Hello community,

here is the log from the commit of package bubblewrap for openSUSE:Factory 
checked in at 2024-08-16 12:22:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
 and      /work/SRC/openSUSE:Factory/.bubblewrap.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bubblewrap"

Fri Aug 16 12:22:52 2024 rev:18 rq:1193998 version:0.10.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes    2024-04-03 
17:18:30.853291905 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new.2698/bubblewrap.changes  
2024-08-16 12:22:53.209129186 +0200
@@ -1,0 +2,11 @@
+Wed Aug 14 17:02:31 UTC 2024 - Bjørn Lie <[email protected]>
+
+- Update to version v0.10.0:
+  * New features: Add the --[ro-]bind-fd option, which can be used
+    to mount a filesystem represented by a file descriptor without
+    time-of-check/time-of-use attacks. This is needed when
+    resolving CVE-2024-42472 in Flatpak.
+  * Other changes: Fix some confusing syntax in SetupOpFlag (no
+    functional change).
+
+-------------------------------------------------------------------

Old:
----
  bubblewrap-0.9.0.tar.xz

New:
----
  bubblewrap-0.10.0.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bubblewrap.spec ++++++
--- /var/tmp/diff_new_pack.abz6dJ/_old  2024-08-16 12:22:54.445180552 +0200
+++ /var/tmp/diff_new_pack.abz6dJ/_new  2024-08-16 12:22:54.445180552 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           bubblewrap
-Version:        0.9.0
+Version:        0.10.0
 Release:        0
 Summary:        Core execution tool for unprivileged containers
 License:        LGPL-2.0-or-later

++++++ bubblewrap-0.9.0.tar.xz -> bubblewrap-0.10.0.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.9.0/bubblewrap.c 
new/bubblewrap-0.10.0/bubblewrap.c
--- old/bubblewrap-0.9.0/bubblewrap.c   2024-03-26 22:08:55.000000000 +0100
+++ new/bubblewrap-0.10.0/bubblewrap.c  2024-08-14 10:30:44.000000000 +0200
@@ -147,7 +147,7 @@
 
 typedef enum {
   NO_CREATE_DEST = (1 << 0),
-  ALLOW_NOTEXIST = (2 << 0),
+  ALLOW_NOTEXIST = (1 << 1),
 } SetupOpFlag;
 
 typedef struct _SetupOp SetupOp;
@@ -341,6 +341,8 @@
            "    --dev-bind-try SRC DEST      Equal to --dev-bind but ignores 
non-existent SRC\n"
            "    --ro-bind SRC DEST           Bind mount the host path SRC 
readonly on DEST\n"
            "    --ro-bind-try SRC DEST       Equal to --ro-bind but ignores 
non-existent SRC\n"
+           "    --bind-fd FD DEST            Bind open directory or path fd on 
DEST\n"
+           "    --ro-bind-fd FD DEST         Bind open directory or path fd 
read-only on DEST\n"
            "    --remount-ro DEST            Remount DEST as readonly; does 
not recursively remount\n"
            "    --exec-label LABEL           Exec label for the sandbox\n"
            "    --file-label LABEL           File label for temporary sandbox 
content\n"
@@ -1231,6 +1233,30 @@
                          (op->type == SETUP_RO_BIND_MOUNT ? BIND_READONLY : 0) 
|
                          (op->type == SETUP_DEV_BIND_MOUNT ? BIND_DEVICES : 0),
                          0, 0, source, dest);
+
+          if (op->fd >= 0)
+            {
+              struct stat fd_st, mount_st;
+
+              /* When using bind-fd, there is a race condition between 
resolving the fd as a magic symlink
+               * and mounting it, where someone could replace what is at the 
symlink target. Ideally
+               * we would not even resolve the symlink and directly bind-mount 
from the fd, but unfortunately
+               * we can't do that, because its not permitted to bind mount a 
fd from another user namespace.
+               * So, we resolve, mount and then compare fstat+stat to detect 
the race. */
+
+              if (fstat(op->fd, &fd_st) != 0)
+                die_with_error("Can't stat fd %d", op->fd);
+              if (lstat(dest, &mount_st) != 0)
+                die_with_error("Can't stat mount at %s", dest);
+
+              if (fd_st.st_ino != mount_st.st_ino ||
+                  fd_st.st_dev != mount_st.st_dev)
+                die_with_error("Race condition binding dirfd");
+
+              close(op->fd);
+              op->fd = -1;
+            }
+
           break;
 
         case SETUP_REMOUNT_RO_NO_RECURSIVE:
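Review bot: The mismatch branch `die_with_error("Race condition binding dirfd")` appends strerror(errno) to a message that does not come from a failed syscall — both fstat() and lstat() just succeeded — so whatever errno happens to hold is printed as if it explained the failure. This is a detected inconsistency, not an OS error, and should use `die ("Race condition binding dirfd")`, the same helper the argument parser in this commit uses for non-errno failures. The comparison itself does what the comment claims: once the mount is in place, lstat(dest) reports the mounted root, so a target swapped between resolving the magic symlink and mount() shows up as a st_dev/st_ino mismatch and aborts the sandbox instead of silently binding the wrong tree; extending the check to `fd_st.st_mode` type bits would also catch a directory being swapped for a non-directory of matching dev/ino across a remount, though that is unlikely. The guard `if (op->fd >= 0)` presumes setup_op_new() initialises fd to -1 for every other op type; that initialisation is outside this diff, and if it is absent fd 0 would be fstat'ed against every ordinary bind mount. The enclosing switch and setup function both continue outside the hunk.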
@@ -1876,6 +1902,30 @@
 
           argv += 2;
           argc -= 2;
+        }
+      else if (strcmp (arg, "--bind-fd") == 0 ||
+               strcmp (arg, "--ro-bind-fd") == 0)
+        {
+          int src_fd;
+          char *endptr;
+
+          if (argc < 3)
+            die ("--bind-fd takes two arguments");
+
+          src_fd = strtol (argv[1], &endptr, 10);
+          if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
+            die ("Invalid fd: %s", argv[1]);
+
+          if (strcmp(arg, "--ro-bind-fd") == 0)
+            op = setup_op_new (SETUP_RO_BIND_MOUNT);
+          else
+            op = setup_op_new (SETUP_BIND_MOUNT);
+          op->source = xasprintf ("/proc/self/fd/%d", src_fd);
+          op->fd = src_fd;
+          op->dest = argv[2];
+
+          argv += 2;
+          argc -= 2;
         }
       else if (strcmp (arg, "--proc") == 0)
         {
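Review bot: The parse at `src_fd = strtol (argv[1], &endptr, 10);` stores a long into an int with no ERANGE or INT_MAX check, so a value outside int range can be truncated (implementation-defined) to a small non-negative number that passes the `src_fd < 0` test and is then bound as a different descriptor than the one named. Parse into a long first: `errno = 0; long val = strtol (argv[1], &endptr, 10);` and reject with `if (argv[1][0] == 0 || endptr[0] != 0 || errno == ERANGE || val < 0 || val > INT_MAX) die ("Invalid fd: %s", argv[1]);` before assigning `op->fd = (int) val;`. The usage message `die ("--bind-fd takes two arguments")` is also reached for --ro-bind-fd; `die ("%s takes two arguments", arg)` names the option the user actually passed. The enclosing argument-parsing function starts and ends outside the hunk.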
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.9.0/configure.ac 
new/bubblewrap-0.10.0/configure.ac
--- old/bubblewrap-0.9.0/configure.ac   2024-03-26 22:08:55.000000000 +0100
+++ new/bubblewrap-0.10.0/configure.ac  2024-08-14 10:30:44.000000000 +0200
@@ -1,5 +1,5 @@
 AC_PREREQ([2.63])
-AC_INIT([bubblewrap], [0.9.0], [[email protected]])
+AC_INIT([bubblewrap], [0.10.0], [[email protected]])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.9.0/meson.build 
new/bubblewrap-0.10.0/meson.build
--- old/bubblewrap-0.9.0/meson.build    2024-03-26 22:08:55.000000000 +0100
+++ new/bubblewrap-0.10.0/meson.build   2024-08-14 10:30:44.000000000 +0200
@@ -1,7 +1,7 @@
 project(
   'bubblewrap',
   'c',
-  version : '0.9.0',
+  version : '0.10.0',
   meson_version : '>=0.49.0',
   default_options : [
     'warning_level=2',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bubblewrap-0.9.0/tests/test-run.sh 
new/bubblewrap-0.10.0/tests/test-run.sh
--- old/bubblewrap-0.9.0/tests/test-run.sh      2024-03-26 22:08:55.000000000 
+0100
+++ new/bubblewrap-0.10.0/tests/test-run.sh     2024-08-14 10:30:44.000000000 
+0200
@@ -565,4 +565,10 @@
 assert_file_has_content stdout right
 ok "argv0 manipulation"
 
+echo "foobar" > file-data
+$RUN --proc /proc --dev /dev --bind / / --bind-fd 100 /tmp cat /tmp/file-data 
100< . > stdout
+assert_file_has_content stdout foobar
+
+ok "bind-fd"
+
 done_testing
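Review bot: The new case exercises only --bind-fd with a directory fd; --ro-bind-fd, added by the same commit, has no coverage, so a regression in the read-only selection (SETUP_RO_BIND_MOUNT versus SETUP_BIND_MOUNT) would go unnoticed. A second case mirroring this one with `--ro-bind-fd 100 /tmp` that asserts a write such as `sh -c 'echo x > /tmp/file-data'` fails would pin the read-only behaviour. Naming the case "bind-fd (directory)" would also make it clear that the path-fd variant mentioned in the help text remains untested.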
