CVE-2019-12439
- Source
- https://cve.org/CVERecord?id=CVE-2019-12439
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12439.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-12439
- Downstream
- Related
- Published
- 2019-05-29T15:29:00.377Z
- Modified
- 2026-03-01T08:05:43.282511Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDGRUNTIMEDIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code.
- References
-
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html
- https://access.redhat.com/errata/RHSA-2019:1833
- https://bugzilla.redhat.com/show_bug.cgi?id=1695963
- https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e
- https://github.com/projectatomic/bubblewrap/issues/304
- https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3
- https://security.gentoo.org/glsa/202006-18
- https://bugzilla.redhat.com/show_bug.cgi?id=1695963
- https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e
Affected packages
Git / github.com/containers/bubblewrap
Affected ranges
- Type
- GIT
- Repo
- https://github.com/containers/bubblewrap
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.2
v0.*
v0.1.0
v0.1.1
v0.1.3
v0.1.4
v0.1.5
v0.1.7
v0.1.8
v0.2.0
v0.2.1
v0.3.0
v0.3.1
v0.3.2
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12439.json"
vanir_signatures
[
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "163138480516088060973123991537078844772",
"length": 10855.0
},
"source": "https://github.com/containers/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e",
"signature_type": "Function",
"id": "CVE-2019-12439-0814091c",
"target": {
"file": "bubblewrap.c",
"function": "main"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"283179917051261630896667241276398686681",
"156835895842063204426592657645357554064",
"111535406409657270217145089257984278610",
"113780544056907384740793531340704701702",
"137732832239418312694642623703253456288",
"124682311427914636375661048704732540145",
"170496425584988668139365274346094921978",
"172801237529990720369066095369241666423",
"217023891360866399185816632672554550288",
"174097707395110539665399886529019003634",
"297473727901272319493434324414327787637",
"276028077305428303997258195433187177581",
"246543047571715569257987064028953445438",
"74241571744933200156231765948065868072",
"229410691217233813825979016078530512815",
"42059878739010556504832711124538710956",
"44532719681789361639233861930549587264",
"198386674756433031549864431927558446003"
]
},
"source": "https://github.com/containers/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e",
"signature_type": "Line",
"id": "CVE-2019-12439-776902b2",
"target": {
"file": "bubblewrap.c"
}
}
]