bubblewrap escape via TIOCSTI ioctl

Bug #1657357 reported by Jeremy Bicha on 2017-01-18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bubblewrap (Debian)
Fix Released
bubblewrap (Ubuntu)
flatpak (Ubuntu)

Bug Description

Another bubblewrap security issue for yakkety. Changelogs are derived from Debian's. This has already been fixed in Debian and zesty.
This has been fixed in Debian and upstream in both bubblewrap and Flatpak which need to be updated at the same time.

For Flatpak, this is just backporting

For bubblewrap, there's only a few other bugfixes added in the new upstream version 0.1.7 since 0.1.5 so I think we'd be better off just taking the new version:

Originally, I mixed this bug with LP: #1656712 but it's a lot simpler now.

CVE References

Jeremy Bicha (jbicha) on 2017-01-18
information type: Public → Public Security
Changed in bubblewrap (Ubuntu):
importance: Undecided → Medium
Changed in flatpak (Ubuntu):
importance: Undecided → Medium
Mathew Hodson (mathew-hodson) wrote :

I noticed the changelog links to the wrong bug in the flatpak and bubblewrap debdiffs.

It links to an older security bug not this one.

Changed in bubblewrap (Debian):
status: Unknown → Fix Released
Jeremy Bicha (jbicha) wrote :

Thanks Mathew, I fixed that now.

Jeremy Bicha (jbicha) wrote :
Jeremy Bicha (jbicha) on 2017-01-20
description: updated
Jeremy Bicha (jbicha) wrote :

I've added a second patch to the Flatpak debdiff. Another security-related commit from 0.8.2. I had to refresh the last 3 hunks so the patch would apply cleanly.


Tyler Hicks (tyhicks) on 2017-02-06
Changed in bubblewrap (Ubuntu):
status: New → Confirmed
Changed in flatpak (Ubuntu):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

@jbicha Thanks for the debdiffs! sbeattie reviewed the flatpak debdiff and I reviewed the bubblewrap debdiff. They've both built in the security-proposed PPA.

As for the bubblewrap changes, I'm going to sponsor them but I do want to say that I worry that we're getting in the habit of doing version bumps for bubblewrap. That's definitely not preferred but all of the changes between 1.5 and 1.7 seem somewhat tangled up with the actual security fix so I'm going to make an exception.

Thanks again for the high quality debdiffs. We really appreciate it!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 0.6.11-1ubuntu0.16.10.0

flatpak (0.6.11-1ubuntu0.16.10.0) yakkety-security; urgency=medium

  * SECURITY UPDATE: bubblewrap escape via TIOCSTI ioctl (LP: #1657357)
    - Fixed in d/p/Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch:
      Add patch from upstream 0.8.1 to prevent contained apps from using
      TIOCSTI ioctl. This would let the app inject commands into the
      terminal from which it was invoked. Prevent the attack here
      by using seccomp to filter out TIOCSTI ioctl.
    - CVE-2017-5226
  * SECURITY UPDATE: Prevent writing to per-user installed fonts and
    Flatpak extensions (typically locales)
    - Fixed in d/p/Make-sure-all-mounted-sources-are-read-only.patch:
      Add patch from upstream 0.8.2

 -- Jeremy Bicha <email address hidden> Sat, 28 Jan 2017 06:00:41 -0500

Changed in flatpak (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bubblewrap - 0.1.7-0ubuntu0.16.10.1

bubblewrap (0.1.7-0ubuntu0.16.10.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: bubblewrap escape via TIOCSTI ioctl (LP: #1657357)
    - Fixed in new upstream release 0.1.7 by adding --new-session
      option that use setsid() before executing sandboxed code.
      Users of bubblewrap to confine untrusted programs should either
      add --new-session to the bwrap command line, or prevent the
      TIOCSTI ioctl with a seccomp filter instead (as Flatpak does).
    - New upstream release also adds --unshare-all option to easily
      sandbox all namespaces. A --share-net option can be used with
      --unshare-all to retain the network namespace.
    - CVE-2017-5226
  * debian/bubblewrap.examples: install upstream examples

 -- Jeremy Bicha <email address hidden> Thu, 19 Jan 2017 21:31:11 -0500

Changed in bubblewrap (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.