Notified of dependency vulnerability, but dependency not installed in Snap

I received a USN last night warning that my snap has rsync vulnerabilities. However, I can’t verify that my snap has it.

I ran snap run --shell ... and didn’t see rsync. My dependency list in the snapcraft.yaml file also doesn’t have rsync. I did build the snap with an Ubuntu that had the old rsync installed, but I don’t see any trace of it in my snap.

Am I still vulnerable? Is there another way I can check that I’m vulnerable?

EDIT: how can I tell that this vulnerability is real and not just appearing as metadata in the manifest.yaml file from when we built the snap?

For reference, here are the CVEs:

CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843

You can look in /snap/<name>/current/snap/manifest.yaml. You will probably notice it is listed in stage-packages somewhere.

You’re right. It’s in the manifest.yaml and dpkg.list file of the same folder.

Do you have an idea as to why the manifest would have it but I wouldn’t be able to see it in the shell?

EDIT

Sorry for the confusion, but the snapcraft.yaml file I was looking at was not the one that was used to build the snap with the security issue.

Let me reword my question: how can I tell that this vulnerability is real and not just appearing as metadata in the manifest.yaml file from when we built the snap?

@zjoseal Can you share your snap and manifest.yaml?

I’m not allowed to, sorry.

If you’re using the Build Service at build.snapcraft.io or the Launchpad Builders at launchpad.net then the manifest.yaml will be accurate for the stage-packages that were actually staged into your snap. It might be that you remove some of the files after this step such as with the stage or prime keywords, but the manifest will still report the packages that provided those files as included.

@zjoseal: can you check if your manifest sets primed-stage-packages and if that list also includes the package in question?

Note, evaluating this in the notification service is planned but not yet implemented. It is for this cycle.

@jdstrand Thanks for the update, I wasn’t sure!

@zjoseal If the package is in stage-packages but not in primed-stage-packages, it is because snapcraft recently started tracking that you have included a stage package (or dependency) as part of the build, but did not ship it in the final snap. Eventually, as @jdstrand indicated, the notifications should be restricted to the packages detected as having been shipped in the snap (primed-stage-packages).

If the package in question is still listed in primed-stage-packages but was not shipped in the snap, please do let us know!

Have a great day!

Hmmm. The rsync package is only under stage-packages, but I couldn’t find a primed-stage-packages string anywhere in the manifest.yaml. How should I interpret this? Does this mean that none of my packages were shipped in the final snap?

Oh wait, I see -* under rootfs-stage-packages:. Does this mean that all of the stage-packages are under the primed-stage-packages?

  rootfs-stage-packages:
    build-packages: []
    installed-packages: []
    installed-snaps: []
    plugin: nil
    prime:
    - -*
    source: empty-kthxbai
    stage: []
    stage-packages:

Which version of snapcraft are you running?

I was thinking that the primed-stage-packages feature was in the snapcraft version that is published to the stable channel (v3.9), but it is not. It is available in candidate (v3.10) or edge. Sorry about the confusion!

@cjp256 (cc @sergiusens, @jdstrand) FYI the notification service is now evaluating the primed-stage-packages section if present in the snap manifest.yaml. For compatibility, it is still inspecting stage-packages whenever primed-stage-packages does not exist at all.

@zjoseal from now on, you should not receive this type of notification for packages that are not eventually present in your snap.

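As an added example (not code from the thread or from snapcraft), here is a small Python script that applies the rule jdstrand describes: evaluate primed-stage-packages when the key exists, otherwise fall back to stage-packages. It assumes the manifest lists staged packages as `name=version` entries under top-level keys; the manifest text below is constructed, not taken from a real snap.

```python
# Added example: decide whether a package flagged by a USN was actually shipped
# in a snap, from /snap/<name>/current/snap/manifest.yaml. Only top-level lists
# are read; per-part lists under "parts:" are skipped because a package staged
# there may later be pruned by stage/prime filters (e.g. "- -*").
from typing import Dict, List, Optional

# Constructed manifest excerpt (assumption: entries are "name=version").
SAMPLE_MANIFEST = """\
name: example-snap
version: '1.0'
stage-packages:
- libc6=2.27-3ubuntu1
- rsync=3.1.2-2.1ubuntu1
primed-stage-packages:
- libc6=2.27-3ubuntu1
parts:
  rootfs-stage-packages:
    stage-packages: []
"""


def top_level_lists(manifest: str) -> Dict[str, List[str]]:
    """Collect '- item' entries under each unindented key; ignore nested maps."""
    lists: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in manifest.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0 and not stripped.startswith("- "):
            current = stripped.split(":", 1)[0]      # new top-level key
            lists.setdefault(current, [])
        elif stripped.startswith("- ") and indent <= 2 and current is not None:
            lists[current].append(stripped[2:].strip())
        else:
            current = None                            # inside a nested mapping
    return lists


def package_name(entry: str) -> str:
    """'rsync=3.1.2-2.1ubuntu1' -> 'rsync'; entries without '=' pass through."""
    return entry.split("=", 1)[0]


def shipped_packages(manifest: str) -> List[str]:
    """primed-stage-packages if present (snapcraft 3.10+), else stage-packages."""
    lists = top_level_lists(manifest)
    key = "primed-stage-packages" if "primed-stage-packages" in lists else "stage-packages"
    return sorted({package_name(e) for e in lists.get(key, [])})


def is_shipped(manifest: str, package: str) -> bool:
    return package in shipped_packages(manifest)
```

For a manifest without primed-stage-packages (snapcraft 3.9 and earlier), the script reports every stage-package as shipped, which is exactly the over-reporting the notification service had before the fix described above.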