:26.000000000 +0900 +++ snapd-2.37.4/debian/patches/series 2019-06-09 13:43:42.000000000 +0900 @@ -6,3 +6,4 @@ 0006-systemd-disable-snapfuse-system.patch 0007-i18n-use-dummy-localizations-to-avoid-dependencies.patch 0010-man-page-sections.patch +CVE-2019-11502.patch
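Review bot: In the header of debian/patches/CVE-2019-11502.patch, the Origin field names only commit bdbfeebef03245176ae0dc323392bb0522a339b1, while the text further down says the patch includes two commits and also lists 1d7b5d8bea96139d3d9b301e6c06534d8fc95eff. List both commits under Origin, or say which hunk comes from which commit, so the patch can be compared against upstream. The paragraph "Drop this patch when this package is upgraded to 2.38 or newer version." also sits directly after the Signed-off-by line, where it reads as part of the upstream commit message; separating the packaging remarks from the upstream text would make clear who wrote what. "two commit" should read "two commits".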
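Review bot: The first mount-support.c hunk removes the uid and gid locals from setup_private_mount, but only two of their uses are visible in the later hunks (the sc_must_snprintf template and the chown call), and the lines between the hunks are not shown. Please confirm that nothing else in the function still refers to uid or gid and that the package builds with the patch applied. In the last hunk, chown("/tmp/", 0, 0) would be easier to read with a short comment saying that root.root ownership is intentional because the directory is shared by all users, as the commit message explains.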
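Review bot: In debian/patches/series the new entry is named CVE-2019-11502.patch, while the existing entries visible in the context carry a numeric prefix, for example 0010-man-page-sections.patch. If the package follows that numbering, give the new patch the next number and a descriptive name; if the prefix is not a convention here, the entry is fine as it is.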