Multiple CVEs in xenial

Thanks Reiner for the debdiff.

I noticed that upstream provides Long Term Support versions: 0.9.38.x, which is the same branch in Xenial. According to the SRU policy, new upstream micro releases could be pushed as updates if they introduce only bug fixes, especially for Ubuntu LTS releases. https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases

If you find that it is more beneficial and it is easier for you to push the whole micro release instead of cherry picking fixes, go for it.

I have now prepared an update to 0.9.38.10 (firejail LTS-branch update), which contains only security- and other bug fixes.
It is available in this PPA: https://launchpad.net/~deki/+archive/ubuntu/lp-1655136

Please include it in Xenial.

Thanks, Reiner! I've changed the bug status to "Fix committed", as you have provided the fix.

It should be "Fix Committed" only once it is uploaded to the official archive (and that afaik needs to be done by a member of the security team, as not all ubuntu devs can upload to xenial-security).

Thanks for working on this. I've got a few minor comments on the debdiff though:

- The version number should be 0.9.38-1ubuntu0.1.
- Can you please update the Maintainer field in debian/control (see https://wiki.ubuntu.com/DebianMaintainerField).
- There is a preferred format for the changelog entry - could you please update that? (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging).
- It should target the security pocket (xenial-security).

Thanks for the review Chris.
I attached an updated debdiff with your proposed changes.

Although, isn't that patch "obsoleted" by the new upstream micro release Reiner proposed with https://launchpadlibrarian.net/302732117/firejail_0.9.38-1_0.9.38.10-0ubuntu1.diff.gz (see ppa:deki/lp-1655136)

ACK on the debdiff with the minimal fixes in comment #7, it is currently building and will be released as a security update.

Once it it released, if desired, the new 0.9.38.10 package can then be submitted to go through the SRU process.

Thanks!

This bug was fixed in the package firejail - 0.9.38-1ubuntu0.1

---------------
firejail (0.9.38-1ubuntu0.1) xenial-security; urgency=low

  * SECURITY UPDATE: sandbox escape via TIOCSTI ioctl (LP: #1655136)
    - debian/patches/CVE-2016-9016.patch: cherry-picked from upstream
      0.9.38-LTS branch (commit 19302eb)
    - CVE-2016-9016
  * SECURITY UPDATE: truncate /etc/resolv.conf as non-root user (LP: #1655136)
    - debian/patches/CVE-2016-10118.patch: cherry-picked from upstream
      0.9.38-LTS branch (commit 4f4e59c)
    - CVE-2016-10118
  * SECURITY UPDATE: local privilege escalation to root (LP: #1655136)
    - debian/patches/CVE-2017-5180.patch: cherry-picked from upstream
      0.9.38-LTS branch (commit ad97545)
    - CVE-2017-5180

 -- Reiner Herrmann <email address hidden> Tue, 17 Jan 2017 20:16:26 +0100