360: Oh Snap! Command Not Found vulnerability found

Originally published at: https://tuxdigital.com/podcasts/destination-linux/dl-360/

When I read the aquasec article, it doesn’t sound like they are talking about either the apt command or apt-get and friends. To me it sounds like they are saying that within the command-not-found database that 26% of the apt packages listed don’t have a corresponding snap package that either exists or is claimed by someone.

They are saying that for those cases, the door is open for someone to upload a malicious snap package that has the same name as a deb package.
