Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2020-04-05 20:51:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new.3248 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bubblewrap" Sun Apr 5 20:51:39 2020 rev:11 rq:790515 version:0.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes 2019-12-28 13:40:18.562926637 +0100 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new.3248/bubblewrap.changes 2020-04-05 20:51:49.737084100 +0200 @@ -1,0 +2,12 @@ +Wed Apr 1 10:03:39 UTC 2020 - Sebastian Wagner <sebix+novell....@sebix.at> + +- Update to version 0.4.1: + * retcode: fix return code with syncfd and no event_fd + * Ensure we're always clearing the cap bounding set + * tests: Update output patterns for libcap >= 2.29 + * Don't rely on geteuid() to know when to switch back from setuid root + * Don't support --userns2 in setuid mode + * fixes CVE-2020-5291 + * fixes bsc#1168291 + +------------------------------------------------------------------- Old: ---- bubblewrap-0.4.0.tar.xz New: ---- bubblewrap-0.4.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bubblewrap.spec ++++++ --- /var/tmp/diff_new_pack.li2KxO/_old 2020-04-05 20:51:50.253084594 +0200 +++ /var/tmp/diff_new_pack.li2KxO/_new 2020-04-05 20:51:50.257084598 +0200 @@ -1,7 +1,7 @@ # # spec file for package bubblewrap # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: bubblewrap -Version: 0.4.0 +Version: 0.4.1 Release: 0 Summary: Core execution tool for unprivileged containers License: LGPL-2.0-or-later ++++++ bubblewrap-0.4.0.tar.xz -> bubblewrap-0.4.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.4.0/bubblewrap.c new/bubblewrap-0.4.1/bubblewrap.c --- old/bubblewrap-0.4.0/bubblewrap.c 2019-11-27 13:34:31.000000000 +0100 +++ new/bubblewrap-0.4.1/bubblewrap.c 2020-03-30 15:09:24.000000000 +0200 
@@ -532,17 +532,20 @@ int status; child = wait (&status); - if (child == initial_pid && event_fd != -1) + if (child == initial_pid) { - uint64_t val; - int res UNUSED; - initial_exit_status = propagate_exit_status (status); - val = initial_exit_status + 1; - res = write (event_fd, &val, 8); - /* Ignore res, if e.g. the parent died and closed event_fd - we don't want to error out here */ + if(event_fd != -1) + { + uint64_t val; + int res UNUSED; + + val = initial_exit_status + 1; + res = write (event_fd, &val, 8); + /* Ignore res, if e.g. the parent died and closed event_fd + we don't want to error out here */ + } } if (child == -1 && errno != EINTR) @@ -834,11 +837,13 @@ /* Call setuid() and use capset() to adjust capabilities */ static void -drop_privs (bool keep_requested_caps) +drop_privs (bool keep_requested_caps, + bool already_changed_uid) { assert (!keep_requested_caps || !is_privileged); /* Drop root uid */ - if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0) + if (is_privileged && !already_changed_uid && + setuid (opt_sandbox_uid) < 0) die_with_error ("unable to drop root uid"); drop_all_caps (keep_requested_caps); @@ -2296,6 +2301,9 @@ if (opt_userns_fd != -1 && is_privileged) die ("--userns doesn't work in setuid mode"); + if (opt_userns2_fd != -1 && is_privileged) + die ("--userns2 doesn't work in setuid mode"); + /* We have to do this if we weren't installed setuid (and we're not * root), so let's just DWIM */ if (!is_privileged && getuid () != 0 && opt_userns_fd == -1) @@ -2499,7 +2507,7 @@ die_with_error ("Setting userns2 failed"); /* We don't need any privileges in the launcher, drop them immediately. */ - drop_privs (FALSE); + drop_privs (FALSE, FALSE); /* Optionally bind our lifecycle to that of the parent */ handle_die_with_parent (); @@ -2674,7 +2682,7 @@ if (child == 0) { /* Unprivileged setup process */ - drop_privs (FALSE); + drop_privs (FALSE, TRUE); close (privsep_sockets[0]); setup_newroot (opt_unshare_pid, privsep_sockets[1]); exit (0); 
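Review bot: The `write (event_fd, &val, 8)` inside the new inner block hard-codes the size of `val`; `res = write (event_fd, &val, sizeof (val));` keeps the length tied to the `uint64_t` declaration. The added `if(event_fd != -1)` also drops the space before the parenthesis that the surrounding lines use. Going by the changelog entry about the return code with no event fd, the point of the change is that `initial_exit_status` is now recorded even when `event_fd` is -1, so a comment on the assignment such as `/* Always record the status, it is needed even when no event_fd was given */` would keep a later cleanup from merging the two conditions again. The enclosing function starts and ends outside the hunk.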
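Review bot: `drop_privs` now trusts the caller-supplied `already_changed_uid` flag instead of checking anything itself, and the one-line header comment does not say what the flag means or what happens when it is wrong. Passing TRUE on a path that is still running as setuid root would silently skip `setuid (opt_sandbox_uid)`, so the comment above the function should state that the flag may be TRUE only when the caller has already left the setuid-root uid, and that `setuid()` is attempted only when `is_privileged` is set and the flag is FALSE. The call sites changed in the later hunks (`drop_privs (FALSE, FALSE)`, `drop_privs (FALSE, TRUE)`, `drop_privs (!is_privileged, TRUE)`) pass two adjacent booleans that are easy to transpose. A trailing comment naming the second argument at each call, e.g. `drop_privs (FALSE, TRUE); /* uid already changed */`, would make a swapped argument visible in review.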
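Review bot: The new `--userns2` refusal has no comment saying why the option is rejected when `is_privileged` is set, and the tests/test-run.sh hunk in this diff does not appear to exercise it. The changelog for this release lists the restriction alongside the CVE-2020-5291 fix, so a line such as `/* --userns2 is deliberately unsupported when installed setuid, see the 0.4.1 changelog */` above the check would tell a later maintainer not to relax it. The existing `--userns` check directly above could share that comment. The enclosing function is not fully visible in the hunk.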
@@ -2763,13 +2771,16 @@ if (unshare (CLONE_NEWUSER)) die_with_error ("unshare user ns"); + /* We're in a new user namespace, we got back the bounding set, clear it again */ + drop_cap_bounding_set (FALSE); + write_uid_gid_map (opt_sandbox_uid, ns_uid, opt_sandbox_gid, ns_gid, -1, FALSE, FALSE); } /* All privileged ops are done now, so drop caps we don't need */ - drop_privs (!is_privileged); + drop_privs (!is_privileged, TRUE); if (opt_block_fd != -1) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.4.0/configure new/bubblewrap-0.4.1/configure --- old/bubblewrap-0.4.0/configure 2019-11-27 13:53:16.000000000 +0100 +++ new/bubblewrap-0.4.1/configure 2020-03-30 15:19:31.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for bubblewrap 0.4.0. +# Generated by GNU Autoconf 2.69 for bubblewrap 0.4.1. # # Report bugs to <atomic-de...@projectatomic.io>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='bubblewrap' PACKAGE_TARNAME='bubblewrap' -PACKAGE_VERSION='0.4.0' -PACKAGE_STRING='bubblewrap 0.4.0' +PACKAGE_VERSION='0.4.1' +PACKAGE_STRING='bubblewrap 0.4.1' PACKAGE_BUGREPORT='atomic-de...@projectatomic.io' PACKAGE_URL='' @@ -1302,7 +1302,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures bubblewrap 0.4.0 to adapt to many kinds of systems. +\`configure' configures bubblewrap 0.4.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1368,7 +1368,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of bubblewrap 0.4.0:";; + short | recursive ) echo "Configuration of bubblewrap 0.4.1:";; esac cat <<\_ACEOF 
@@ -1492,7 +1492,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -bubblewrap configure 0.4.0 +bubblewrap configure 0.4.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1794,7 +1794,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by bubblewrap $as_me 0.4.0, which was +It was created by bubblewrap $as_me 0.4.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4032,7 +4032,7 @@ # Define the identity of the package. PACKAGE='bubblewrap' - VERSION='0.4.0' + VERSION='0.4.1' # Some tools Automake needs. @@ -6365,7 +6365,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by bubblewrap $as_me 0.4.0, which was +This file was extended by bubblewrap $as_me 0.4.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -6431,7 +6431,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -bubblewrap config.status 0.4.0 +bubblewrap config.status 0.4.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.4.0/configure.ac new/bubblewrap-0.4.1/configure.ac --- old/bubblewrap-0.4.0/configure.ac 2019-11-27 13:40:58.000000000 +0100 +++ new/bubblewrap-0.4.1/configure.ac 2020-03-30 15:10:30.000000000 +0200 
@@ -1,5 +1,5 @@ AC_PREREQ([2.63]) -AC_INIT([bubblewrap], [0.4.0], [atomic-de...@projectatomic.io]) +AC_INIT([bubblewrap], [0.4.1], [atomic-de...@projectatomic.io]) AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.4.0/tests/test-run.sh new/bubblewrap-0.4.1/tests/test-run.sh --- old/bubblewrap-0.4.0/tests/test-run.sh 2019-11-27 13:34:31.000000000 +0100 +++ new/bubblewrap-0.4.1/tests/test-run.sh 2020-03-30 15:09:24.000000000 +0200 @@ -215,11 +215,18 @@ $RUN $OPT --cap-drop ALL --unshare-pid capsh --print >caps.test assert_file_has_content caps.test 'Current: =$' # Check for dropping kill/fowner (we assume all uid 0 callers have this) - $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print >caps.test - assert_not_file_has_content caps.test '^Current: =.*cap_kill' - assert_not_file_has_content caps.test '^Current: =.*cap_fowner' # But we should still have net_bind_service for example - assert_file_has_content caps.test '^Current: =.*cap_net_bind_service' + $RUN $OPT --cap-drop CAP_KILL --cap-drop CAP_FOWNER --unshare-pid capsh --print >caps.test + # capsh's output format changed from v2.29 -> drops are now indicated with -eip + if grep 'Current: =.*+eip$' caps.test; then + assert_not_file_has_content caps.test '^Current: =.*cap_kill.*+eip$' + assert_not_file_has_content caps.test '^Current: =.*cap_fowner.*+eip$' + assert_file_has_content caps.test '^Current: =.*cap_net_bind_service.*+eip$' + else + assert_file_has_content caps.test '^Current: =eip.*cap_kill.*-eip$' + assert_file_has_content caps.test '^Current: =eip.*cap_fowner.*-eip$' + assert_not_file_has_content caps.test '^Current: =.*cap_net_bind_service.*-eip$' + fi echo "ok - we have the expected caps as uid 0" fi
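Review bot: The format probe `if grep 'Current: =.*+eip$' caps.test; then` prints every matching line to the test's stdout and is not anchored like the assertions below it; `if grep -q '^Current: =.*+eip$' caps.test; then` selects the same branch without the stray output. The `+` in the pattern is literal only because grep defaults to basic regular expressions. How the `assert_file_has_content` and `assert_not_file_has_content` helpers match is not visible here, so it is worth confirming they interpret `.*+eip$` the same way. The enclosing `if` block begins outside the hunk.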