Hello community,
here is the log from the commit of package bubblewrap for openSUSE:Factory
checked in at 2020-04-05 20:51:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old)
and /work/SRC/openSUSE:Factory/.bubblewrap.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bubblewrap"
Sun Apr 5 20:51:39 2020 rev:11 rq:790515 version:0.4.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes 2019-12-28
13:40:18.562926637 +0100
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new.3248/bubblewrap.changes
2020-04-05 20:51:49.737084100 +0200
@@ -1,0 +2,12 @@
+Wed Apr 1 10:03:39 UTC 2020 - Sebastian Wagner <sebix+novell....@sebix.at>
+
+- Update to version 0.4.1:
+ * retcode: fix return code with syncfd and no event_fd
+ * Ensure we're always clearing the cap bounding set
+ * tests: Update output patterns for libcap >= 2.29
+ * Don't rely on geteuid() to know when to switch back from setuid root
+ * Don't support --userns2 in setuid mode
+ * fixes CVE-2020-5291
+ * fixes bsc#1168291
+
+-------------------------------------------------------------------
Old:
----
bubblewrap-0.4.0.tar.xz
New:
----
bubblewrap-0.4.1.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bubblewrap.spec ++++++
--- /var/tmp/diff_new_pack.li2KxO/_old 2020-04-05 20:51:50.253084594 +0200
+++ /var/tmp/diff_new_pack.li2KxO/_new 2020-04-05 20:51:50.257084598 +0200
@@ -1,7 +1,7 @@
#
# spec file for package bubblewrap
#
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: bubblewrap
-Version: 0.4.0
+Version: 0.4.1
Release: 0
Summary: Core execution tool for unprivileged containers
License: LGPL-2.0-or-later
++++++ bubblewrap-0.4.0.tar.xz -> bubblewrap-0.4.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bubblewrap-0.4.0/bubblewrap.c
new/bubblewrap-0.4.1/bubblewrap.c
--- old/bubblewrap-0.4.0/bubblewrap.c 2019-11-27 13:34:31.000000000 +0100
+++ new/bubblewrap-0.4.1/bubblewrap.c 2020-03-30 15:09:24.000000000 +0200
@@ -532,17 +532,20 @@
int status;
child = wait (&status);
- if (child == initial_pid && event_fd != -1)
+ if (child == initial_pid)
{
- uint64_t val;
- int res UNUSED;
-
initial_exit_status = propagate_exit_status (status);
- val = initial_exit_status + 1;
- res = write (event_fd, &val, 8);
- /* Ignore res, if e.g. the parent died and closed event_fd
- we don't want to error out here */
+ if(event_fd != -1)
+ {
+ uint64_t val;
+ int res UNUSED;
+
+ val = initial_exit_status + 1;
+ res = write (event_fd, &val, 8);
+ /* Ignore res, if e.g. the parent died and closed event_fd
+ we don't want to error out here */
+ }
}
if (child == -1 && errno != EINTR)
@@ -834,11 +837,13 @@
/* Call setuid() and use capset() to adjust capabilities */
static void
-drop_privs (bool keep_requested_caps)
+drop_privs (bool keep_requested_caps,
+ bool already_changed_uid)
{
assert (!keep_requested_caps || !is_privileged);
/* Drop root uid */
- if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0)
+ if (is_privileged && !already_changed_uid &&
+ setuid (opt_sandbox_uid) < 0)
die_with_error ("unable to drop root uid");
drop_all_caps (keep_requested_caps);
@@ -2296,6 +2301,9 @@
if (opt_userns_fd != -1 && is_privileged)
die ("--userns doesn't work in setuid mode");
+ if (opt_userns2_fd != -1 && is_privileged)
+ die ("--userns2 doesn't work in setuid mode");
+
/* We have to do this if we weren't installed setuid (and we're not
* root), so let's just DWIM */
if (!is_privileged && getuid () != 0 && opt_userns_fd == -1)
@@ -2499,7 +2507,7 @@
die_with_error ("Setting userns2 failed");
/* We don't need any privileges in the launcher, drop them immediately.
*/
- drop_privs (FALSE);
+ drop_privs (FALSE, FALSE);
/* Optionally bind our lifecycle to that of the parent */
handle_die_with_parent ();
@@ -2674,7 +2682,7 @@
if (child == 0)
{
/* Unprivileged setup process */
- drop_privs (FALSE);
+ drop_privs (FALSE, TRUE);
close (privsep_sockets[0]);
setup_newroot (opt_unshare_pid, privsep_sockets[1]);
exit (0);
@@ -2763,13 +2771,16 @@
if (unshare (CLONE_NEWUSER))
die_with_error ("unshare user ns");
+ /* We're in a new user namespace, we got back the bounding set, clear it
again */
+ drop_cap_bounding_set (FALSE);
+
write_uid_gid_map (opt_sandbox_uid, ns_uid,
opt_sandbox_gid, ns_gid,
-1, FALSE, FALSE);
}
/* All privileged ops are done now, so drop caps we don't need */
- drop_privs (!is_privileged);
+ drop_privs (!is_privileged, TRUE);
if (opt_block_fd != -1)
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bubblewrap-0.4.0/configure
new/bubblewrap-0.4.1/configure
--- old/bubblewrap-0.4.0/configure 2019-11-27 13:53:16.000000000 +0100
+++ new/bubblewrap-0.4.1/configure 2020-03-30 15:19:31.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for bubblewrap 0.4.0.
