privilege escalation via ptrace (CVE-2016-8659)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| bubblewrap (Debian) | Fix Released | Unknown | | |
| bubblewrap (Ubuntu) | Fix Released | Medium | Unassigned | |
| Yakkety | Fix Released | Medium | Unassigned | |
Bug Description
Impact
======
bubblewrap 0.1.3 and 0.1.4 fix a security vulnerability. 0.1.5 has some minor improvements but also fixes the tests.
https:/
Test Case
=========
I'm not familiar enough with the code to have a test case for this.
Regression Potential
====================
Low because bubblewrap is currently only used by Flatpak. The Flatpak developers very strongly recommend updating bubblewrap to at least 0.1.4 but 0.1.5 fixes a few more issues.
See LP: #1649330 where there is some interest in using bubblewrap for some snap apps.
Other Info
==========
I just copied the Debian packaging from 0.1.5-1. The Debian packaging only updates debian/copyright and makes improvements to the build tests and autopkgtests.
Original Bug Report
===================
The bubblewrap package in yakkety (16.10) has a local privilege escalation vulnerability that's been fixed in upstream for a while. Debian has moved on to 0.1.3, but they had a 0.1.2-2 for a while that patched the vulnerability at a loss of functionality.
https:/
https:/
Note: I don't use Ubuntu, but software I maintain depends on bubblewrap, and having old known insecure packages is bad for my users.
CVE References
description: updated
tags: added: upgrade-software-version xenial
Changed in bubblewrap (Ubuntu Yakkety): status: New → Confirmed
Changed in bubblewrap (Ubuntu Yakkety): importance: Undecided → Medium
Changed in bubblewrap (Ubuntu): importance: Undecided → Medium
Changed in bubblewrap (Ubuntu Yakkety): status: Confirmed → Fix Committed
Changed in bubblewrap (Debian): status: Unknown → Fix Released
Changed in bubblewrap (Ubuntu): status: Confirmed → Fix Committed
Changed in bubblewrap (Ubuntu): status: Fix Committed → Fix Released
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures