Your message dated Mon, 24 May 2021 23:18:29 +0000
with message-id <e1lljq9-0004iq...@fasolo.debian.org>
and subject line Bug#989049: fixed in debspawn 0.4.2-1
has caused the Debian Bug report #989049,
regarding debspawn: privilege escalation via uid reuse
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
989049: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989049
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debspawn
Severity: serious
Justification: security hole
Tags: security

When building a package using debspawn, it dynamically allocates a
system user that is used to perform the build. Since system users are
allocated sequentially, the chosen uid is very likely to collide with a
uid outside the nspawn container. This enables two possible privilege
escalations:

 * If an unprivileged user is entitled to perform builds via debspawn,
   she gains privileges of the build uid inside the container and this
   is an expected part of the security model of debspawn. However that
   same uid is very likely used outside of the container for a different
   purpose (usually a system daemon). A number of resources are shared
   between the outer OS and the container despite being separated by a
   pid namespace. For instance, resource limits are shared. It is very
   likely that a privilege escalation from the build user inside the
   container to the service user (with same uid) is possible. The
   culprit here is the accidental sharing of uids for two different
   purposes.
 * Likewise, the privilege escalation works in the other direction. The
   service that shares its uid with the build user can simply kill build
   processes with any signal or change arbitrary files in the build
   tree. Again, it is the sharing of a uid that enables this.

I basically see two options for fixing this:
 * The build user is forced to use a uid that is not allocated
   elsewhere. pbuilder follows this approach and fixes a uid that is not
   normally allocated.
 * A user namespace would remap the uid space inside the container to a
   high, private uid range. While the build uid inside the container
   would equal a system user outside, the namespace would still separate
   them.

FD: Initial disclosure to Matthias and the security team happened on May
11th. Both agreed to publish the issue.

Helmut

--- End Message ---
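As an added illustration of the uid-sharing problem Helmut describes and of the "random free UID" approach the fix later in this thread takes (example code written for this page, not debspawn's own implementation; the passwd excerpts are constructed, and checking both host and container passwd files is an assumption):

```python
import random
from typing import Dict, Tuple

# Constructed sample /etc/passwd excerpts (not taken from any real system).
# Note uid 103 is a system daemon on the host but the build user in the container.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management:/run/systemd:/usr/sbin/nologin
messagebus:x:102:103::/nonexistent:/usr/sbin/nologin
postgres:x:103:104:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
"""

CONTAINER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
builder:x:103:103:build user:/build:/bin/sh
"""


def parse_passwd(text: str) -> Dict[int, str]:
    """Map uid -> user name for every well-formed passwd line."""
    users: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip comments, blanks and malformed lines
        users[int(fields[2])] = fields[0]
    return users


def uid_collisions(host: str, container: str) -> Dict[int, Tuple[str, str]]:
    """Return {uid: (host_name, container_name)} for uids that exist on both
    sides under different names: the accidental uid sharing the report describes."""
    h, c = parse_passwd(host), parse_passwd(container)
    return {uid: (h[uid], c[uid]) for uid in h.keys() & c.keys() if h[uid] != c[uid]}


def pick_free_uid(host: str, container: str, low: int = 60000,
                  high: int = 64999, rng=random) -> int:
    """Choose a uid in [low, high] that no account on the host or in the
    container already uses, so the build user cannot share a uid with a daemon."""
    taken = parse_passwd(host).keys() | parse_passwd(container).keys()
    candidates = [uid for uid in range(low, high + 1) if uid not in taken]
    if not candidates:
        raise RuntimeError("no free uid in range %d-%d" % (low, high))
    return rng.choice(candidates)
```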
--- Begin Message ---
Source: debspawn
Source-Version: 0.4.2-1
Done: Matthias Klumpp <m...@debian.org>

We believe that the bug you reported is fixed in the latest version of
debspawn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klumpp <m...@debian.org> (supplier of updated debspawn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Mon, 24 May 2021 23:21:45 +0200
Source: debspawn
Architecture: source
Version: 0.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klumpp <m...@debian.org>
Changed-By: Matthias Klumpp <m...@debian.org>
Closes: 982793 986967 987312 987547 988371 989049
Changes:
 debspawn (0.4.2-1) unstable; urgency=medium
 .
   * New upstream version: 0.4.2
     - Configure APT to not install recommends by default (Closes: #987312)
     - Allow defining custom environment variables for package builds
       (Closes: #986967)
     - Use dpkg --print-architecture to determine arch (Closes: #987547)
     - Check system encoding properly (Closes: #982793)
     - Run builds as user with a random free UID (Closes: #989049)
   * Update homepage URL
   * Delete all state data on purge (Closes: #988371)
   * Migrate settings automatically after installation
   * Add NEWS entry about required image updates
   * Add autopkgtest for common debspawn tasks
   * Add new build dependency on python3-pkgconfig


--- End Message ---