Your message dated Mon, 30 Mar 2020 14:33:44 +0000
with message-id <[email protected]>
and subject line Bug#951577: fixed in bubblewrap 0.4.1-1
has caused the Debian Bug report #951577,
regarding Bubblewrap upstream-as-root test fails with libcap2 1:2.31-1 and later
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
951577: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951577
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcap2
Version: 1:2.32-1
The bubblewrap upstream-as-root test started failing after libcap2
1:2.31-1 got synced from Debian. The same failure can be seen with
1:2.32-1. I have reproduced the issue locally on focal - when using
the focal-proposed version, the aforementioned test fails, where with
the release version (after reverting libcap2 to 1:2.27-1) it passes.
It seems to fail here already:
bwrap --bind / / --tmpfs /tmp --as-pid-1 --cap-drop CAP_KILL \
    --cap-drop CAP_FOWNER --unshare-pid capsh --print
assert_not_file_has_content caps.test '^Current: =.*cap_kill'
It looks like the requested caps did not get dropped, as the logs show
that both cap_kill and cap_fowner are still there. This is only for
the upstream-as-root test, i.e. executing tests/test-run.sh as root.
This might be an issue with bubblewrap, but seeing that it all works
fine with the release version, it all feels like an unintended
regression.
Reported on Ubuntu here:
https://bugs.launchpad.net/ubuntu/+source/libcap2/+bug/1863733
Best regards,
--
Łukasz 'sil2100' Zemczak
Foundations Team
[email protected]
www.canonical.com
--- End Message ---
--- Begin Message ---
Source: bubblewrap
Source-Version: 0.4.1-1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
bubblewrap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated bubblewrap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 30 Mar 2020 14:33:54 +0100
Source: bubblewrap
Architecture: source
Version: 0.4.1-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 948617 951577
Changes:
 bubblewrap (0.4.1-1) unstable; urgency=high
 .
   * New upstream release
     - Fixes a root privilege escalation vulnerability introduced in 0.4.0,
       in cases where the kernel allows creation of user namespaces by
       unprivileged users and bwrap is (unnecessarily) setuid root.
       Debian systems are vulnerable if
       /proc/sys/kernel/unprivileged_userns_clone (default 0) has been
       changed to 1, or if using an upstream kernel instead of a Debian
       kernel.
       Ubuntu systems are not normally vulnerable, because bwrap is not
       normally setuid there.
       (GHSA-j2qp-rvxj-43vj, CVE ID pending)
     - Fixes test failure with libcap >= 2.29 (Closes: #951577)
   * Update various URLs from https://github.com/projectatomic/bubblewrap
     to https://github.com/containers/bubblewrap
   * Set upstream metadata fields: Repository.
   * Remove obsolete field Name from debian/upstream/metadata (already
     present in machine-readable debian/copyright).
   * Standards-Version: 4.5.0 (no changes required)
   * d/tests/control: Qualify CLI tools with :native.
     Thanks to Steve Langasek (Closes: #948617)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
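The exposure conditions listed in the 0.4.1-1 changelog entry above can be checked on a host with the following script. It is an added example, not part of either message or of the bubblewrap package. The function names and result strings are hypothetical, and a missing sysctl file is assumed to mean an upstream kernel that permits unprivileged user namespaces.

```shell
#!/bin/sh
# Added example (not from the bug thread): evaluate the three conditions the
# 0.4.1-1 changelog names: affected version, setuid-root bwrap, and
# unprivileged user namespaces enabled.

# userns_state [FILE]: print 1 if unprivileged userns creation is allowed.
# Assumption: a missing file means an upstream (non-Debian) kernel, which the
# changelog treats as allowing it.
userns_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo 1
    fi
}

# setuid_root_state PATH: print yes if PATH has the setuid bit and uid 0 owns it.
setuid_root_state() {
    if [ -u "$1" ] && [ "$(stat -c %u "$1" 2>/dev/null)" = "0" ]; then
        echo yes
    else
        echo no
    fi
}

# classify_exposure VERSION SETUID(yes|no) USERNS(0|1)
# The changelog says the flaw was introduced in 0.4.0 and fixed in 0.4.1.
classify_exposure() {
    case "$1" in
        0.4.0|0.4.0-*) ;;
        unknown) echo "unknown-version"; return 0 ;;
        *) echo "version-not-affected"; return 0 ;;
    esac
    [ "$2" = "yes" ] || { echo "not-setuid"; return 0; }
    [ "$3" = "1" ] || { echo "userns-disabled"; return 0; }
    echo "exposed"
}

# check_host: gather the three inputs from the running system and classify.
check_host() {
    bwrap_path=$(command -v bwrap) || { echo "bwrap-not-installed"; return 0; }
    version=$(dpkg-query -W -f='${Version}' bubblewrap 2>/dev/null) || version=unknown
    classify_exposure "$version" "$(setuid_root_state "$bwrap_path")" "$(userns_state)"
}

check_host
```

A result of `exposed` means all three conditions hold; upgrading to 0.4.1-1 or removing the setuid bit from bwrap each break one of them.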