Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 686114 (CVE-2019-12439, CVE-2020-5291) - <sys-apps/bubblewrap-0.4.1: Multiple vulnerabilities (CVE-2019-12439, CVE-2020-5291)
Summary: <sys-apps/bubblewrap-0.4.1: Multiple vulnerabilities (CVE-2019-12439, CVE-202...
Status: RESOLVED FIXED
Alias: CVE-2019-12439, CVE-2020-5291
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2019-05-16 18:54 UTC by Laurent V
Modified: 2020-06-15 15:52 UTC (History)
4 users (show)

See Also:
Package list:
=sys-apps/bubblewrap-0.4.1
Runtime testing required: ---
nattka: sanity-check+


Attachments
emerge --info (emerge-info,6.14 KB, text/plain)
2019-05-16 18:55 UTC, Laurent V
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Laurent V 2019-05-16 18:54:02 UTC
sys-apps/bubblewrap is at version 0.3.1 on portage and version 0.3.3 brings an additional security fix and some bugfixes

Reproducible: Always

Steps to Reproduce:
1. bwrap --version
2.
3.
Actual Results:  
reports version 0.3.1

Expected Results:  
reports version 0.3.3
Comment 1 Laurent V 2019-05-16 18:55:05 UTC
Created attachment 576946 [details]
emerge --info
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2019-05-16 23:06:00 UTC
(In reply to Laurent Vivier from comment #0)
> sys-apps/bubblewrap is at version 0.3.1 on portage and version 0.3.3 brings
> _an additional security fix_ and some bugfixes

[emphasis added]
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-08-11 23:09:23 UTC
I don't see a CVE assigned?
Comment 4 Dennis Schridde 2020-03-01 00:01:34 UTC
(In reply to Aaron Bauman from comment #3)
> I don't see a CVE assigned?

The release notes carry this bit:
> This release fixes a mostly theoretical security issue in unusual/broken
> setups where $XDG_RUNTIME_DIR is unset.

Please note that version 0.4.0 was released meanwhile.
Comment 5 Dennis Schridde 2020-03-01 00:03:21 UTC
Please also note that having a current version available in Gentoo would be useful to allow other ebuilds to use the system-provided version instead of a bundled copy: https://github.com/fosero/flatpak-overlay/issues/46
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-06 13:03:47 UTC
* CVE-2019-12439

Description:
"bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."

Bug: https://github.com/containers/bubblewrap/issues/304
Patch: https://github.com/containers/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 18:48:11 UTC
* CVE-2020-5291

Description:
"Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. 

Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces."

Advisory: https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj

Patch: https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 18:50:07 UTC
@maintainer(s), please create an appropriate ebuild.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 00:55:29 UTC
@maintsiner(s): ping
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-04-16 13:47:45 UTC
CVE-2020-5291 (https://nvd.nist.gov/vuln/detail/CVE-2020-5291):
  Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the
  kernel supports unprivileged user namespaces, then the `bwrap --userns2`
  option can be used to make the setuid process keep running as root while
  being traceable. This can in turn be used to gain root permissions. Note
  that this only affects the combination of bubblewrap in setuid mode (which
  is typically used when unprivileged user namespaces are not supported) and
  the support of unprivileged user namespaces. Known to be affected are: *
  Debian testing/unstable, if unprivileged user namespaces enabled (not
  default) * Debian buster-backports, if unprivileged user namespaces enabled
  (not default) * Arch if using `linux-hardened`, if unprivileged user
  namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged
  user namespaces enabled (not default) This has been fixed in the 0.4.1
  release, and all affected users should update.
Comment 12 Agostino Sarubbo gentoo-dev 2020-05-02 18:42:32 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-05-02 18:44:53 UTC
x86 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-04 06:22:03 UTC
arm64 stable

@maintainer(s), please cleanup
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-13 00:52:15 UTC
(In reply to GLSAMaker/CVETool Bot from comment #10)
> CVE-2020-5291 (https://nvd.nist.gov/vuln/detail/CVE-2020-5291):
>   Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and
> the
>   kernel supports unprivileged user namespaces, then the `bwrap --userns2`
>   option can be used to make the setuid process keep running as root while
>   being traceable. This can in turn be used to gain root permissions. Note
>   that this only affects the combination of bubblewrap in setuid mode (which
>   is typically used when unprivileged user namespaces are not supported) and
>   the support of unprivileged user namespaces. Known to be affected are: *
>   Debian testing/unstable, if unprivileged user namespaces enabled (not
>   default) * Debian buster-backports, if unprivileged user namespaces enabled
>   (not default) * Arch if using `linux-hardened`, if unprivileged user
>   namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged
>   user namespaces enabled (not default) This has been fixed in the 0.4.1
>   release, and all affected users should update.

Note that we are NOT vulnerable to this: https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj

Thanks slashbeast for pointing this out.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:52:05 UTC
This issue was resolved and addressed in
 GLSA 202006-18 at https://security.gentoo.org/glsa/202006-18
by GLSA coordinator Aaron Bauman (b-man).