
Bug#923875: unblock: bubblewrap/0.3.1-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package bubblewrap and/or speed up its migration. This
version fixes a potential security vulnerability reported by Jakub Wilk
(no CVE ID available yet) when not run in a systemd-logind session. I
believe the impact is usually only DoS, but it could be worse in some
cases.

Revision -4, uploaded today, should be basically equivalent to revision
-3, which has been in unstable for 3 days. It has more test coverage, and
uses the fix that was merged upstream instead of the similar fix that I
initially proposed.

unblock bubblewrap/0.3.1-4

Thanks,
    smcv
diffstat for bubblewrap-0.3.1 bubblewrap-0.3.1

 changelog                                                               |   19 ++
 control                                                                 |    2 
 patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch |   68 ++++++++
 patches/debian/Use-Python-3-for-test-demo-code.patch                    |    2 
 patches/series                                                          |    2 
 patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch |   81 ++++++++++
 upstream/metadata                                                       |    8 
 7 files changed, 180 insertions(+), 2 deletions(-)

diff -Nru bubblewrap-0.3.1/debian/changelog bubblewrap-0.3.1/debian/changelog
--- bubblewrap-0.3.1/debian/changelog	2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/changelog	2019-03-06 14:43:44.000000000 +0000
@@ -1,3 +1,22 @@
+bubblewrap (0.3.1-4) unstable; urgency=medium
+
+  * d/p/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch:
+    Replace with the version that was applied upstream
+  * d/p/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch:
+    Add a test to check that the above patch works as intended
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 06 Mar 2019 14:43:44 +0000
+
+bubblewrap (0.3.1-3) unstable; urgency=medium
+
+  * d/p/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch:
+    Avoid denial of service and potential symlink attacks on systems not
+    using systemd-logind (Closes: #923557)
+  * Standards-Version: 4.3.0 (no changes required)
+  * d/upstream/metadata: Add DEP-12 metadata
+
+ -- Simon McVittie <smcv@debian.org>  Sat, 02 Mar 2019 13:03:29 +0000
+
 bubblewrap (0.3.1-2) unstable; urgency=medium
 
   [ Iain Lane ]
diff -Nru bubblewrap-0.3.1/debian/control bubblewrap-0.3.1/debian/control
--- bubblewrap-0.3.1/debian/control	2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/control	2019-03-06 14:43:44.000000000 +0000
@@ -16,7 +16,7 @@
  pkg-config,
  python3 <!nocheck>,
  xsltproc,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://github.com/projectatomic/bubblewrap
 Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
 Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
diff -Nru bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch
--- bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch	2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch	2019-03-06 14:43:44.000000000 +0000
@@ -19,7 +19,7 @@
  import os, select, subprocess, sys, json
  
 diff --git a/tests/test-run.sh b/tests/test-run.sh
-index b883b82..5efaed0 100755
+index 9a20de6..cfadf91 100755
 --- a/tests/test-run.sh
 +++ b/tests/test-run.sh
 @@ -193,7 +193,7 @@ fi
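Review bot: the refreshed index line here (b883b82..5efaed0 becoming 9a20de6..cfadf91) is consistent with the new ordering in d/p/series, where tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch now applies before this patch and its own index line takes tests/test-run.sh from b883b82 to 9a20de6, so this patch's pre-image hash had to move; the @@ ranges of the nested hunk are unchanged, which matches a refresh with no content change.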
diff -Nru bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch
--- bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch	1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch	2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,68 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sat, 2 Mar 2019 12:09:03 +0000
+Subject: Don't create our own temporary mount point for pivot_root
+
+An attacker could pre-create /tmp/.bubblewrap-$UID and make it a
+non-directory, non-symlink (in which case mounting our tmpfs would fail,
+causing denial of service), or make it a symlink under their control
+(potentially allowing bad things if the protected_symlinks sysctl is
+not enabled).
+
+Instead, temporarily mount the tmpfs on a directory that we are sure
+exists and is not attacker-controlled. /tmp (the directory itself, not
+a subdirectory) will do.
+
+Bug: https://github.com/projectatomic/bubblewrap/issues/304
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Forwarded: https://github.com/projectatomic/bubblewrap/pull/305
+Reviewed-by: cgwalters
+---
+ bubblewrap.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index b319f1c..fa78129 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -1977,7 +1977,7 @@ main (int    argc,
+       char **argv)
+ {
+   mode_t old_umask;
+-  cleanup_free char *base_path = NULL;
++  const char *base_path = NULL;
+   int clone_flags;
+   char *old_cwd = NULL;
+   pid_t pid;
+@@ -2117,15 +2117,12 @@ main (int    argc,
+     die_with_error ("Can't open /proc");
+ 
+   /* We need *some* mountpoint where we can mount the root tmpfs.
+-     We first try in /run, and if that fails, try in /tmp. */
+-  base_path = xasprintf ("/run/user/%d/.bubblewrap", real_uid);
+-  if (ensure_dir (base_path, 0755))
+-    {
+-      free (base_path);
+-      base_path = xasprintf ("/tmp/.bubblewrap-%d", real_uid);
+-      if (ensure_dir (base_path, 0755))
+-        die_with_error ("Creating root mountpoint failed");
+-    }
++   * Because we use pivot_root, it won't appear to be mounted from
++   * the perspective of the sandboxed process, so we can use anywhere
++   * that is sure to exist, that is sure to not be a symlink controlled
++   * by someone malicious, and that we won't immediately need to
++   * access ourselves. */
++  base_path = "/tmp";
+ 
+   __debug__ (("creating new namespace\n"));
+ 
+@@ -2315,7 +2312,8 @@ main (int    argc,
+   /* We create a subdir "$base_path/newroot" for the new root, that
+    * way we can pivot_root to base_path, and put the old root at
+    * "$base_path/oldroot". This avoids problems accessing the oldroot
+-   * dir if the user requested to bind mount something over / */
++   * dir if the user requested to bind mount something over / (or
++   * over /tmp, now that we use that for base_path). */
+ 
+   if (mkdir ("newroot", 0755))
+     die_with_error ("Creating newroot failed");
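Review bot: the type change in the first nested hunk (`cleanup_free char *base_path` to `const char *base_path`) is required now that base_path points at the string literal "/tmp", and the removed block in the second nested hunk was the only place in this patch that called free (base_path); please confirm nothing later in main () still passes base_path to free () or writes through it, since the remaining uses fall outside the visible context. The second nested hunk also drops the only explicit existence check (`ensure_dir (base_path, 0755)` followed by `die_with_error ("Creating root mountpoint failed")`), so on a system where /tmp is missing or not a directory the failure now surfaces at the later tmpfs mount; that mount's error path should name the mount point so the failure stays diagnosable. The rationale in the replacement comment is the right security argument for this change: an unprivileged user cannot replace or remove /tmp itself, whereas /tmp/.bubblewrap-$UID could be pre-created as a non-directory or as a symlink, which is exactly the denial of service and protected_symlinks-dependent issue described in the patch header.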
diff -Nru bubblewrap-0.3.1/debian/patches/series bubblewrap-0.3.1/debian/patches/series
--- bubblewrap-0.3.1/debian/patches/series	2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/series	2019-03-06 14:43:44.000000000 +0000
@@ -1,4 +1,6 @@
 tests-Handle-systems-without-merged-usr.patch
 man-page-Describe-chdir-not-nonexistent-cwd.patch
 Make-lockdata-long-enough-on-32-bit-with-64-bit-file-poin.patch
+Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch
+tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch
 debian/Use-Python-3-for-test-demo-code.patch
diff -Nru bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch
--- bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch	1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch	2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,81 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Tue, 5 Mar 2019 08:36:55 +0000
+Subject: tests: Ensure that tmpfs with oldroot/newroot doesn't appear in
+ container
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Forwarded: https://github.com/projectatomic/bubblewrap/pull/305
+Reviewed-by: cgwalters
+---
+ tests/test-run.sh | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index b883b82..9a20de6 100755
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -80,7 +80,7 @@ if ! $RUN true; then
+     skip Seems like bwrap is not working at all. Maybe setuid is not working
+ fi
+ 
+-echo "1..38"
++echo "1..43"
+ 
+ # Test help
+ ${BWRAP} --help > help.txt
+@@ -256,4 +256,55 @@ if $RUN -- --dev-bind /dev /dev sh -c 'echo should not have run'; then
+ fi
+ echo "ok - options like --dev-bind are defanged by --"
+ 
++if command -v mktemp > /dev/null; then
++    tempfile="$(mktemp /tmp/bwrap-test-XXXXXXXX)"
++    echo "hello" > "$tempfile"
++    $BWRAP --bind / / cat "$tempfile" > stdout
++    assert_file_has_content stdout hello
++    echo "ok - bind-mount of / exposes real /tmp"
++    $BWRAP --bind / / --bind /tmp /tmp cat "$tempfile" > stdout
++    assert_file_has_content stdout hello
++    echo "ok - bind-mount of /tmp exposes real /tmp"
++    if [ -d /mnt ]; then
++        $BWRAP --bind / / --bind /tmp /mnt cat "/mnt/${tempfile#/tmp/}" > stdout
++        assert_file_has_content stdout hello
++        echo "ok - bind-mount of /tmp onto /mnt exposes real /tmp"
++    else
++        echo "ok - # SKIP /mnt does not exist"
++    fi
++else
++    echo "ok - # SKIP mktemp not found"
++    echo "ok - # SKIP mktemp not found"
++    echo "ok - # SKIP mktemp not found"
++fi
++
++if $RUN test -d /tmp/oldroot; then
++    assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $RUN test -d /tmp/newroot; then
++    assert_not_reached "/tmp/newroot should not be visible"
++fi
++
++echo "hello" > input.$$
++$BWRAP --bind / / --bind "$(pwd)" /tmp cat /tmp/input.$$ > stdout
++assert_file_has_content stdout hello
++if $BWRAP --bind / / --bind "$(pwd)" /tmp test -d /tmp/oldroot; then
++    assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $BWRAP --bind / / --bind "$(pwd)" /tmp test -d /tmp/newroot; then
++    assert_not_reached "/tmp/newroot should not be visible"
++fi
++echo "ok - we can mount another directory onto /tmp"
++
++echo "hello" > input.$$
++$RUN --bind "$(pwd)" /tmp/here cat /tmp/here/input.$$ > stdout
++assert_file_has_content stdout hello
++if $RUN --bind "$(pwd)" /tmp/here test -d /tmp/oldroot; then
++    assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $RUN --bind "$(pwd)" /tmp/here test -d /tmp/newroot; then
++    assert_not_reached "/tmp/newroot should not be visible"
++fi
++echo "ok - we can mount another directory inside /tmp"
++
+ echo "ok - End of test"
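Review bot: the temporary file created with mktemp in the first new block is never removed, so every run of the test suite leaves a /tmp/bwrap-test-XXXXXXXX file on the host; add `rm -f "$tempfile"` after its last use in the `if command -v mktemp` branch (the else branch has nothing to clean up). The second `echo "hello" > input.$$` before the "inside /tmp" block repeats the identical line from the "onto /tmp" block and can be dropped, and input.$$ should be removed at the end of the test as well. The plan update from `1..38` to `1..43` does match the five new "ok" lines (three in the mktemp block, with the else branch emitting three corresponding SKIP lines, plus one for each of the two final blocks), so the TAP plan stays consistent on both paths. The `test -d /tmp/oldroot` and `test -d /tmp/newroot` checks are what actually exercise the companion patch: they fail only if the temporary tmpfs mounted on /tmp before pivot_root, with its oldroot/newroot directories, remains visible from inside the sandbox.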
diff -Nru bubblewrap-0.3.1/debian/upstream/metadata bubblewrap-0.3.1/debian/upstream/metadata
--- bubblewrap-0.3.1/debian/upstream/metadata	1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/upstream/metadata	2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,8 @@
+---
+Name: Bubblewrap
+Repository: https://github.com/projectatomic/bubblewrap
+Repository-Browse: https://github.com/projectatomic/bubblewrap
+Bug-Database: https://github.com/projectatomic/bubblewrap/issues
+Bug-Submit: https://github.com/projectatomic/bubblewrap/issues/new
+...
+# vim:set ft=yaml:
