Comment 14 for bug 1657357

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 0.6.11-1ubuntu0.16.10.0

---------------
flatpak (0.6.11-1ubuntu0.16.10.0) yakkety-security; urgency=medium

  * SECURITY UPDATE: bubblewrap escape via TIOCSTI ioctl (LP: #1657357)
    - Fixed in d/p/Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch:
      Add patch from upstream 0.8.1 to prevent contained apps from using
      TIOCSTI ioctl. This would let the app inject commands into the
      terminal from which it was invoked. Prevent the attack here
      by using seccomp to filter out TIOCSTI ioctl.
    - CVE-2017-5226
  * SECURITY UPDATE: Prevent writing to per-user installed fonts and
    Flatpak extensions (typically locales)
    - Fixed in d/p/Make-sure-all-mounted-sources-are-read-only.patch:
      Add patch from upstream 0.8.2

 -- Jeremy Bicha <email address hidden> Sat, 28 Jan 2017 06:00:41 -0500