[Pkg-utopia-maintainers] Bug#923557: bubblewrap: insecure use of /tmp
Jakub Wilk
jwilk at jwilk.net
Fri Mar 1 21:43:40 GMT 2019
Package: bubblewrap
Version: 0.3.1-2
Tags: security
Is /run/user/<UID>/.bubblewrap/ doesn't exist and couldn't be created
(as was the case on my system), bubblewrap falls back to
/tmp/.bubblewrap-<UID>/. Local attacker could exploit this to prevent
other users from running bubblewrap, for example:
getent passwd | cut -d: -f3 | xargs printf '/tmp/.bubblewrap-%d\n' | xargs touch
But it gets worse, because bubblewrap is happy to use existing
/tmp/.bubblewrap-<UID>/, even when the directory is owned by some else.
In the worst case, this could be exploited by a local user to execute
arbitrary code in the container. (Though I couldn't find any way to
exploit this without disabling protected_symlinks.)
--
Jakub Wilk
More information about the Pkg-utopia-maintainers
mailing list