This bug was fixed in the package bubblewrap - 0.1.7-0ubuntu0.16.10.1

---------------
bubblewrap (0.1.7-0ubuntu0.16.10.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: bubblewrap escape via TIOCSTI ioctl (LP: #1657357)
    - Fixed in new upstream release 0.1.7 by adding --new-session
      option that uses setsid() before executing sandboxed code.
      Users of bubblewrap to confine untrusted programs should either
      add --new-session to the bwrap command line, or prevent the
      TIOCSTI ioctl with a seccomp filter instead (as Flatpak does).
    - New upstream release also adds --unshare-all option to easily
      sandbox all namespaces. A --share-net option can be used with
      --unshare-all to retain the network namespace.
    - CVE-2017-5226
  * debian/bubblewrap.examples: install upstream examples

 -- Jeremy Bicha <email address hidden>  Thu, 19 Jan 2017 21:31:11 -0500
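The seccomp alternative the changelog mentions, as an added example that is not bubblewrap's or Flatpak's own code: a raw seccomp-BPF program that makes ioctl(..., TIOCSTI, ...) fail with EPERM while allowing every other syscall, plus a tiny interpreter so the policy can be checked without installing it. It assumes Linux on x86-64 (AUDIT_ARCH_X86_64); decide() and install_tiocsti_filter() are names chosen here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Raw seccomp-BPF program: ioctl(fd, TIOCSTI, ...) fails with EPERM,
 * every other syscall is allowed. Same effect as Flatpak's libseccomp rule. */
static struct sock_filter tiocsti_filter[] = {
    /* Assumed x86-64: refuse other arches, whose syscall numbers differ. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
    /* The low 32 bits of the request code (args[1]) are enough to match. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof tiocsti_filter / sizeof tiocsti_filter[0])

/* Minimal interpreter for the cBPF subset used above (LD|ABS, JEQ|K, RET|K),
 * so the policy can be exercised without installing it in this process. */
uint32_t decide(uint32_t arch, int nr, uint64_t request) {
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { 0, request } };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &tiocsti_filter[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:  memcpy(&acc, (const char *)&d + in->k, sizeof acc); break;
        case BPF_JMP: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET: return in->k;
        }
    }
    return SECCOMP_RET_KILL; /* not reached for a well-formed program */
}
/* Install the policy for the calling process and its children; 0 on success. */
int install_tiocsti_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = tiocsti_filter };
    /* NO_NEW_PRIVS is mandatory unless CAP_SYS_ADMIN; it also keeps the
     * filter from being used to confuse setuid programs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Call install_tiocsti_filter() before exec'ing the confined program; with the filter in place, ioctl(tty_fd, TIOCSTI, &c) returns -1 with errno EPERM instead of injecting input into the controlling terminal.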