[Pkg-utopia-maintainers] Bug#955441: CVE-2020-5291, GHSA-j2qp-rvxj-43vj: privilege escalation in some kernel configurations
Simon McVittie
smcv at debian.org
Tue Mar 31 20:25:01 BST 2020
Package: bubblewrap
Version: 0.4.0-1
Severity: critical
Tags: security upstream fixed-upstream
Justification: root security hole
bubblewrap 0.4.0 introduced a privilege escalation vulnerability on systems
where both of these are true:

- unprivileged users can create user namespaces:
  - not true on Debian kernels by default
  - true on Debian kernels if reconfigured
    with /proc/sys/kernel/unprivileged_userns_clone = 1
  - true on upstream kernels (usually)
  - true on Ubuntu kernels (usually)
- /usr/bin/bwrap is setuid root:
  - true with Debian's bubblewrap package
  - not true with Ubuntu's bubblewrap package

Mitigation:

- either disable unprivileged creation of user namespaces:
  - set /proc/sys/kernel/unprivileged_userns_clone to 0, or
  - set /proc/sys/user/max_user_namespaces to 0
- or make /usr/bin/bwrap not be setuid root
  - use dpkg-statoverride or chmod
This is tracked as CVE-2020-5291 and GHSA-j2qp-rvxj-43vj.
The bubblewrap packages in Debian 10 'buster' and older releases are
not vulnerable.
The bubblewrap 0.4.0-1~bpo10+1 package in buster-backports is vulnerable.
This is fixed in 0.4.1-1~bpo10+1.
The bubblewrap 0.4.0-1 package in testing is vulnerable. This is fixed
in 0.4.1-1, currently in unstable.
If you have reconfigured the kernel to allow unprivileged creation of user
namespaces, it is unnecessary for /usr/bin/bwrap to be setuid. A
least-privilege approach is to reconfigure bwrap to have no special
privileges on such systems:

    dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap

However, if you do this, and subsequently reconfigure the kernel to
disallow unprivileged creation of user namespaces, programs like flatpak
will not work. To solve that, it will be necessary to make /usr/bin/bwrap
setuid again, for example:

    dpkg-statoverride --remove /usr/bin/bwrap
    dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap
Regards,
smcv
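The two-condition test and the mitigations described in the report, as an added example (not from the bug report or the bubblewrap project). It decides whether a host matches the vulnerable configuration (bwrap 0.4.0, setuid root, unprivileged user namespaces allowed) and prints the dpkg-statoverride commands for either mitigation. Assumptions: /proc/sys/kernel/unprivileged_userns_clone is a Debian/Ubuntu-specific knob, so its absence is treated as an upstream kernel that allows unprivileged user namespaces; `bwrap --version` prints "bubblewrap X.Y.Z"; and the function names (read_knob, userns_allowed, setuid_root, assess, mitigation_commands, check_host) are this example's own.

```shell
#!/bin/sh
# Added example, not the bug report's or bubblewrap's own code.
# Classifies a host against the two conditions in the report and prints
# the mitigation commands. Run with --host to evaluate the running system.

# Print the contents of a /proc/sys knob, or "absent" if it does not exist.
# Assumption: kernel.unprivileged_userns_clone is absent on upstream kernels.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# userns_allowed <unprivileged_userns_clone> <max_user_namespaces>
# Succeeds when an unprivileged user can create user namespaces.
userns_allowed() {
    [ "$2" != "0" ] || return 1           # user.max_user_namespaces=0 blocks everyone
    [ "$1" = "absent" ] || [ "$1" = "1" ] # absent knob: upstream kernel, allowed
}

# setuid_root <path>: succeeds when the file has the setuid bit and is owned by root.
setuid_root() {
    [ -u "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# assess <unprivileged_userns_clone> <max_user_namespaces> <setuid_root: yes|no> <version>
# Prints "vulnerable" or "safe:<reason>". Only 0.4.0 (and its Debian
# revisions 0.4.0-*) is affected; 0.4.1 carries the upstream fix.
assess() {
    clone="$1"; maxns="$2"; suid="$3"; ver="$4"
    case "$ver" in
        0.4.0|0.4.0-*) ;;
        *) echo "safe:version-$ver"; return 0 ;;
    esac
    if [ "$suid" != yes ]; then
        echo "safe:not-setuid-root"; return 0
    fi
    if ! userns_allowed "$clone" "$maxns"; then
        echo "safe:userns-disabled"; return 0
    fi
    echo vulnerable
}

# mitigation_commands <drop-setuid|restore-setuid|disable-userns>
# Prints (does not run) the commands from the report for one mitigation.
mitigation_commands() {
    case "$1" in
        drop-setuid)
            echo "dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap" ;;
        restore-setuid)
            echo "dpkg-statoverride --remove /usr/bin/bwrap"
            echo "dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap" ;;
        disable-userns)
            # Either knob is sufficient; the first only exists on Debian/Ubuntu kernels.
            echo "echo 0 > /proc/sys/kernel/unprivileged_userns_clone"
            echo "echo 0 > /proc/sys/user/max_user_namespaces" ;;
        *)
            echo "unknown mitigation: $1" >&2; return 1 ;;
    esac
}

# check_host: evaluate the running system (Linux, bwrap installed).
check_host() {
    clone=$(read_knob /proc/sys/kernel/unprivileged_userns_clone)
    maxns=$(read_knob /proc/sys/user/max_user_namespaces)
    if setuid_root /usr/bin/bwrap; then suid=yes; else suid=no; fi
    ver=$(bwrap --version 2>/dev/null | awk '{print $2}')
    verdict=$(assess "$clone" "$maxns" "$suid" "${ver:-unknown}")
    echo "bwrap ${ver:-unknown}: userns_clone=$clone max_user_namespaces=$maxns setuid_root=$suid -> $verdict"
    if [ "$verdict" = vulnerable ]; then
        echo "Mitigate with one of:"
        mitigation_commands drop-setuid
        mitigation_commands disable-userns
    fi
}

if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

The split between `assess` (pure, takes its inputs as arguments) and `check_host` (reads /proc, stats the binary) is deliberate: the classification can be checked against every combination in the report without needing a matching kernel or a setuid binary on the machine running it.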