CVE-2020-5291, GHSA-j2qp-rvxj-43vj: privilege escalation in some kernel configurations

Related Vulnerabilities: CVE-2020-5291  

Debian Bug report logs - #955441


Reported by: Simon McVittie <smcv@debian.org>

Date: Tue, 31 Mar 2020 19:27:04 UTC

Severity: critical

Tags: fixed-upstream, security, upstream

Found in version bubblewrap/0.4.0-1

Fixed in version bubblewrap/0.4.1-1

Done: Simon McVittie <smcv@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#955441; Package bubblewrap. (Tue, 31 Mar 2020 19:27:06 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 31 Mar 2020 19:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2020-5291, GHSA-j2qp-rvxj-43vj: privilege escalation in some kernel configurations
Date: Tue, 31 Mar 2020 20:25:01 +0100
Package: bubblewrap
Version: 0.4.0-1
Severity: critical
Tags: security upstream fixed-upstream
Justification: root security hole

bubblewrap 0.4.0 introduced a privilege escalation vulnerability on systems
where both of these are true:

- unprivileged users can create user namespaces:
    - not true on Debian kernels by default
    - true on Debian kernels if reconfigured
      with /proc/sys/kernel/unprivileged_userns_clone = 1
    - true on upstream kernels (usually)
    - true on Ubuntu kernels (usually)

- /usr/bin/bwrap is setuid root:
    - true with Debian's bubblewrap package
    - not true with Ubuntu's bubblewrap package

Mitigation:

- either disable unprivileged creation of user namespaces:
    - set /proc/sys/kernel/unprivileged_userns_clone to 0, or
    - set /proc/sys/user/max_user_namespaces to 0
- or make /usr/bin/bwrap not be setuid root
    - use dpkg-statoverride or chmod

This is tracked as CVE-2020-5291 and GHSA-j2qp-rvxj-43vj.

The bubblewrap packages in Debian 10 'buster' and older releases are
not vulnerable.

The bubblewrap 0.4.0-1~bpo10+1 package in buster-backports is vulnerable.
This is fixed in 0.4.1-1~bpo10+1.

The bubblewrap 0.4.0-1 package in testing is vulnerable. This is fixed
in 0.4.1-1, currently in unstable.

If you have reconfigured the kernel to allow unprivileged creation of user
namespaces, it is unnecessary for /usr/bin/bwrap to be setuid. A
least-privilege approach is to reconfigure bwrap to have no special
privileges on such systems:

    dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap

However, if you do this, and subsequently reconfigure the kernel to
disallow unprivileged creation of user namespaces, programs like flatpak
will not work. To solve that, it will be necessary to make /usr/bin/bwrap
setuid again, for example:

    dpkg-statoverride --remove /usr/bin/bwrap
    dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap

Regards,
    smcv
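The report's two preconditions (unprivileged user namespaces allowed, and /usr/bin/bwrap setuid root) and its mitigations lend themselves to a small audit script. The following is an added example, not part of the bug report or of the bubblewrap project: the function names, the output strings, and the convention of treating a missing /proc/sys/kernel/unprivileged_userns_clone as "allowed" (the report says upstream and Ubuntu kernels usually permit it) are this example's own assumptions, and the live check assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the bug report or the bubblewrap project: evaluate
# the two conditions the report gives for CVE-2020-5291 exposure on a host,
# then echo the report's own mitigation commands for that state.
# Function names, output strings and the "absent" convention are assumptions
# of this example. The live check needs GNU stat (-c %a).

# version_affected VERSION -> "affected" | "unaffected"
# Coarse check taken from the report: 0.4.0 (including 0.4.0-1~bpo10+1)
# introduced the bug; 0.4.1-1 and the older packages in buster are not affected.
version_affected() {
    case "$1" in
        0.4.0*) echo affected ;;
        *)      echo unaffected ;;
    esac
}

# classify_exposure USERNS_CLONE MAX_USERNS BWRAP_MODE
#   USERNS_CLONE: /proc/sys/kernel/unprivileged_userns_clone, or "absent"
#                 when that Debian-specific sysctl does not exist (treated
#                 as allowed, as on upstream and Ubuntu kernels)
#   MAX_USERNS:   /proc/sys/user/max_user_namespaces
#   BWRAP_MODE:   octal mode of /usr/bin/bwrap as printed by stat -c %a
classify_exposure() {
    userns_allowed=1
    [ "$1" = "0" ] && userns_allowed=0
    [ "$2" = "0" ] && userns_allowed=0

    # setuid is the 4 bit in the leading digit of a four-digit mode (4755,
    # 6755, ...); a three-digit mode such as 755 carries no special bits.
    setuid=0
    case "$3" in
        4???|5???|6???|7???) setuid=1 ;;
    esac

    if [ "$userns_allowed" = 1 ] && [ "$setuid" = 1 ]; then
        echo vulnerable
    elif [ "$setuid" = 1 ]; then
        echo not-vulnerable:userns-restricted
    elif [ "$userns_allowed" = 1 ]; then
        echo not-vulnerable:bwrap-not-setuid
    else
        echo not-vulnerable:both
    fi
}

# suggest_mitigation CLASSIFICATION -> the report's remediation for that state
suggest_mitigation() {
    case "$1" in
        vulnerable)
            echo "upgrade bubblewrap to 0.4.1-1 (0.4.1-1~bpo10+1 on buster), or:"
            echo "  echo 0 > /proc/sys/kernel/unprivileged_userns_clone"
            echo "  (or echo 0 > /proc/sys/user/max_user_namespaces), or"
            echo "  dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap"
            ;;
        not-vulnerable:bwrap-not-setuid)
            echo "nothing to do now; if unprivileged user namespaces are later"
            echo "disabled, flatpak needs bwrap setuid again:"
            echo "  dpkg-statoverride --remove /usr/bin/bwrap"
            echo "  dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap"
            ;;
        *)  echo "nothing to do" ;;
    esac
}

# check_live_system [BWRAP_PATH] -> classification for this host
check_live_system() {
    bwrap=${1:-/usr/bin/bwrap}
    clone=absent
    maxns=absent
    [ -r /proc/sys/kernel/unprivileged_userns_clone ] \
        && clone=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    [ -r /proc/sys/user/max_user_namespaces ] \
        && maxns=$(cat /proc/sys/user/max_user_namespaces)
    if [ ! -e "$bwrap" ]; then
        echo not-installed
        return 0
    fi
    classify_exposure "$clone" "$maxns" "$(stat -c %a "$bwrap")"
}

# Live check only when invoked as: sh check_bwrap.sh --live
if [ "${1:-}" = "--live" ]; then
    state=$(check_live_system)
    echo "state: $state"
    suggest_mitigation "$state"
fi
```

Run with `--live` on a Debian host to get the classification and the matching commands from the report; the pure functions can also be fed values from a configuration-management inventory. Note that the setuid bit alone is not the issue: the report's point is the combination with unprivileged user namespaces, which is why the script reports `userns-restricted` hosts as not vulnerable even when bwrap is still 4755.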



Marked as fixed in versions bubblewrap/0.4.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Mar 2020 20:54:02 GMT)


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 31 Mar 2020 20:54:04 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 31 Mar 2020 20:54:04 GMT)


Message #12 received at 955441-done@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 955441-done@bugs.debian.org
Subject: Re: Bug#955441: CVE-2020-5291, GHSA-j2qp-rvxj-43vj: privilege escalation in some kernel configurations
Date: Tue, 31 Mar 2020 21:51:41 +0100
Version: 0.4.1-1

On Tue, 31 Mar 2020 at 20:25:01 +0100, Simon McVittie wrote:
> The bubblewrap 0.4.0-1 package in testing is vulnerable. This is fixed
> in 0.4.1-1, currently in unstable.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 1 08:35:46 2020; Machine Name: beach
