Snap publishers periodically receive emails from the store listing stage-packages that their snap revisions were built with that are now out of date and can be updated to resolve Ubuntu Security Notices (USNs), which are associated with CVEs.
However, anyone can perform this same check and see which packages a snap was built with that have USNs associated with them, provided two things:
- They have access to the snap file (either through `snap download` from the store, or possibly from their own machine).
- The snap file was built with a manifest.yaml. snapcraft produces this by default when the snap is built in Launchpad or on snapcraft.io/build, or via the GitHub Action for snapcraft; otherwise it is produced if the snapcraft option `--enable-manifest` is specified, or if the environment variable `SNAPCRAFT_BUILD_INFO=1` is defined when snapcraft is run to build the snap.
To check the USNs for a snap, install the review-tools snap, which provides the `check-notices` command for this purpose; it produces JSON output. For example:
$ review-tools.check-notices somesnap_80.snap
{
  "somesnap": {
    "80": {
      "libglib2.0-0": [
        "4759-1",
        "4764-1"
      ],
      "libtiff5": [
        "4755-1"
      ]
    }
  }
}
The numbers listed are USN numbers; information about each can be found at http://ubuntu.com/security/notices/ (or directly by USN number, e.g. http://ubuntu.com/security/notices/USN-4759-1 for the libglib2.0-0 package in the example above).
Database prefetch
If you are doing this at the same time for multiple snaps, you can pre-fetch and cache the USN database that is used for this:
$ cd $HOME/snap/review-tools/common
$ review-tools.fetch-usn-db database.json.bz2
And then use `check-notices` with the `--no-fetch` argument:
$ review-tools.check-notices --no-fetch somesnap_80.snap
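When running `check-notices` over many snaps (typically with a prefetched database and `--no-fetch`), the per-snap JSON documents are more useful merged into one summary with the notice URLs filled in. The following Python script is an added example, not part of the review-tools project or this page: it parses the JSON shape shown above, merges several outputs, groups the USNs per snap revision, and builds the notice URL for each one. The sample outputs embedded in it are constructed (the first copies the page's example, the second is an invented snap), and `othersnap` and revision `12` are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample inputs: the page's example output, plus an invented
# second snap so the merge step is exercised. In practice each element would
# be the stdout of one `review-tools.check-notices --no-fetch <file>.snap` run.
SAMPLE_OUTPUTS = [
    """{
  "somesnap": {
    "80": {
      "libglib2.0-0": ["4759-1", "4764-1"],
      "libtiff5": ["4755-1"]
    }
  }
}""",
    """{
  "othersnap": {
    "12": {
      "libglib2.0-0": ["4759-1"]
    }
  }
}""",
]

NOTICE_BASE = "https://ubuntu.com/security/notices/USN-"


def usn_url(usn):
    """Public notice URL for a USN number such as '4759-1'."""
    return NOTICE_BASE + usn


def parse_notices(json_text):
    """Flatten one check-notices document into (snap, revision, package, usn) rows.

    The document is nested snap -> revision -> package -> [usn, ...]; an empty
    object (a snap with no outstanding notices) simply yields no rows.
    """
    data = json.loads(json_text)
    rows = []
    for snap, revisions in data.items():
        for revision, packages in revisions.items():
            for package, usns in packages.items():
                for usn in usns:
                    rows.append((snap, revision, package, usn))
    return rows


def merge_outputs(json_texts):
    """Concatenate the rows from several check-notices outputs."""
    rows = []
    for text in json_texts:
        rows.extend(parse_notices(text))
    return rows


def summarize(rows):
    """Group rows per (snap, revision): each distinct USN -> sorted list of packages."""
    grouped = defaultdict(lambda: defaultdict(set))
    for snap, revision, package, usn in rows:
        grouped[(snap, revision)][usn].add(package)
    return {
        key: {usn: sorted(pkgs) for usn, pkgs in usns.items()}
        for key, usns in grouped.items()
    }


def report(json_texts):
    """Human-readable summary: one header line per snap revision, one line per USN."""
    summary = summarize(merge_outputs(json_texts))
    lines = []
    for (snap, revision), usns in sorted(summary.items()):
        lines.append(f"{snap} r{revision}: {len(usns)} USN(s)")
        for usn in sorted(usns):
            lines.append(f"  USN-{usn}  {', '.join(usns[usn])}  {usn_url(usn)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUTS))
```

The summary counts distinct USNs rather than package entries, so a notice that covers several packages in one snap is listed once with all affected packages beside it; this matches how the page's example output should be read, where the three USN numbers for somesnap revision 80 are the items to review.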
Note
The fact that a snap was built with, or includes, a package that had a USN issued for it does not automatically mean that the snap is vulnerable. The vulnerable part of the package may not actually be used by the snap, or snap confinement may protect the snap from being attacked and abused in the way an attacker exploiting the vulnerability could with traditional unconfined Linux packages.