bubblewrap (0.4.1-1) unstable; urgency=high

  * New upstream release
    - Fixes a root privilege escalation vulnerability introduced in 0.4.0,
      in cases where the kernel allows creation of user namespaces by
      unprivileged users and bwrap is (unnecessarily) setuid root.
      Debian systems are vulnerable if
      /proc/sys/kernel/unprivileged_userns_clone (default 0) has been
      changed to 1, or if using an upstream kernel instead of a Debian
      kernel.
      Ubuntu systems are not normally vulnerable, because bwrap is not
      normally setuid there.
      (GHSA-j2qp-rvxj-43vj, CVE ID pending)
    - Fixes test failure with libcap >= 2.29 (Closes: #951577)
  * Update various URLs from https://github.com/projectatomic/bubblewrap
    to https://github.com/containers/bubblewrap
  * Set upstream metadata fields: Repository.
  * Remove obsolete field Name from debian/upstream/metadata (already
    present in machine-readable debian/copyright).
  * Standards-Version: 4.5.0 (no changes required)
  * d/tests/control: Qualify CLI tools with :native.
    Thanks to Steve Langasek (Closes: #948617)

 -- Simon McVittie <[email protected]>  Mon, 30 Mar 2020 14:33:54 +0100

** Changed in: bubblewrap (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to bubblewrap in Ubuntu.
https://bugs.launchpad.net/bugs/1873925

Title:
  Sync bubblewrap 0.4.1-1 (main) from Debian unstable (main)

Status in bubblewrap package in Ubuntu:
  Fix Released

Bug description:
  Please sync bubblewrap 0.4.1-1 (main) from Debian unstable (main)

  The sync includes the security fix, which is already included in
  0.4.0-1ubuntu4, and other minor fixes.

  https://github.com/containers/bubblewrap/releases/tag/v0.4.1

  - Always clear the capability bounding set (cosmetic issue)
  - Make the tests work with libcap >= 2.29
  - Properly report child exit status in some cases

  Alexander Larsson (9):
  Ensure we're always clearing the cap bounding set
  Don't rely on geteuid() to know when to switch back from setuid root
  Don't support --userns2 in setuid mode
  drop_privs: More explicit argument name

  Christian Kastner (1):
  tests: Update output patterns for libcap >= 2.29

  Jean-Baptiste BESNARD (1):
  retcode: fix return code with syncfd and no event_fd

  TomSweeneyRedHat (1):
  Add Code of Conduct

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: privilege escalation when used in setuid mode
      - debian/patches/CVE-2020-5291.patch: don't rely on geteuid() to know
        when to switch back from setuid root in bubblewrap.c.
      - CVE-2020-5291
    * d/p/update-output-patterns-libcap-2.29.patch: cherry-pick proposed
      fix to capability drop-related tests, which broke with newer libcap2.
    * No-change rebuild with fixed binutils on arm64.
    * Make autopkgtests cross-test-friendly.

  All changes are now in Debian.

  Changelog entries since current focal version 0.4.0-1ubuntu4:

  bubblewrap (0.4.1-1) unstable; urgency=high

    * New upstream release
      - Fixes a root privilege escalation vulnerability introduced in 0.4.0,
        in cases where the kernel allows creation of user namespaces by
        unprivileged users and bwrap is (unnecessarily) setuid root.
        Debian systems are vulnerable if
        /proc/sys/kernel/unprivileged_userns_clone (default 0) has been
        changed to 1, or if using an upstream kernel instead of a Debian
        kernel.
        Ubuntu systems are not normally vulnerable, because bwrap is not
        normally setuid there.
        (GHSA-j2qp-rvxj-43vj, CVE ID pending)
      - Fixes test failure with libcap >= 2.29 (Closes: #951577)
    * Update various URLs from https://github.com/projectatomic/bubblewrap
      to https://github.com/containers/bubblewrap
    * Set upstream metadata fields: Repository.
    * Remove obsolete field Name from debian/upstream/metadata (already
      present in machine-readable debian/copyright).
    * Standards-Version: 4.5.0 (no changes required)
    * d/tests/control: Qualify CLI tools with :native.
      Thanks to Steve Langasek (Closes: #948617)

   -- Simon McVittie <[email protected]>  Mon, 30 Mar 2020 14:33:54 +0100
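A defender's exposure check for the three conditions the changelog names (bwrap installed setuid root, unprivileged user namespace creation permitted, upstream version 0.4.0), written as an added example that is not part of this bug report, the Debian packaging or the bubblewrap project. It assumes that `bwrap --version` prints a line of the form `bubblewrap 0.4.0`, treats a missing /proc/sys/kernel/unprivileged_userns_clone as the upstream-kernel case the changelog mentions (user namespaces permitted), and the function names and the CHECK_BWRAP_RUN variable are my own choices:

```shell
#!/bin/sh
# Exposure check for the bwrap 0.4.0 setuid issue described in the changelog.
# Added example; not code from the bug report or from the bubblewrap project.
# Assumptions (not from the page): `bwrap --version` prints "bubblewrap X.Y.Z",
# and a missing Debian sysctl knob means a non-Debian kernel where unprivileged
# user namespaces are typically permitted. Every input is a parameter so the
# functions can be exercised against a constructed directory tree.

# True if FILE ($1) carries the setuid bit and is owned by uid 0.
is_setuid_root() {
    [ -u "$1" ] || return 1
    owner=$(ls -ln "$1" | awk '{ print $3 }')   # numeric owner uid
    [ "$owner" = "0" ]
}

# True if unprivileged user namespace creation is permitted, judging by the
# Debian knob given as $1 (default: the real sysctl file). A missing file is
# read as "permitted" (upstream kernel), which is the conservative choice.
userns_unprivileged_allowed() {
    knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$knob" ] || return 0
    [ "$(cat "$knob")" = "1" ]
}

# True if the upstream version string ($1) is the affected release. The
# changelog says the bug was introduced in 0.4.0 and fixed in 0.4.1.
version_is_affected() {
    [ "$1" = "0.4.0" ]
}

# Extract the upstream version from `bwrap --version` output such as
# "bubblewrap 0.4.0"; the output is passed as $1 so this runs offline.
parse_bwrap_version() {
    printf '%s\n' "$1" | awk '/^bubblewrap / { print $2; exit }'
}

# Combine the three conditions; returns 0 (exposed) only when all hold.
# $1 = path to the bwrap binary, $2 = `bwrap --version` output,
# $3 = path to the userns knob (empty string selects the real one).
bwrap_exposed() {
    is_setuid_root "$1" || return 1
    userns_unprivileged_allowed "$3" || return 1
    version_is_affected "$(parse_bwrap_version "$2")"
}

# Live check of the local system; opt in with CHECK_BWRAP_RUN=1 so that
# sourcing the file for testing does not touch the host.
if [ "${CHECK_BWRAP_RUN:-0}" = "1" ]; then
    bin=$(command -v bwrap 2>/dev/null) || { echo "bwrap not installed"; exit 0; }
    if bwrap_exposed "$bin" "$("$bin" --version)" ""; then
        echo "EXPOSED: $bin is setuid root, unprivileged userns allowed, version 0.4.0"
        exit 2
    fi
    echo "not exposed by the changelog's criteria"
fi
```

Run it with `CHECK_BWRAP_RUN=1 sh check_bwrap.sh`. A version match is a prompt to look further, not proof: as the bug description states, 0.4.0-1ubuntu4 already carries the fix as a distro patch, so the package changelog decides for packaged builds. The setuid test is the one that matters most for mitigation, since a non-setuid bwrap on a kernel that permits unprivileged user namespaces (the normal Ubuntu configuration per the changelog) is not affected.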
