=== modified file 'debian/changelog'
--- debian/changelog 2017-01-18 07:54:30 +0000
+++ debian/changelog 2017-01-28 10:16:16 +0000
@@ -1,3 +1,19 @@
+flatpak (0.6.11-1ubuntu0.16.10.0) yakkety-security; urgency=medium
+
+ * SECURITY UPDATE: bubblewrap escape via TIOCSTI ioctl (LP: #1657357)
+ - Fixed in d/p/Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch:
+ Add patch from upstream 0.8.1 to prevent contained apps from using
+ TIOCSTI ioctl. This would let the app inject commands into the
+ terminal from which it was invoked. Prevent the attack here
+ by using seccomp to filter out TIOCSTI ioctl.
+ - CVE-2017-5226
+ * Prevent writing to per-user installed fonts and Flatpak extensions
+ (typically locales)
+ - Fixed in d/p/Make-sure-all-mounted-sources-are-read-only.patch:
+ Add patch from upstream 0.8.2
+
+ -- Jeremy Bicha Sat, 28 Jan 2017 06:00:41 -0500
+
 flatpak (0.6.11-1) unstable; urgency=medium
 
 * New upstream release
=== added file 'debian/patches/Make-sure-all-mounts-are-read-only.patch'
--- debian/patches/Make-sure-all-mounts-are-read-only.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/Make-sure-all-mounts-are-read-only.patch 2017-01-28 10:13:19 +0000
@@ -0,0 +1,104 @@
+From 7db0ac595ceb071d759918f7227ecda1d01347fa Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Thu, 26 Jan 2017 17:05:23 +0100
+Subject: [PATCH] Run: Make sure all mounted sources are read-only
+
+It turned out that some sources where bind-mounted read-write
+which should have been read-only:
+
+ * Extensions
+ * Fonts
+ * resolv.conf
+ * localtime
+ * machine-id
+
+Many of these are not generally writable by the user, but
+some are, which is pretty bad. For instance if the an
+app is user-installed it will be able to write to its
+locale data.
+
+We fix this by using --ro-bind where needed.
+
+(cherry picked from commit bc5ea57226059f89d811be04a13fc218c8f06c12)
+---
+ common/flatpak-run.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index b717f4f..6abff17 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2197,7 +2197,7 @@ flatpak_run_add_extension_args (GPtrArray *argv_array,
+ }
+
+ add_args (argv_array,
+- "--bind", ext->files_path, full_directory,
++ "--ro-bind", ext->files_path, full_directory,
+ NULL);
+
+ if (g_file_test (real_ref, G_FILE_TEST_EXISTS))
+@@ -3087,7 +3087,7 @@ add_font_path_args (GPtrArray *argv_array)
+ if (g_file_test (SYSTEM_FONTS_DIR, G_FILE_TEST_EXISTS))
+ {
+ add_args (argv_array,
+- "--bind", SYSTEM_FONTS_DIR, "/run/host/fonts",
++ "--ro-bind", SYSTEM_FONTS_DIR, "/run/host/fonts",
+ NULL);
+ }
+
+@@ -3098,13 +3098,13 @@ add_font_path_args (GPtrArray *argv_array)
+ if (g_file_query_exists (user_font1, NULL))
+ {
+ add_args (argv_array,
+- "--bind", flatpak_file_get_path_cached (user_font1), "/run/host/user-fonts",
++ "--ro-bind", flatpak_file_get_path_cached (user_font1), "/run/host/user-fonts",
+ NULL);
+ }
+ else if (g_file_query_exists (user_font2, NULL))
+ {
+ add_args (argv_array,
+- "--bind", flatpak_file_get_path_cached (user_font2), "/run/host/user-fonts",
++ "--ro-bind",
flatpak_file_get_path_cached (user_font2), "/run/host/user-fonts",
+ NULL);
+ }
+ }
+@@ -3251,7 +3251,7 @@ add_monitor_path_args (gboolean use_session_helper,
+ NULL, NULL))
+ {
+ add_args (argv_array,
+- "--bind", monitor_path, "/run/host/monitor",
++ "--ro-bind", monitor_path, "/run/host/monitor",
+ NULL);
+ add_args (argv_array,
+ "--symlink", "/run/host/monitor/localtime", "/etc/localtime",
+@@ -2687,7 +2687,7 @@ add_monitor_path_args (gboolean use_sess
+ ssize_t symlink_size;
+
+ add_args (argv_array,
+- "--bind", "/etc/resolv.conf", "/run/host/monitor/resolv.conf",
++ "--ro-bind", "/etc/resolv.conf", "/run/host/monitor/resolv.conf",
+ NULL);
+
+ symlink_size = readlink ("/etc/localtime", localtime, sizeof (localtime) - 1);
+@@ -2701,7 +2701,7 @@ add_monitor_path_args (gboolean use_sess
+ else
+ {
+ add_args (argv_array,
+- "--bind", "/etc/localtime", "/etc/localtime",
++ "--ro-bind", "/etc/localtime", "/etc/localtime",
+ NULL);
+ }
+ }
+@@ -3883,9 +3883,9 @@ flatpak_run_setup_base_argv (GPtrArray *argv_array,
+ NULL);
+
+ if (g_file_test ("/etc/machine-id", G_FILE_TEST_EXISTS))
+- add_args (argv_array, "--bind", "/etc/machine-id", "/etc/machine-id", NULL);
++ add_args (argv_array, "--ro-bind", "/etc/machine-id", "/etc/machine-id", NULL);
+ else if (g_file_test ("/var/lib/dbus/machine-id", G_FILE_TEST_EXISTS))
+- add_args (argv_array, "--bind", "/var/lib/dbus/machine-id", "/etc/machine-id", NULL);
++ add_args (argv_array, "--ro-bind", "/var/lib/dbus/machine-id", "/etc/machine-id", NULL);
+
+ etc = g_file_get_child (runtime_files, "etc");
+ if (g_file_query_exists (etc, NULL))
+
=== added file 'debian/patches/Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch'
--- debian/patches/Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch 2017-01-28 10:13:19 +0000
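Review bot: The changelog credits this fix to `d/p/Make-sure-all-mounted-sources-are-read-only.patch`, but the file this diff adds and lists in debian/patches/series is `Make-sure-all-mounts-are-read-only.patch`; rename one side so the security-update record points at a patch that exists. The hunks at `@@ -2687,7` and `@@ -2701,7` come after `@@ -3251,7` and carry a truncated function context (`use_sess`), which suggests part of the patch was regenerated against 0.6.11 while the rest kept upstream line numbers from bc5ea572 — confirm quilt applies it to this tree without fuzz, and that the diffstat's nine `--bind` → `--ro-bind` replacements are the only writable bind-mounts of user-owned sources in 0.6.11's flatpak-run.c. For DEP-3 consistency with the sibling patch, add `Origin: upstream, 0.8.2, commit:bc5ea57226059f89d811be04a13fc218c8f06c12` and a `Bug-Ubuntu:` header above the commit message. The read-only remount only holds while the sandbox cannot remount or enter a fresh user namespace, which the companion patch's seccomp list (mount, clone with CLONE_NEWUSER) appears to cover. Every changed function begins and ends outside these hunks.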
@@ -0,0 +1,35 @@
+From: Alexander Larsson
+Date: Tue, 17 Jan 2017 16:36:56 +0100
+Subject: Use seccomp to filter out TIOCSTI ioctl
+
+This would otherwise let the sandbox add input to the controlling tty.
+
+Origin: upstream, 0.8.1, commit:902fb713990a8f968ea4350c7c2a27ff46f1a6c4
+Bug: CVE-2017-5226
+Bug-Ubuntu: https://launchpad.net/bugs/1657357
+---
+ common/flatpak-run.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 027c4a5..eff5a7b 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #ifdef ENABLE_SECCOMP
+@@ -3519,6 +3520,9 @@ setup_seccomp (GPtrArray *argv_array,
+ {SCMP_SYS (mount)},
+ {SCMP_SYS (pivot_root)},
+ {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
++
++ /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
++ {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)},
+ };
+
+ struct
=== modified file 'debian/patches/series'
--- debian/patches/series 2017-01-18 07:54:30 +0000
+++ debian/patches/series 2017-01-28 10:13:19 +0000
@@ -1,1 +1,3 @@
 debian/Try-gtk-3.0-version-of-the-icon-cache-utility-first.patch
+Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch
+Make-sure-all-mounts-are-read-only.patch
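Review bot: The new rule `{SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)}` compares the full 64-bit argument register, but the kernel's ioctl() entry point takes the request as a 32-bit `unsigned int`, so on 64-bit hosts a sandboxed process can place garbage in the upper 32 bits of the request: the filter does not match, yet the tty driver still sees TIOCSTI, and the escape this backport is meant to close remains open. The clone rule two lines above already shows the right shape — use a masked compare, `{SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (unsigned int) TIOCSTI)}`, so only the low 32 bits are tested (the unsigned cast also avoids sign-extending the datum on architectures where TIOCSTI has its top bit set). The rule sits inside the `#ifdef ENABLE_SECCOMP` path, so the fix is only effective if the Ubuntu build enables seccomp and the sandbox actually loads the filter — worth confirming against debian/rules before publishing this as the CVE-2017-5226 fix. The added `#include` line has lost its header name in this rendering; check the committed file carries the header that defines TIOCSTI. setup_seccomp begins and ends outside the hunk.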