Candidate: CVE-2016-8659
PublicDate: 2017-02-13 18:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8659
 https://github.com/projectatomic/bubblewrap/issues/107
Description:
 Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which might allow
 local users to gain privileges by attaching to the process, as demonstrated
 by sending commands to a PrivSep socket.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840605
 https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1643734
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0 HIGH]

Patches_bubblewrap:
upstream_bubblewrap: released (0.1.2-2)
precise_bubblewrap: DNE
trusty_bubblewrap: DNE
trusty/esm_bubblewrap: DNE
vivid/stable-phone-overlay_bubblewrap: DNE
vivid/ubuntu-core_bubblewrap: DNE
xenial_bubblewrap: DNE
yakkety_bubblewrap: released (0.1.5-1~ubuntu16.10.0)
devel_bubblewrap: not-affected (0.1.6-2)