CVE-2024-29069

Name of the Vulnerable Software and Affected Versions snapd versions prior to 2.62

Description The issue is related to the improper checking of symbolic link destinations when extracting a snap. This could allow an attacker to convince a user to install a malicious snap, which in turn could cause snapd to write out the contents of the symbolic link destination into a world-readable directory. As a result, an unprivileged user could gain access to privileged information. The snap format is a squashfs file-system image that can contain symbolic links and other file types. Various file entries within the snap squashfs image, such as icons and desktop files, are directly read by snapd when it is extracted.

Recommendations To resolve the issue, update to version 2.62 or later. As a temporary workaround, consider restricting the installation of snaps from untrusted sources to minimize the risk of exploitation. Avoid using snaps that contain symbolic links at paths that could be used to write out the contents of the symbolic link destination into a world-readable directory.