Note:
This project will be discontinued after December 13, 2021. [more]
2019-05-29
bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.
Products | Bubblewrap |
Type | Improper Input Validation (CWE-20) |
First patch | - None (likely due to unavailable code) |
Links |
• https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e
• https://security.gentoo.org/glsa/202006-18 • https://access.redhat.com/errata/RHSA-2019:1833 • https://github.com/projectatomic/bubblewrap/issues/304 • https://bugzilla.redhat.com/show_bug.cgi?id=1695963 |