diff -Nru ubuntu-download-manager-1.2+16.04.20160322/debian/changelog ubuntu-download-manager-1.2+16.04.20160408/debian/changelog
--- ubuntu-download-manager-1.2+16.04.20160322/debian/changelog 2016-04-08 17:52:14.000000000 +0000
+++ ubuntu-download-manager-1.2+16.04.20160408/debian/changelog 2016-04-08 17:52:15.000000000 +0000
@@ -1,3 +1,10 @@
+ubuntu-download-manager (1.2+16.04.20160408-0ubuntu1) xenial; urgency=medium
+
+ * Disallow post-processing commands from unconfined apps (Fixes CVE-
+ 2016-1579)
+
+ -- Michael Sheldon Fri, 08 Apr 2016 17:50:24 +0000
+
 ubuntu-download-manager (1.2+16.04.20160322-0ubuntu1) xenial; urgency=medium

 * Fix error reporting in download manager for network errors (LP:
diff -Nru ubuntu-download-manager-1.2+16.04.20160322/src/downloads/priv/ubuntu/downloads/file_download.cpp ubuntu-download-manager-1.2+16.04.20160408/src/downloads/priv/ubuntu/downloads/file_download.cpp
--- ubuntu-download-manager-1.2+16.04.20160322/src/downloads/priv/ubuntu/downloads/file_download.cpp 2016-03-22 16:24:29.000000000 +0000
+++ ubuntu-download-manager-1.2+16.04.20160408/src/downloads/priv/ubuntu/downloads/file_download.cpp 2016-04-08 17:50:22.000000000 +0000
@@ -1023,6 +1023,11 @@
 postDownloadProcess->start(command, args);
 return;
 } else if (_metadata.contains(Metadata::COMMAND_KEY)) {
+ if (isConfined()) {
+ DOWN_LOG(ERROR) << "Post processing commands are unavailable to confined applications";
+ emitError(COMMAND_ERROR);
+ return;
+ }
 // just emit processing if we DO NOT have a hash because else we
 // already emitted it.
 if (_hash.isEmpty()) {
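Review bot: The new `isConfined()` guard covers only the `Metadata::COMMAND_KEY` branch, while the branch directly above it in the same if/else chain also ends in `postDownloadProcess->start(command, args)` and is not gated; its condition and the origin of `command`/`args` are outside the hunk, so it is worth confirming that a confined caller cannot influence them through request metadata. The guard also runs only once the download has completed, so a confined app's request is accepted, transferred in full and only then failed with `COMMAND_ERROR`; rejecting the key where the metadata is first accepted would fail earlier, if that is practical. Because the result of `isConfined()` is now a security decision, confirm that it fails closed (treats the caller as confined) when the confinement lookup itself errors; its implementation is not visible here. I would also add a why-comment above the check, e.g. `// Confined apps must not run arbitrary commands after a download (CVE-2016-1579).` The enclosing function starts and ends outside the hunk.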