Suggestion: Verified Publishers

It would be good to have verified publisher accounts, held by publishers who have a track record of providing secure snaps and have a high trust rating, so that users can further determine who can be trusted on this platform.

I suggest this because exploitation of Snaps is still plausible, and the examples are recent:

  • CVE-2024-1724 (July 2024): A flaw in Snap's handling of the $HOME/bin directory allowed malicious snaps with the 'home' permission to escape the sandbox and execute arbitrary code. This vulnerability was patched promptly. Source: GLD

  • CVE-2024-29068 and CVE-2024-29069 (August 2024): Discovered by Zeyad Gouda, these vulnerabilities involved improper validation during snap extraction. Malicious snaps could cause denial of service or unauthorized data writes, potentially exposing sensitive information. Updates were released to address these issues. Source: Ubuntu

  • CVE-2023-1523 (May 2023): A flaw in the Snap sandbox allowed strict mode snaps to inject commands into the controlling terminal, leading to arbitrary command execution outside the sandbox. This issue was mitigated in subsequent updates. Source: Ubuntu

  • CVE-2021-44731 (February 2022): A local privilege escalation vulnerability in snap-confine permitted unprivileged users to gain root access. This critical flaw was patched following its discovery. Source: Qualys Blog

  • CVE-2021-3155 and CVE-2021-4120 (February 2022): These vulnerabilities involved improper permission management and validation in Snap, potentially exposing sensitive information and allowing policy rule injection. They were addressed in updates released at that time.

For fairness, below I have listed similar issues in Flatpak, which just goes to show that none of these systems is completely impervious to attackers currently.

  • CVE-2024-32462 (April 2024): A sandbox escape vulnerability where a malicious Flatpak application could execute arbitrary code outside its sandbox by exploiting the --command argument. This issue was addressed in Flatpak versions 1.10.9, 1.12.9, 1.14.6, and 1.15.8. Source: NVD

  • CVE-2024-42472 (August 2024): A flaw allowing a malicious Flatpak application using persistent directories to access and write files outside its intended scope, compromising system integrity and confidentiality. This vulnerability was fixed in Flatpak versions 1.14.10 and 1.15.10. Source: NVD

  • USN-7046-1 (September 2024): A security notice from Ubuntu highlighting vulnerabilities in Flatpak and Bubblewrap that could allow unauthorized file access. Users were advised to update to the latest versions to mitigate these risks. Source: Ubuntu

  • RHSA-2024:3961 (June 2024): A Red Hat security advisory addressing a sandbox escape vulnerability in Flatpak, urging users to apply the provided updates to secure their systems. Source: Red Hat Access

  • RHSA-2024:3980 (June 2024): Another Red Hat advisory concerning a sandbox escape via the RequestBackground portal, recommending updates to Flatpak to resolve the issue. Source: Red Hat Access

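The Flatpak entries above name the releases that carry the fixes, so the practical follow-up for a user is to compare the installed version against them. The script below is an added example, not part of the post or of the Flatpak project; it assumes the version string comes from `flatpak --version` (which prints a line like `Flatpak 1.14.4`) or is typed in bare, and it takes the fixed versions for CVE-2024-32462 and CVE-2024-42472 verbatim from the list above. Branch handling is an assumption of this example: a 1.x branch newer than every listed fix is treated as released after the fix, and an older branch with no listed fix is treated as vulnerable.

```python
"""Compare an installed Flatpak version against the fixed releases quoted in
the post for CVE-2024-32462 and CVE-2024-42472.

Added example, not part of the forum post. The fixed-version lists are taken
from the post; the version string is assumed to be `flatpak --version` output
(e.g. "Flatpak 1.14.4") or a bare "1.14.4".
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases quoted in the post, one per maintained 1.x branch.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "CVE-2024-32462": ["1.10.9", "1.12.9", "1.14.6", "1.15.8"],
    "CVE-2024-42472": ["1.14.10", "1.15.10"],
}


def parse_version(text: str) -> Version:
    """Turn 'Flatpak 1.14.4' or '1.14.4' into a comparable tuple (1, 14, 4).

    Only the leading digits of each dotted component are used, so a packaging
    suffix such as '1.15.10-1' still parses.
    """
    token = text.strip().split()[-1]
    parts = []
    for part in token.split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def fix_for_branch(installed: Version, fixes: List[Version]) -> Optional[Version]:
    """Return the fixed release on the installed major.minor branch, if listed."""
    for fix in fixes:
        if fix[:2] == installed[:2]:
            return fix
    return None


def assess(installed_text: str, cve: str) -> str:
    """Classify an installed version as 'patched' or 'vulnerable' for one CVE.

    Assumption of this example for branches with no listed fix: a branch newer
    than every listed fix was cut after the fix landed and counts as patched;
    an older branch has no known fixed release and counts as vulnerable.
    """
    installed = parse_version(installed_text)
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS[cve])
    fix = fix_for_branch(installed, fixes)
    if fix is not None:
        return "patched" if installed >= fix else "vulnerable"
    if installed[:2] > fixes[-1][:2]:
        return "patched"
    return "vulnerable"


def report(installed_text: str) -> Dict[str, str]:
    """Assess the installed version against every CVE in FIXED_VERSIONS."""
    return {cve: assess(installed_text, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    import subprocess

    try:
        version_line = subprocess.run(
            ["flatpak", "--version"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Constructed sample input used when flatpak is not installed here.
        version_line = "Flatpak 1.14.4"
    for cve, status in report(version_line).items():
        print(f"{version_line.strip()}: {cve} -> {status}")
```

Treat the result as a heuristic rather than a verdict: distributions commonly backport fixes without bumping the upstream version (the USN-7046-1 entry above is exactly that kind of distro-level advisory), so a version that this script flags as vulnerable may already carry the patch, and the distribution's own advisory is the authoritative source for what is installed.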

I have moved this to the store category since it has nothing to do with the snapcraft tool or with building snaps …