Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package bubblewrap and/or speed up its migration. This
version fixes a potential security vulnerability reported by Jakub Wilk
(no CVE ID available yet) when not run in a systemd-logind session. I
believe the impact is usually only DoS, but it could be worse in some
cases.
Revision -4, uploaded today, should be basically equivalent to revision
-3, which has been in unstable for 3 days. It has more test coverage, and
uses the fix that was merged upstream instead of the similar fix that I
initially proposed.
unblock bubblewrap/0.3.1-4
Thanks,
smcv
diffstat for bubblewrap-0.3.1 bubblewrap-0.3.1
changelog | 19 ++
control | 2
patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch | 68 ++++++++
patches/debian/Use-Python-3-for-test-demo-code.patch | 2
patches/series | 2
patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch | 81 ++++++++++
upstream/metadata | 8
7 files changed, 180 insertions(+), 2 deletions(-)
diff -Nru bubblewrap-0.3.1/debian/changelog bubblewrap-0.3.1/debian/changelog
--- bubblewrap-0.3.1/debian/changelog 2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/changelog 2019-03-06 14:43:44.000000000 +0000
@@ -1,3 +1,22 @@
+bubblewrap (0.3.1-4) unstable; urgency=medium
+
+ * d/p/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch:
+ Replace with the version that was applied upstream
+ * d/p/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch:
+ Add a test to check that the above patch works as intended
+
+ -- Simon McVittie <smcv@debian.org> Wed, 06 Mar 2019 14:43:44 +0000
+
+bubblewrap (0.3.1-3) unstable; urgency=medium
+
+ * d/p/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch:
+ Avoid denial of service and potential symlink attacks on systems not
+ using systemd-logind (Closes: #923557)
+ * Standards-Version: 4.3.0 (no changes required)
+ * d/upstream/metadata: Add DEP-12 metadata
+
+ -- Simon McVittie <smcv@debian.org> Sat, 02 Mar 2019 13:03:29 +0000
+
bubblewrap (0.3.1-2) unstable; urgency=medium
[ Iain Lane ]
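Review bot: the 0.3.1-4 entry says the patch was replaced "with the version that was applied upstream" but does not identify that upstream change; the patch header below carries Forwarded: https://github.com/projectatomic/bubblewrap/pull/305, so naming the PR in the changelog entry would let the release team confirm the -3 to -4 equivalence claimed in the request without reading the patch headers. The -3 entry's description (denial of service plus potential symlink attacks on systems not using systemd-logind, Closes: #923557) matches the impact stated in the unblock text.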
diff -Nru bubblewrap-0.3.1/debian/control bubblewrap-0.3.1/debian/control
--- bubblewrap-0.3.1/debian/control 2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/control 2019-03-06 14:43:44.000000000 +0000
@@ -16,7 +16,7 @@
pkg-config,
python3 <!nocheck>,
xsltproc,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
Homepage: https://github.com/projectatomic/bubblewrap
Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
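Review bot: the Standards-Version bump from 4.2.1 to 4.3.0 is unrelated to the security fix; the changelog records "no changes required", so it is harmless, but for a freeze unblock the diff would be easier to review if limited to the fix and its test.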
diff -Nru bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch
--- bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch 2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/debian/Use-Python-3-for-test-demo-code.patch 2019-03-06 14:43:44.000000000 +0000
@@ -19,7 +19,7 @@
import os, select, subprocess, sys, json
diff --git a/tests/test-run.sh b/tests/test-run.sh
-index b883b82..5efaed0 100755
+index 9a20de6..cfadf91 100755
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -193,7 +193,7 @@ fi
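Review bot: only the blob ids on the index line change here (b883b82..5efaed0 becomes 9a20de6..cfadf91), which is the expected refresh after the new tests patch is inserted ahead of this one in series. The nested hunk header @@ -193,7 +193,7 @@ can stay unchanged because the tests patch's only edit before line 193 is a same-length replacement at line 83 ("1..38" to "1..43"), and its other additions land after line 256.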
diff -Nru bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch
--- bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch 1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch 2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,68 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sat, 2 Mar 2019 12:09:03 +0000
+Subject: Don't create our own temporary mount point for pivot_root
+
+An attacker could pre-create /tmp/.bubblewrap-$UID and make it a
+non-directory, non-symlink (in which case mounting our tmpfs would fail,
+causing denial of service), or make it a symlink under their control
+(potentially allowing bad things if the protected_symlinks sysctl is
+not enabled).
+
+Instead, temporarily mount the tmpfs on a directory that we are sure
+exists and is not attacker-controlled. /tmp (the directory itself, not
+a subdirectory) will do.
+
+Bug: https://github.com/projectatomic/bubblewrap/issues/304
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Forwarded: https://github.com/projectatomic/bubblewrap/pull/305
+Reviewed-by: cgwalters
+---
+ bubblewrap.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index b319f1c..fa78129 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -1977,7 +1977,7 @@ main (int argc,
+ char **argv)
+ {
+ mode_t old_umask;
+- cleanup_free char *base_path = NULL;
++ const char *base_path = NULL;
+ int clone_flags;
+ char *old_cwd = NULL;
+ pid_t pid;
+@@ -2117,15 +2117,12 @@ main (int argc,
+ die_with_error ("Can't open /proc");
+
+ /* We need *some* mountpoint where we can mount the root tmpfs.
+- We first try in /run, and if that fails, try in /tmp. */
+- base_path = xasprintf ("/run/user/%d/.bubblewrap", real_uid);
+- if (ensure_dir (base_path, 0755))
+- {
+- free (base_path);
+- base_path = xasprintf ("/tmp/.bubblewrap-%d", real_uid);
+- if (ensure_dir (base_path, 0755))
+- die_with_error ("Creating root mountpoint failed");
+- }
++ * Because we use pivot_root, it won't appear to be mounted from
++ * the perspective of the sandboxed process, so we can use anywhere
++ * that is sure to exist, that is sure to not be a symlink controlled
++ * by someone malicious, and that we won't immediately need to
++ * access ourselves. */
++ base_path = "/tmp";
+
+ __debug__ (("creating new namespace\n"));
+
+@@ -2315,7 +2312,8 @@ main (int argc,
+ /* We create a subdir "$base_path/newroot" for the new root, that
+ * way we can pivot_root to base_path, and put the old root at
+ * "$base_path/oldroot". This avoids problems accessing the oldroot
+- * dir if the user requested to bind mount something over / */
++ * dir if the user requested to bind mount something over / (or
++ * over /tmp, now that we use that for base_path). */
+
+ if (mkdir ("newroot", 0755))
+ die_with_error ("Creating newroot failed");
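Review bot: dropping the cleanup_free attribute in the first sub-hunk is required, not cosmetic: base_path now points at the string literal "/tmp", and freeing it would be a bug, so the change to const char * is correct. The second sub-hunk removes the /run/user/$UID attempt together with the /tmp/.bubblewrap-$UID fallback, so the behaviour no longer depends on whether a logind session exists; the new comment states the assumptions (exists, not an attacker-controlled symlink, not needed by bwrap itself) but the hunk adds no explicit check that /tmp is a directory, and whether the later tmpfs mount reports a clear error in that case is not visible here. On documentation: the changelog says this is the version applied upstream, so the DEP-3 header block should gain an Applied-Upstream: field naming the upstream commit or release, in addition to the existing Forwarded: line.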
diff -Nru bubblewrap-0.3.1/debian/patches/series bubblewrap-0.3.1/debian/patches/series
--- bubblewrap-0.3.1/debian/patches/series 2018-10-03 15:23:27.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/series 2019-03-06 14:43:44.000000000 +0000
@@ -1,4 +1,6 @@
tests-Handle-systems-without-merged-usr.patch
man-page-Describe-chdir-not-nonexistent-cwd.patch
Make-lockdata-long-enough-on-32-bit-with-64-bit-file-poin.patch
+Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch
+tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch
debian/Use-Python-3-for-test-demo-code.patch
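Review bot: the ordering is consistent with the rest of the debdiff: the fix patch is applied first, the tests patch second, and debian/Use-Python-3-for-test-demo-code.patch last, which is what the refreshed index 9a20de6..cfadf91 line in that patch requires (9a20de6 is the post-tests-patch blob id shown in the tests patch's own index line).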
diff -Nru bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch
--- bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch 1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/patches/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch 2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,81 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Tue, 5 Mar 2019 08:36:55 +0000
+Subject: tests: Ensure that tmpfs with oldroot/newroot doesn't appear in
+ container
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Forwarded: https://github.com/projectatomic/bubblewrap/pull/305
+Reviewed-by: cgwalters
+---
+ tests/test-run.sh | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index b883b82..9a20de6 100755
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -80,7 +80,7 @@ if ! $RUN true; then
+ skip Seems like bwrap is not working at all. Maybe setuid is not working
+ fi
+
+-echo "1..38"
++echo "1..43"
+
+ # Test help
+ ${BWRAP} --help > help.txt
+@@ -256,4 +256,55 @@ if $RUN -- --dev-bind /dev /dev sh -c 'echo should not have run'; then
+ fi
+ echo "ok - options like --dev-bind are defanged by --"
+
++if command -v mktemp > /dev/null; then
++ tempfile="$(mktemp /tmp/bwrap-test-XXXXXXXX)"
++ echo "hello" > "$tempfile"
++ $BWRAP --bind / / cat "$tempfile" > stdout
++ assert_file_has_content stdout hello
++ echo "ok - bind-mount of / exposes real /tmp"
++ $BWRAP --bind / / --bind /tmp /tmp cat "$tempfile" > stdout
++ assert_file_has_content stdout hello
++ echo "ok - bind-mount of /tmp exposes real /tmp"
++ if [ -d /mnt ]; then
++ $BWRAP --bind / / --bind /tmp /mnt cat "/mnt/${tempfile#/tmp/}" > stdout
++ assert_file_has_content stdout hello
++ echo "ok - bind-mount of /tmp onto /mnt exposes real /tmp"
++ else
++ echo "ok - # SKIP /mnt does not exist"
++ fi
++else
++ echo "ok - # SKIP mktemp not found"
++ echo "ok - # SKIP mktemp not found"
++ echo "ok - # SKIP mktemp not found"
++fi
++
++if $RUN test -d /tmp/oldroot; then
++ assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $RUN test -d /tmp/newroot; then
++ assert_not_reached "/tmp/newroot should not be visible"
++fi
++
++echo "hello" > input.$$
++$BWRAP --bind / / --bind "$(pwd)" /tmp cat /tmp/input.$$ > stdout
++assert_file_has_content stdout hello
++if $BWRAP --bind / / --bind "$(pwd)" /tmp test -d /tmp/oldroot; then
++ assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $BWRAP --bind / / --bind "$(pwd)" /tmp test -d /tmp/newroot; then
++ assert_not_reached "/tmp/newroot should not be visible"
++fi
++echo "ok - we can mount another directory onto /tmp"
++
++echo "hello" > input.$$
++$RUN --bind "$(pwd)" /tmp/here cat /tmp/here/input.$$ > stdout
++assert_file_has_content stdout hello
++if $RUN --bind "$(pwd)" /tmp/here test -d /tmp/oldroot; then
++ assert_not_reached "/tmp/oldroot should not be visible"
++fi
++if $RUN --bind "$(pwd)" /tmp/here test -d /tmp/newroot; then
++ assert_not_reached "/tmp/newroot should not be visible"
++fi
++echo "ok - we can mount another directory inside /tmp"
++
+ echo "ok - End of test"
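Review bot: the file created by mktemp in the first new block is never removed, so every run of test-run.sh leaves a /tmp/bwrap-test-XXXXXXXX behind on the host; add `rm -f "$tempfile"` after the /mnt check (or a trap). The second `echo "hello" > input.$$` before the /tmp/here block is redundant, since the same file was written a few lines earlier and never removed. The plan bump from 38 to 43 is correct: the mktemp block emits three ok lines on either branch (including the /mnt SKIP case), and the two final blocks add one each, for five new tests.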
diff -Nru bubblewrap-0.3.1/debian/upstream/metadata bubblewrap-0.3.1/debian/upstream/metadata
--- bubblewrap-0.3.1/debian/upstream/metadata 1970-01-01 01:00:00.000000000 +0100
+++ bubblewrap-0.3.1/debian/upstream/metadata 2019-03-06 14:43:44.000000000 +0000
@@ -0,0 +1,8 @@
+---
+Name: Bubblewrap
+Repository: https://github.com/projectatomic/bubblewrap
+Repository-Browse: https://github.com/projectatomic/bubblewrap
+Bug-Database: https://github.com/projectatomic/bubblewrap/issues
+Bug-Submit: https://github.com/projectatomic/bubblewrap/issues/new
+...
+# vim:set ft=yaml: