Package: bubblewrap
Version: 0.4.0-1
Severity: critical
Tags: security upstream fixed-upstream
Justification: root security hole
bubblewrap 0.4.0 introduced a privilege escalation vulnerability on systems
where both of these are true:
- unprivileged users can create user namespaces:
- not true on Debian kernels by default
- true on Debian kernels if reconfigured
with /proc/sys/kernel/unprivileged_userns_clone = 1
- true on upstream kernels (usually)
- true on Ubuntu kernels (usually)
- /usr/bin/bwrap is setuid root:
- true with Debian's bubblewrap package
- not true with Ubuntu's bubblewrap package
Mitigation:
- either disable unprivileged creation of user namespaces:
- set /proc/sys/kernel/unprivileged_userns_clone to 0, or
- set /proc/sys/user/max_user_namespaces to 0
- or make /usr/bin/bwrap not be setuid root
- use dpkg-statoverride or chmod
This is tracked as CVE-2020-5291 and GHSA-j2qp-rvxj-43vj.
The bubblewrap packages in Debian 10 'buster' and older releases are
not vulnerable.
The bubblewrap 0.4.0-1~bpo10+1 package in buster-backports is vulnerable.
This is fixed in 0.4.1-1~bpo10+1.
The bubblewrap 0.4.0-1 package in testing is vulnerable. This is fixed
in 0.4.1-1, currently in unstable.
If you have reconfigured the kernel to allow unprivileged creation of user
namespaces, it is unnecessary for /usr/bin/bwrap to be setuid. A
least-privilege approach is to reconfigure bwrap to have no special
privileges on such systems:
dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap
However, if you do this, and subsequently reconfigure the kernel to
disallow unprivileged creation of user namespaces, programs like flatpak
will not work. To solve that, it will be necessary to make /usr/bin/bwrap
setuid again, for example:
dpkg-statoverride --remove /usr/bin/bwrap
dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap
Regards,
smcv
