
Bug#923875: marked as done (unblock: bubblewrap/0.3.1-4)



Your message dated Wed, 6 Mar 2019 19:36:18 +0000
with message-id <20190306193618.GA25516@powdarrmonkey.net>
and subject line Re: Bug#923875: unblock: bubblewrap/0.3.1-4
has caused the Debian Bug report #923875,
regarding unblock: bubblewrap/0.3.1-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
923875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923875
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package bubblewrap and/or speed up its migration. This
version fixes a potential security vulnerability reported by Jakub Wilk
(no CVE ID available yet) when not run in a systemd-logind session. I
believe the impact is usually only DoS, but it could be worse in some
cases.

Revision -4, uploaded today, should be basically equivalent to revision
-3, which has been in unstable for 3 days. It has more test coverage, and
uses the fix that was merged upstream instead of the similar fix that I
initially proposed.

unblock bubblewrap/0.3.1-4

Thanks,
    smcv
diffstat for bubblewrap-0.3.1 bubblewrap-0.3.1

 changelog                                                               |   19 ++
 control                                                                 |    2 
 patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch |   68 ++++++++
 patches/debian/Use-Python-3-for-test-demo-code.patch                    |    2 
 patches/series                                                          |    2 
 patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch |   81 ++++++++++
 upstream/metadata                                                       |    8 
 7 files changed, 180 insertions(+), 2 deletions(-)

diff -Nru bubblewrap-0.3.1/debian/changelog bubblewrap-0.3.1/debian/changelog
--- bubblewrap-0.3.1/debian/changelog	2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/changelog	2019-03-06 14:43:44.000000000 +0000
@@ -1,3 +1,22 @@
+bubblewrap (0.3.1-4) unstable; urgency=medium
+
+  * d/p/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch:
+    Replace with the version that was applied upstream
+  * d/p/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch:
+    Add a test to check that the above patch works as intended
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 06 Mar 2019 14:43:44 +0000
+
+bubblewrap (0.3.1-3) unstable; urgency=medium
+
+  * d/p/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch:
+    Avoid denial of service and potential symlink attacks on systems not
+    using systemd-logind (Closes: #923557)
+  * Standards-Version: 4.3.0 (no changes required)
+  * d/upstream/metadata: Add DEP-12 metadata
+
+ -- Simon McVittie <smcv@debian.org>  Sat, 02 Mar 2019 13:03:29 +0000
+
 bubblewrap (0.3.1-2) unstable; urgency=medium
 
   [ Iain Lane ]
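Review bot: the 0.3.1-4 entry says the patch is "replaced with the version that was applied upstream" but gives no bug reference, so a reader of the changelog alone cannot tell that the -4 patch addresses the same issue as the -3 entry (Closes: #923557) or where the upstream version came from; consider repeating the Debian bug number and the upstream issue or pull request in the -4 entry.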
diff -Nru bubblewrap-0.3.1/debian/control bubblewrap-0.3.1/debian/control
--- bubblewrap-0.3.1/debian/control	2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/control	2019-03-06 14:43:44.000000000 +0000
@@ -16,7 +16,7 @@
  pkg-config,
  python3 <!nocheck>,
  xsltproc,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://github.com/projectatomic/bubblewrap
 Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
 Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
diff -Nru bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch
--- bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch	2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch	2019-03-06 14:43:44.000000000 +0000
@@ -19,7 +19,7 @@
  import os, select, subprocess, sys, json
  
 diff --git a/tests/test-run.sh b/tests/test-run.sh
-index b883b82..5efaed0 100755
+index 9a20de6..cfadf91 100755
 --- a/tests/test-run.sh
 +++ b/tests/test-run.sh
 @@ -193,7 +193,7 @@ fi
diff -Nru bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch
--- bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch	1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch	2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,68 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sat, 2 Mar 2019 12:09:03 +0000
+Subject: Don't create our own temporary mount point for pivot_root
+
+An attacker could pre-create /tmp/.bubblewrap-$UID and make it a
+non-directory, non-symlink (in which case mounting our tmpfs would fail,
+causing denial of service), or make it a symlink under their control
+(potentially allowing bad things if the protected_symlinks sysctl is
+not enabled).
+
+Instead, temporarily mount the tmpfs on a directory that we are sure
+exists and is not attacker-controlled. /tmp (the directory itself, not
+a subdirectory) will do.
+
+Bug: https://github.com/projectatomic/bubblewrap/issues/304
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Forwarded: https://github.com/projectatomic/bubblewrap/pull/305
+Reviewed-by: cgwalters
+---
+ bubblewrap.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index b319f1c..fa78129 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -1977,7 +1977,7 @@ main (int    argc,
+       char **argv)
+ {
+   mode_t old_umask;
+-  cleanup_free char *base_path = NULL;
++  const char *base_path = NULL;
+   int clone_flags;
+   char *old_cwd = NULL;
+   pid_t pid;
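Review bot: dropping `cleanup_free` in favour of `const char *base_path` is the right type for a string literal, but it means any remaining `free (base_path)` or `xasprintf` assignment elsewhere in main() would now be a const-discarding assignment or a free of a literal; the second hunk removes the one visible `free (base_path)`, so confirm that no other writer or free of `base_path` survives in the parts of main() not shown here.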
+@@ -2117,15 +2117,12 @@ main (int    argc,
+     die_with_error ("Can't open /proc");
+ 
+   /* We need *some* mountpoint where we can mount the root tmpfs.
+-     We first try in /run, and if that fails, try in /tmp. */
+-  base_path = xasprintf ("/run/user/%d/.bubblewrap", real_uid);
+-  if (ensure_dir (base_path, 0755))
+-    {
+-      free (base_path);
+-      base_path = xasprintf ("/tmp/.bubblewrap-%d", real_uid);
+-      if (ensure_dir (base_path, 0755))
+-        die_with_error ("Creating root mountpoint failed");
+-    }
++   * Because we use pivot_root, it won't appear to be mounted from
++   * the perspective of the sandboxed process, so we can use anywhere
++   * that is sure to exist, that is sure to not be a symlink controlled
++   * by someone malicious, and that we won't immediately need to
++   * access ourselves. */
++  base_path = "/tmp";
+ 
+   __debug__ (("creating new namespace\n"));
+ 
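Review bot: the new comment asserts that the mountpoint "is sure to exist" and "sure to not be a symlink controlled by someone malicious", but nothing checks either property before `base_path = "/tmp"` is used, and the explicit `die_with_error ("Creating root mountpoint failed")` diagnostic from the removed code is gone with it. If /tmp is absent or is a symlink (mount(2) resolves its target through symlinks), the failure now surfaces only at the later tmpfs mount with a less specific message; an `lstat ()` of `base_path` that dies with a clear message unless it is a real, root-owned directory would preserve the old diagnostic and document the assumption in code rather than only in the comment.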
+@@ -2315,7 +2312,8 @@ main (int    argc,
+   /* We create a subdir "$base_path/newroot" for the new root, that
+    * way we can pivot_root to base_path, and put the old root at
+    * "$base_path/oldroot". This avoids problems accessing the oldroot
+-   * dir if the user requested to bind mount something over / */
++   * dir if the user requested to bind mount something over / (or
++   * over /tmp, now that we use that for base_path). */
+ 
+   if (mkdir ("newroot", 0755))
+     die_with_error ("Creating newroot failed");
diff -Nru bubblewrap-0.3.1/debian/patches/series bubblewrap-0.3.1/debian/patches/series
--- bubblewrap-0.3.1/debian/patches/series	2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/series	2019-03-06 14:43:44.000000000 +0000
@@ -1,4 +1,6 @@
 tests-Handle-systems-without-merged-usr.patch
 man-page-Describe-chdir-not-nonexistent-cwd.patch
 Make-lockdata-long-enough-on-32-bit-with-64-bit-file-poin.patch
+Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch
+tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch
 debian/Use-Python-3-for-test-demo-code.patch
diff -Nru bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch
--- bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch	1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch	2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,81 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Tue, 5 Mar 2019 08:36:55 +0000
+Subject: tests: Ensure that tmpfs with oldroot/newroot doesn't appear in
+ container
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Forwarded: https://github.com/projectatomic/bubblewrap/pull/305
+Reviewed-by: cgwalters
+---
+ tests/test-run.sh | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index b883b82..9a20de6 100755
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -80,7 +80,7 @@ if ! $RUN true; then
+     skip Seems like bwrap is not working at all. Maybe setuid is not working
+ fi
+ 
+-echo "1..38"
++echo "1..43"
+ 
+ # Test help
+ ${BWRAP} --help > help.txt
+@@ -256,4 +256,55 @@ if $RUN -- --dev-bind /dev /dev sh -c 'echo should not have run'; then
+ fi
+ echo "ok - options like --dev-bind are defanged by --"
+ 
++if command -v mktemp > /dev/null; then
++    tempfile="$(mktemp /tmp/bwrap-test-XXXXXXXX)"
++    echo "hello" > "$tempfile"
++    $BWRAP --bind / / cat "$tempfile" > stdout
++    assert_file_has_content stdout hello
++    echo "ok - bind-mount of / exposes real /tmp"
++    $BWRAP --bind / / --bind /tmp /tmp cat "$tempfile" > stdout
++    assert_file_has_content stdout hello
++    echo "ok - bind-mount of /tmp exposes real /tmp"
++    if [ -d /mnt ]; then
++        $BWRAP --bind / / --bind /tmp /mnt cat "/mnt/${tempfile#/tmp/}" > stdout
++        assert_file_has_content stdout hello
++        echo "ok - bind-mount of /tmp onto /mnt exposes real /tmp"
++    else
++        echo "ok - # SKIP /mnt does not exist"
++    fi
++else
++    echo "ok - # SKIP mktemp not found"
++    echo "ok - # SKIP mktemp not found"
++    echo "ok - # SKIP mktemp not found"
++fi
++
++if $RUN test -d /tmp/oldroot; then
++    assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $RUN test -d /tmp/newroot; then
++    assert_not_reached "/tmp/newroot should not be visible"
++fi
++
++echo "hello" > input.$$
++$BWRAP --bind / / --bind "$(pwd)" /tmp cat /tmp/input.$$ > stdout
++assert_file_has_content stdout hello
++if $BWRAP --bind / / --bind "$(pwd)" /tmp test -d /tmp/oldroot; then
++    assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $BWRAP --bind / / --bind "$(pwd)" /tmp test -d /tmp/newroot; then
++    assert_not_reached "/tmp/newroot should not be visible"
++fi
++echo "ok - we can mount another directory onto /tmp"
++
++echo "hello" > input.$$
++$RUN --bind "$(pwd)" /tmp/here cat /tmp/here/input.$$ > stdout
++assert_file_has_content stdout hello
++if $RUN --bind "$(pwd)" /tmp/here test -d /tmp/oldroot; then
++    assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $RUN --bind "$(pwd)" /tmp/here test -d /tmp/newroot; then
++    assert_not_reached "/tmp/newroot should not be visible"
++fi
++echo "ok - we can mount another directory inside /tmp"
++
+ echo "ok - End of test"
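Review bot: the file created by `tempfile="$(mktemp /tmp/bwrap-test-XXXXXXXX)"` is never removed, so every test run leaves a stray file in the real /tmp; add `rm -f "$tempfile"` after the /mnt case (and in the SKIP branch nothing is created, so that branch needs no cleanup). Separately, `echo "hello" > input.$$` appears twice (before the "onto /tmp" tests and again before the "inside /tmp" tests) with the same content; the second echo is redundant and can be dropped, and `input.$$` should be removed at the end of the block alongside `stdout`.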
diff -Nru bubblewrap-0.3.1/debian/upstream/metadata bubblewrap-0.3.1/debian/upstream/metadata
--- bubblewrap-0.3.1/debian/upstream/metadata	1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/upstream/metadata	2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,8 @@
+---
+Name: Bubblewrap
+Repository: https://github.com/projectatomic/bubblewrap
+Repository-Browse: https://github.com/projectatomic/bubblewrap
+Bug-Database: https://github.com/projectatomic/bubblewrap/issues
+Bug-Submit: https://github.com/projectatomic/bubblewrap/issues/new
+...
+# vim:set ft=yaml:

--- End Message ---
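The commit message above describes the class of bug the patch removes: a privileged program "ensuring" a directory exists at a predictable name inside a world-writable directory, which lets another local user pre-create that name as a regular file (mount fails, denial of service) or as a symlink (the program proceeds into a directory the attacker chose unless protected_symlinks intervenes). The following is an added example, not bubblewrap's own code: it reproduces the unsafe mkdir-then-stat pattern beside a stricter lstat-based check, and runs both against an attacker-planted file and symlink. The scratch directory standing in for /tmp, the `.bubblewrap-<uid>` name and the `attacker-dir` target are constructed for the demo, and attacker and victim share a uid because it runs unprivileged. Even the stricter check keeps a window between check and use, which is why upstream's actual fix avoids a predictable per-user name altogether and mounts on /tmp itself.

```c
/* Added example (not bubblewrap code): predictable mountpoint names in a
 * world-writable directory.  Paths and the "attacker" are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Unsafe pattern: mkdir, and on EEXIST accept whatever is there as long as
 * stat() says it is a directory.  stat() follows symlinks, so a symlink
 * planted by another user to a directory of their choosing passes. */
int ensure_dir_unsafe (const char *path, mode_t mode)
{
  struct stat st;
  if (mkdir (path, mode) == 0)
    return 0;
  if (errno != EEXIST)
    return -1;
  if (stat (path, &st) != 0)
    return -1;
  if (!S_ISDIR (st.st_mode))
    { errno = ENOTDIR; return -1; }   /* pre-created regular file: DoS */
  return 0;                            /* symlink to any directory: accepted */
}

/* Stricter variant: refuse symlinks (lstat), non-directories, directories
 * owned by anyone else, and group/world-writable directories.  A window
 * between this check and the later use of the path remains. */
int ensure_dir_safe (const char *path, mode_t mode, uid_t owner)
{
  struct stat st;
  if (mkdir (path, mode) == 0)
    return 0;
  if (errno != EEXIST)
    return -1;
  if (lstat (path, &st) != 0)
    return -1;
  if (S_ISLNK (st.st_mode))
    { errno = ELOOP; return -1; }
  if (!S_ISDIR (st.st_mode))
    { errno = ENOTDIR; return -1; }
  if (st.st_uid != owner)
    { errno = EPERM; return -1; }
  if (st.st_mode & (S_IWGRP | S_IWOTH))
    { errno = EPERM; return -1; }
  return 0;
}

/* Scratch directory standing in for /tmp; caller frees and rmdir()s it. */
char *make_scratch (void)
{
  char tmpl[] = "/tmp/bwrap-demo-XXXXXX";
  char *d = mkdtemp (tmpl);
  return d ? strdup (d) : NULL;
}

enum plant { PLANT_NOTHING, PLANT_FILE, PLANT_SYMLINK };

/* Pre-create <scratch>/.bubblewrap-<uid> as the attacker would (or leave it
 * absent), run the chosen checker, clean up, and return the checker's
 * result: 0 = path accepted, -1 = refused. */
int run_scenario (const char *scratch, enum plant what, int use_safe)
{
  char victim[4096], target[4096];
  int rc;
  snprintf (victim, sizeof victim, "%s/.bubblewrap-%d", scratch, (int) getuid ());
  snprintf (target, sizeof target, "%s/attacker-dir", scratch);
  mkdir (target, 0755);
  if (what == PLANT_FILE)
    close (open (victim, O_WRONLY | O_CREAT | O_EXCL, 0644));
  else if (what == PLANT_SYMLINK)
    symlink (target, victim);
  rc = use_safe ? ensure_dir_safe (victim, 0755, getuid ())
                : ensure_dir_unsafe (victim, 0755);
  unlink (victim);  /* removes a planted file or symlink */
  rmdir (victim);   /* removes a directory the checker created */
  rmdir (target);
  return rc;
}

int main (void)
{
  char *scratch = make_scratch ();
  if (scratch == NULL)
    { perror ("mkdtemp"); return 1; }
  printf ("nothing planted: unsafe=%d safe=%d\n",
          run_scenario (scratch, PLANT_NOTHING, 0), run_scenario (scratch, PLANT_NOTHING, 1));
  printf ("planted file:    unsafe=%d safe=%d\n",
          run_scenario (scratch, PLANT_FILE, 0), run_scenario (scratch, PLANT_FILE, 1));
  printf ("planted symlink: unsafe=%d safe=%d\n",
          run_scenario (scratch, PLANT_SYMLINK, 0), run_scenario (scratch, PLANT_SYMLINK, 1));
  rmdir (scratch);
  free (scratch);
  return 0;
}
```

The planted regular file defeats both checkers, which is the denial of service the commit message describes; the planted symlink is accepted by the unsafe checker and refused by the lstat-based one. Neither result changes the conclusion of the patch: a privileged program should not depend on a name another user can create first.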
--- Begin Message ---
On Wed, Mar 06, 2019 at 04:38:52PM +0000, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package bubblewrap and/or speed up its migration. This
> version fixes a potential security vulnerability reported by Jakub Wilk
> (no CVE ID available yet) when not run in a systemd-logind session. I
> believe the impact is usually only DoS, but it could be worse in some
> cases.

Unblocked and aged due to the security fix; thanks.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
