sys-apps/bubblewrap is at version 0.3.1 on portage and version 0.3.3 brings an additional security fix and some bugfixes

Reproducible: Always

Steps to Reproduce:
1. bwrap --version

Actual Results:
reports version 0.3.1

Expected Results:
reports version 0.3.3
Created attachment 576946: emerge --info
(In reply to Laurent Vivier from comment #0)
> sys-apps/bubblewrap is at version 0.3.1 on portage and version 0.3.3 brings
> _an additional security fix_ and some bugfixes

[emphasis added]
I don't see a CVE assigned?
(In reply to Aaron Bauman from comment #3)
> I don't see a CVE assigned?

The release notes carry this bit:

> This release fixes a mostly theoretical security issue in unusual/broken
> setups where $XDG_RUNTIME_DIR is unset.

Please note that version 0.4.0 was released meanwhile.
Please also note that having a current version available in Gentoo would be useful to allow other ebuilds to use the system-provided version instead of a bundled copy: https://github.com/fosero/flatpak-overlay/issues/46
* CVE-2019-12439
Description: "bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."
Bug: https://github.com/containers/bubblewrap/issues/304
Patch: https://github.com/containers/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e

* CVE-2020-5291
Description: "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces."
Advisory: https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
Patch: https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240
@maintainer(s), please create an appropriate ebuild.
@maintainer(s): ping
CVE-2020-5291 (https://nvd.nist.gov/vuln/detail/CVE-2020-5291):
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces.

Known to be affected are:
* Debian testing/unstable, if unprivileged user namespaces enabled (not default)
* Debian buster-backports, if unprivileged user namespaces enabled (not default)
* Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default)
* Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default)

This has been fixed in the 0.4.1 release, and all affected users should update.
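The CVE text above names three preconditions that must all hold before CVE-2020-5291 applies (bwrap older than 0.4.1, installed setuid root, and a kernel that lets unprivileged users create user namespaces); comment #4 likewise ties CVE-2019-12439 to setups where $XDG_RUNTIME_DIR is unset. The script below is an added example, not code from bubblewrap or from Gentoo, that checks those preconditions on a host. It assumes `bwrap --version` prints "bubblewrap X.Y.Z", that `kernel.unprivileged_userns_clone` is the Debian/linux-hardened toggle (absent on mainline kernels) and that `user.max_user_namespaces` is the mainline limit; it reports exposure to the preconditions only and does not attempt the `--userns2` trick.

```shell
#!/bin/sh
# Added example (not bubblewrap's or Gentoo's code): report whether a host meets the
# preconditions for CVE-2020-5291 and CVE-2019-12439 as described in this bug.
# Assumed sysctl paths:
#   /proc/sys/kernel/unprivileged_userns_clone  (Debian / linux-hardened patch, 0 or 1)
#   /proc/sys/user/max_user_namespaces          (mainline; 0 disables user namespaces)

# version_lt A B: exit 0 when dotted numeric version A is strictly lower than B
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 1
}

# is_setuid_root PATH: exit 0 when PATH carries the setuid bit and is owned by root
is_setuid_root() {
  [ -n "$(find "$1" -prune -perm -4000 -user root 2>/dev/null)" ]
}

# userns_unprivileged: exit 0 when an unprivileged user may create user namespaces
userns_unprivileged() {
  if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
    [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
  fi
  [ -r /proc/sys/user/max_user_namespaces ] &&
    [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]
}

# assess_5291 VERSION SETUID(0/1) USERNS(0/1): "exposed" only when all three hold
assess_5291() {
  if version_lt "$1" 0.4.1 && [ "$2" = 1 ] && [ "$3" = 1 ]; then
    echo exposed
  else
    echo "not exposed"
  fi
}

# assess_12439 VERSION XDG_SET(0/1): "exposed" when bwrap < 0.3.3 and XDG_RUNTIME_DIR is unset
assess_12439() {
  if version_lt "$1" 0.3.3 && [ "$2" = 0 ]; then
    echo exposed
  else
    echo "not exposed"
  fi
}

# Host report; every probe is guarded so the script never aborts under `set -e`.
report_host() {
  bwrap_path=$(command -v bwrap 2>/dev/null || true)
  if [ -z "$bwrap_path" ]; then
    echo "bwrap not installed: not exposed"
    return 0
  fi
  ver=$("$bwrap_path" --version 2>/dev/null | awk '{print $2}')
  suid=0; is_setuid_root "$bwrap_path" && suid=1
  ns=0; userns_unprivileged && ns=1
  xdg=0; [ -n "${XDG_RUNTIME_DIR:-}" ] && xdg=1
  echo "bwrap ${ver:-?} setuid=$suid unprivileged_userns=$ns XDG_RUNTIME_DIR_set=$xdg"
  echo "CVE-2020-5291: $(assess_5291 "${ver:-0}" "$suid" "$ns")"
  echo "CVE-2019-12439: $(assess_12439 "${ver:-0}" "$xdg")"
  return 0
}

report_host
```

The version comparison is done in plain sh rather than `sort -V` so the script also works on minimal (busybox) systems; the assess functions take their inputs as arguments so the decision logic can be exercised without a bwrap binary present.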
Bumped: https://github.com/gentoo/gentoo/commit/e3a44ee8d1d0c4527a25ac201e6d51d974de1bbc
amd64 stable
x86 stable
arm64 stable @maintainer(s), please cleanup
(In reply to GLSAMaker/CVETool Bot from comment #10)
> CVE-2020-5291 (https://nvd.nist.gov/vuln/detail/CVE-2020-5291):
> Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the
> kernel supports unprivileged user namespaces, then the `bwrap --userns2`
> option can be used to make the setuid process keep running as root while
> being traceable. This can in turn be used to gain root permissions. Note
> that this only affects the combination of bubblewrap in setuid mode (which
> is typically used when unprivileged user namespaces are not supported) and
> the support of unprivileged user namespaces.
>
> Known to be affected are:
> * Debian testing/unstable, if unprivileged user namespaces enabled (not default)
> * Debian buster-backports, if unprivileged user namespaces enabled (not default)
> * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default)
> * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default)
>
> This has been fixed in the 0.4.1 release, and all affected users should update.

Note that we are NOT vulnerable to this: https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj

Thanks slashbeast for pointing this out.
This issue was resolved and addressed in GLSA 202006-18 at https://security.gentoo.org/glsa/202006-18 by GLSA coordinator Aaron Bauman (b-man).