SUSE:SLE-15-SP3:GA
File fix-cve-2019-12439.patch of Package bubblewrap.11815
From efc89e3b939b4bde42c10f065f6b7b02958ed50e Mon Sep 17 00:00:00 2001 From: Simon McVittie <smcv@debian.org> Date: Sat, 2 Mar 2019 12:09:03 +0000 Subject: [PATCH] Don't create our own temporary mount point for pivot_root An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled). Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. /tmp (the directory itself, not a subdirectory) will do. Fixes: #304 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557 Signed-off-by: Simon McVittie <smcv@debian.org> Closes: #305 Approved by: cgwalters --- bubblewrap.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) --- bubblewrap.c 2017-10-09 16:11:41.000000000 +0200 +++ bubblewrap.c 2019-06-06 21:49:24.808159459 +0200 @@ -1912,7 +1912,7 @@ char **argv) { mode_t old_umask; - cleanup_free char *base_path = NULL; + const char *base_path = NULL; int clone_flags; char *old_cwd = NULL; pid_t pid; 
@@ -2047,15 +2047,12 @@ die_with_error ("Can't open /proc"); /* We need *some* mountpoint where we can mount the root tmpfs. - We first try in /run, and if that fails, try in /tmp. */ - base_path = xasprintf ("/run/user/%d/.bubblewrap", real_uid); - if (mkdir (base_path, 0755) && errno != EEXIST) - { - free (base_path); - base_path = xasprintf ("/tmp/.bubblewrap-%d", real_uid); - if (mkdir (base_path, 0755) && errno != EEXIST) - die_with_error ("Creating root mountpoint failed"); - } + * Because we use pivot_root, it won't appear to be mounted from + * the perspective of the sandboxed process, so we can use anywhere + * that is sure to exist, that is sure to not be a symlink controlled + * by someone malicious, and that we won't immediately need to + * access ourselves. */ + base_path = "/tmp"; __debug__ (("creating new namespace\n")); @@ -2246,7 +2243,8 @@ /* We create a subdir "$base_path/newroot" for the new root, that * way we can pivot_root to base_path, and put the old root at * "$base_path/oldroot". This avoids problems accessing the oldroot - * dir if the user requested to bind mount something over / */ + * dir if the user requested to bind mount something over / (or + * over /tmp, now that we use that for base_path). */ if (mkdir ("newroot", 0755)) die_with_error ("Creating newroot failed");
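Review bot: in the first hunk (@@ -1912,7 +1912,7 @@), `base_path` is still declared as NULL and only receives its value in the second hunk, although its sole value is now the literal "/tmp". Dropping `cleanup_free` is right, since a string literal must not be freed, but initialising at the declaration (`const char *base_path = "/tmp";`) or using a file-scope constant would remove the stretch of code where the pointer is NULL and make it obvious that nothing allocates it any more.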
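Review bot: in the second hunk (@@ -2047,15 +2047,12 @@), the new comment says the mount point is "sure to exist", but the hunk deletes the only error path for it (`die_with_error ("Creating root mountpoint failed")`) and nothing in the visible lines checks that assumption. Either state in the comment that an existing /tmp directory is now a requirement, or make sure the tmpfs mount on base_path fails with a message that names the path. The comment would also be stronger if it said why /tmp qualifies, as the commit message does: it is the directory itself, not a per-user subdirectory under it, so it is not attacker-controlled.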
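Review bot: in the third hunk (@@ -2246,7 +2243,8 @@), "now that we use that for base_path" is changelog wording that will read oddly once the old behaviour is forgotten; "or over /tmp, which is base_path" states the same thing as a standing fact. Since the comment now claims that a bind mount over /tmp is covered by the newroot/oldroot layout, a test case that binds something over /tmp would back that claim up.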