[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
This bug was fixed in the package bubblewrap - 0.1.7-0ubuntu0.16.10.1

---
bubblewrap (0.1.7-0ubuntu0.16.10.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: bubblewrap escape via TIOCSTI ioctl (LP: #1657357)
    - Fixed in new upstream release 0.1.7 by adding --new-session option
      that uses setsid() before executing sandboxed code.
      Users of bubblewrap to confine untrusted programs should either add
      --new-session to the bwrap command line, or prevent the TIOCSTI
      ioctl with a seccomp filter instead (as Flatpak does).
    - New upstream release also adds --unshare-all option to easily
      sandbox all namespaces. A --share-net option can be used with
      --unshare-all to retain the network namespace.
    - CVE-2017-5226
  * debian/bubblewrap.examples: install upstream examples

 -- Jeremy Bicha  Thu, 19 Jan 2017 21:31:11 -0500

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1657357

Title:
  bubblewrap escape via TIOCSTI ioctl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
This bug was fixed in the package flatpak - 0.6.11-1ubuntu0.16.10.0

---
flatpak (0.6.11-1ubuntu0.16.10.0) yakkety-security; urgency=medium

  * SECURITY UPDATE: bubblewrap escape via TIOCSTI ioctl (LP: #1657357)
    - Fixed in d/p/Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch:
      Add patch from upstream 0.8.1 to prevent contained apps from using
      TIOCSTI ioctl. This would let the app inject commands into the
      terminal from which it was invoked. Prevent the attack here by
      using seccomp to filter out TIOCSTI ioctl.
    - CVE-2017-5226
  * SECURITY UPDATE: Prevent writing to per-user installed fonts and
    Flatpak extensions (typically locales)
    - Fixed in d/p/Make-sure-all-mounted-sources-are-read-only.patch:
      Add patch from upstream 0.8.2

 -- Jeremy Bicha  Sat, 28 Jan 2017 06:00:41 -0500

** Changed in: flatpak (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: bubblewrap (Ubuntu)
       Status: Confirmed => Fix Released
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
@jbicha Thanks for the debdiffs! sbeattie reviewed the flatpak debdiff and
I reviewed the bubblewrap debdiff. They've both built in the
security-proposed PPA.

As for the bubblewrap changes, I'm going to sponsor them but I do want to
say that I worry that we're getting in the habit of doing version bumps
for bubblewrap. That's definitely not preferred but all of the changes
between 1.5 and 1.7 seem somewhat tangled up with the actual security fix
so I'm going to make an exception.

Thanks again for the high quality debdiffs. We really appreciate it!
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Changed in: bubblewrap (Ubuntu)
       Status: New => Confirmed

** Changed in: flatpak (Ubuntu)
       Status: New => Confirmed
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
I've added a second patch to the Flatpak debdiff. Another security-related
commit from 0.8.2. I had to refresh the last 3 hunks so the patch would
apply cleanly.

https://github.com/flatpak/flatpak/commit/7db0ac595c

** Patch removed: "flatpak-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4806561/+files/flatpak-yakkety-lp1657357.debdiff

** Patch added: "flatpak-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4810032/+files/flatpak-yakkety-lp1657357.debdiff
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Description changed:

- Another bubblewrap security issue. This has been fixed in Debian and
- upstream in both bubblewrap and Flatpak which need to be updated at the
- same time.
+ Another bubblewrap security issue for yakkety. Changelogs are derived from Debian's. This has already been fixed in Debian and zesty.
+ This has been fixed in Debian and upstream in both bubblewrap and Flatpak which need to be updated at the same time.

- I've been wanting to update Flatpak to 0.8 anyway (LP: #1656712) since
- December but was waiting to get bubblewrap taken care of first to make
- it simpler. Now I guess we'll do it all together.
+ For Flatpak, this is just backporting
+ https://github.com/flatpak/flatpak/commit/902fb7139

- There are three affected packages in yakkety:
- - bubblewrap
- - flatpak
- - ostree (new version needed for new flatpak)
+ For bubblewrap, there's only a few other bugfixes added in the new upstream version 0.1.7 since 0.1.5 so I think we'd be better off just taking the new version:
+ https://github.com/projectatomic/bubblewrap/releases
+ https://github.com/projectatomic/bubblewrap/commits/master

- I'll attach debdiffs here for them.
-
- I propose we do like the last bubblewrap update and build these as
- security updates but age them for 7 days first like SRUs.
+ Originally, I mixed this bug with LP: #1656712 but it's a lot simpler
+ now.
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Patch added: "flatpak-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4806561/+files/flatpak-yakkety-lp1657357.debdiff
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Patch removed: "flatpak-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4806063/+files/flatpak-yakkety-lp1657357.debdiff

** Patch removed: "bubblewrap-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4806062/+files/bubblewrap-yakkety-lp1657357.debdiff

** Patch removed: "ostree-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4805727/+files/ostree-yakkety-lp1657357.debdiff

** Patch added: "bubblewrap-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4806559/+files/bubblewrap-yakkety-lp1657357.debdiff
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Patch removed: "flatpak-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1657357/+attachment/4805728/+files/flatpak-yakkety-lp1657357.debdiff

** Patch removed: "bubblewrap-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1657357/+attachment/4805729/+files/bubblewrap-yakkety-lp1657357.debdiff

** Patch added: "bubblewrap-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1657357/+attachment/4806062/+files/bubblewrap-yakkety-lp1657357.debdiff
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Patch added: "flatpak-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1657357/+attachment/4806063/+files/flatpak-yakkety-lp1657357.debdiff
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
Thanks Mathew, I fixed that now.
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Changed in: bubblewrap (Debian)
       Status: Unknown => Fix Released
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
I noticed the changelog links to the wrong bug in the flatpak and
bubblewrap debdiffs. It links to an older security bug not this one.

** Bug watch added: Debian Bug tracker #850702
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702

** Also affects: bubblewrap (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702
   Importance: Unknown
       Status: Unknown

** Changed in: bubblewrap (Ubuntu)
   Importance: Undecided => Medium

** Changed in: flatpak (Ubuntu)
   Importance: Undecided => Medium
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Patch added: "bubblewrap-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4805726/+files/bubblewrap-yakkety-lp1657357.debdiff
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Patch added: "flatpak-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4805728/+files/flatpak-yakkety-lp1657357.debdiff

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5226

** Information type changed from Public to Public Security

** Patch removed: "bubblewrap-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4805726/+files/bubblewrap-yakkety-lp1657357.debdiff
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Patch added: "ostree-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4805727/+files/ostree-yakkety-lp1657357.debdiff
[Bug 1657357] Re: bubblewrap escape via TIOCSTI ioctl
** Patch added: "bubblewrap-yakkety-lp1657357.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+attachment/4805729/+files/bubblewrap-yakkety-lp1657357.debdiff