+# Generated by GNU Autoconf 2.69 for bubblewrap 0.4.1.
#
# Report bugs to <atomic-de...@projectatomic.io>.
#
@@ -580,8 +580,8 @@
# Identity of this package.
PACKAGE_NAME='bubblewrap'
PACKAGE_TARNAME='bubblewrap'
-PACKAGE_VERSION='0.4.0'
-PACKAGE_STRING='bubblewrap 0.4.0'
+PACKAGE_VERSION='0.4.1'
+PACKAGE_STRING='bubblewrap 0.4.1'
PACKAGE_BUGREPORT='atomic-de...@projectatomic.io'
PACKAGE_URL=''
@@ -1302,7 +1302,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures bubblewrap 0.4.0 to adapt to many kinds of systems.
+\`configure' configures bubblewrap 0.4.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1368,7 +1368,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of bubblewrap 0.4.0:";;
+ short | recursive ) echo "Configuration of bubblewrap 0.4.1:";;
esac
cat <<\_ACEOF
@@ -1492,7 +1492,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-bubblewrap configure 0.4.0
+bubblewrap configure 0.4.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1794,7 +1794,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by bubblewrap $as_me 0.4.0, which was
+It was created by bubblewrap $as_me 0.4.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4032,7 +4032,7 @@
# Define the identity of the package.
PACKAGE='bubblewrap'
- VERSION='0.4.0'
+ VERSION='0.4.1'
# Some tools Automake needs.
@@ -6365,7 +6365,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by bubblewrap $as_me 0.4.0, which was
+This file was extended by bubblewrap $as_me 0.4.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -6431,7 +6431,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //;
s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-bubblewrap config.status 0.4.0
+bubblewrap config.status 0.4.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bubblewrap-0.4.0/configure.ac
new/bubblewrap-0.4.1/configure.ac
--- old/bubblewrap-0.4.0/configure.ac 2019-11-27 13:40:58.000000000 +0100
+++ new/bubblewrap-0.4.1/configure.ac 2020-03-30 15:10:30.000000000 +0200
@@ -1,5 +1,5 @@
AC_PREREQ([2.63])
-AC_INIT([bubblewrap], [0.4.0], [atomic-de...@projectatomic.io])
+AC_INIT([bubblewrap], [0.4.1], [atomic-de...@projectatomic.io])
AC_CONFIG_HEADER([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_AUX_DIR([build-aux])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bubblewrap-0.4.0/tests/test-run.sh
new/bubblewrap-0.4.1/tests/test-run.sh
--- old/bubblewrap-0.4.0/tests/test-run.sh 2019-11-27 13:34:31.000000000
+0100
+++ new/bubblewrap-0.4.1/tests/test-run.sh 2020-03-30 15:09:24.000000000
+0200
@@ -215,11 +215,18 @@
$RUN $OPT --cap-drop ALL --unshare-pid capsh --print >caps.test
assert_file_has_content caps.test 'Current: =$'
# Check for dropping kill/fowner (we assume all uid 0 callers have this)
- $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh
--print >caps.test
- assert_not_file_has_content caps.test '^Current: =.*cap_kill'
- assert_not_file_has_content caps.test '^Current: =.*cap_fowner'
# But we should still have net_bind_service for example
- assert_file_has_content caps.test '^Current: =.*cap_net_bind_service'
+ $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh
--print >caps.test
+ # capsh's output format changed from v2.29 -> drops are now indicated
with -eip
+ if grep 'Current: =.*+eip$' caps.test; then
+ assert_not_file_has_content caps.test '^Current: =.*cap_kill.*+eip$'
+ assert_not_file_has_content caps.test '^Current: =.*cap_fowner.*+eip$'
+ assert_file_has_content caps.test '^Current:
=.*cap_net_bind_service.*+eip$'
+ else
+ assert_file_has_content caps.test '^Current: =eip.*cap_kill.*-eip$'
+ assert_file_has_content caps.test '^Current: =eip.*cap_fowner.*-eip$'
+ assert_not_file_has_content caps.test '^Current:
=.*cap_net_bind_service.*-eip$'
+ fi
echo "ok - we have the expected caps as uid 0"
fi
