** Changed in: bubblewrap (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1643734
Title:
privilege escalation via ptrace (CVE-2016-8659)
To manag
This bug was fixed in the package bubblewrap - 0.1.5-1~ubuntu16.10.0
---
bubblewrap (0.1.5-1~ubuntu16.10.0) yakkety-security; urgency=medium
* SECURITY UPDATE: privilege escalation via ptrace (LP: #1643734)
- Fixed in new upstream release 0.1.3
- 0.1.4 further protects again
I verified the non-security part of this update with flatpak since
that's the only thing that uses bubblewrap.
With Ubuntu (Unity) 16.10:
sudo apt install flatpak
wget https://people.gnome.org/~alexl/keys/gnome-sdk.gpg
flatpak remote-add --user --gpg-import=gnome-sdk.gpg gnome
http://sdk.gnome.or
Hi, I'm not sure what I've done wrong here, but I've added the sleep at
line 1707 after the drop_caps call and tried to strace the child process
without success.
This is the output I got:
strace: attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted
Could not attach to process. If your uid
There is no easy way to test the CVE without changes to bwrap, because
it involves ptracing the process tree while racing startup. When I
tested the fix I inserted a sleep in the code and attached to it with
strace to verify that it was possible to ptrace at that point. You can
test it in a similar
** Changed in: bubblewrap (Ubuntu)
Status: Confirmed => Fix Committed
--
In the context of LP: #1649330, I don't see any regressions from
bubblewrap 0.1.5-1~ubuntu16.10.0 in yakkety-proposed, but I've only
tested the simple case there within a VM. So:
bwrap --dev-bind / / --dev-bind ~ /snap bash
and then...
ls /snap
touch /snap/whatever
exit
then...
ls ~
still wor
For xenial, you need to go through the SRU team. It should go in
-updates, not -security.
--
zesty's bubblewrap build-depends on debhelper 10 so we should lower that
for xenial (which has dh10 in backports only)
--
** Changed in: bubblewrap (Debian)
Status: Unknown => Fix Released
--
Marc, thanks for the upload!
I'd like to get this version of bubblewrap into xenial also. It's needed
to get flatpak working there. Similar to how snapd was backported to
trusty into the -updates pocket, I think it makes sense for flatpak to
land in the -updates pocket. Because bubblewrap is not i
** Changed in: bubblewrap (Ubuntu Yakkety)
Status: Confirmed => Fix Committed
--
** Changed in: bubblewrap (Ubuntu Yakkety)
Importance: Undecided => Medium
** Changed in: bubblewrap (Ubuntu)
Importance: Undecided => Medium
** Bug watch added: Debian Bug tracker #840605
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840605
** Also affects: bubblewrap (Debian) via
** Also affects: bubblewrap (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Changed in: bubblewrap (Ubuntu Yakkety)
Status: New => Confirmed
--
** Tags added: upgrade-software-version xenial
--
Jeremy, the updated package is now in yakkety-proposed. Please comment
here when it's tested and you're ready for us to publish it in -security
and -updates. Thanks!
--
I asked for the package to be removed from the upload queue. I will
build it in the -security pocket, and will push it to -proposed for a
week, as requested.
--
Thanks Jeremy for working on this; I think you're right, a backport from
zesty makes sense. The diff is large and likely important for clients
especially in the early stages of a library; backporting 'the fix' alone
without the rest may introduce new issues; and tests are always good.
The trick is
I think it makes sense to just update this to 0.1.4 since 0.1.3 is just
the security fix and 0.1.4 is further security fixes related to the same
issue (and a few other bugfixes).
But the build tests don't work with 0.1.4 so we either need to patch
them or just go with 0.1.5 which fixes the tests a
** Description changed:
+ Impact
+ ==
+ bubblewrap 0.1.3 and 0.1.4 fix a security vulnerability. 0.1.5 has some minor
improvements but also fixes the tests.
+
+ https://github.com/projectatomic/bubblewrap/releases
+
+ Test Case
+ =
+ I'm not familiar enough with the code to have a t
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is availabl