Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2026-05-04 12:48:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new.30200 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bubblewrap" Mon May 4 12:48:22 2026 rev:24 rq:1350063 version:0.11.2 Changes: -------- --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes 2026-04-26 21:11:20.053470564 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new.30200/bubblewrap.changes 2026-05-04 12:48:55.810148207 +0200 @@ -1,0 +2,11 @@ +Wed Apr 29 16:20:45 UTC 2026 - Michael Gorse <[email protected]> + +- Update to version 0.11.2 (bsc#1262113): + * In setuid mode, don't run the low-privileged parts of the setup + as dumpable, as that allows it to be ptraced which can lead to + problems. This is CVE-2026-41163. + * New build option `-Dsupport_setuid`, which if set to false + (which is the default) disables the support for setuid. + Binaries built with this will refuse to run if made setuid. + +------------------------------------------------------------------- Old: ---- bubblewrap-0.11.1.tar.xz bubblewrap-0.11.1.tar.xz.asc bubblewrap.keyring New: ---- bubblewrap-0.11.2.tar.xz bubblewrap-0.11.2.tar.xz.sha256sum ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bubblewrap.spec ++++++ --- /var/tmp/diff_new_pack.RjVvBI/_old 2026-05-04 12:48:56.454174724 +0200 +++ /var/tmp/diff_new_pack.RjVvBI/_new 2026-05-04 12:48:56.458174889 +0200 
@@ -18,17 +18,16 @@ Name: bubblewrap -Version: 0.11.1 +Version: 0.11.2 Release: 0 Summary: Core execution tool for unprivileged containers License: LGPL-2.0-or-later Group: Productivity/Security URL: https://github.com/containers/bubblewrap Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz -Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz.asc +Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz.sha256sum # https://www.pseudorandom.co.uk/2003/contact/ # 0x4DE8FF2A63C7CC90, fingerprint: DA98 F25C 0871 C49A 59EA FF2C 4DE8 FF2A 63C7 CC90 -Source2: %{name}.keyring BuildRequires: docbook-xsl-stylesheets BuildRequires: gcc BuildRequires: git ++++++ bubblewrap-0.11.1.tar.xz -> bubblewrap-0.11.2.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.1/NEWS.md new/bubblewrap-0.11.2/NEWS.md --- old/bubblewrap-0.11.1/NEWS.md 2026-03-21 18:33:47.000000000 +0100 +++ new/bubblewrap-0.11.2/NEWS.md 2026-04-23 10:18:48.000000000 +0200 
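Review bot: The two context comment lines `# https://www.pseudorandom.co.uk/2003/contact/` and `# 0x4DE8FF2A63C7CC90, fingerprint: ...` describe the signing key for the `.asc` signature and `Source2: %{name}.keyring` that this hunk removes, so they are now orphaned and will mislead the next packager; drop them or replace them with `# upstream ships only a .sha256sum next to the tarball; it is fetched from the same location, so it checks integrity, not authenticity`. Swapping the detached signature for a checksum file downloaded from the same release URL as the tarball is a downgrade of source verification, since whoever can replace the tarball there can replace the checksum too, and neither the spec nor the .changes entry records why the signature was given up (presumably upstream stopped signing releases, but that is not visible here).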
@@ -1,3 +1,22 @@
+bubblewrap 0.11.2
+=================
+
+Released: 2026-04-23
+
+Bug fixes:
+
+ * In setuid mode, don't run the low-privileged parts parts of the setup
+ as dumpable, as that allows it to be ptraced which can lead to problems.
+ This is CVE-2026-41163, and was reported by François Diakhate.
+
+Enhancements:
+
+ * New build option `-Dsupport_setuid`, which if set to false (which
+ is the default) disables the support for setuid. Binaries built
+ with this will refuse to run if made setuid. We recommend building
+ normal bubblewrap binaries like this, which allows you to safely
+ ignore any security issues that only affect setuid mode.
+
 bubblewrap 0.11.1
 =================
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.1/README.md new/bubblewrap-0.11.2/README.md
--- old/bubblewrap-0.11.1/README.md 2026-03-21 18:33:47.000000000 +0100
+++ new/bubblewrap-0.11.2/README.md 2026-04-23 10:18:48.000000000 +0200
@@ -12,23 +12,24 @@ User namespaces --------------- -There is an effort in the Linux kernel called +There is an feature in the Linux kernel called [user namespaces](https://www.google.com/search?q=user+namespaces+site%3Ahttps%3A%2F%2Flwn.net) -which attempts to allow unprivileged users to use container features. -While significant progress has been made, there are -[still concerns](https://lwn.net/Articles/673597/) about it, and -it is not available to unprivileged users in several production distributions -such as CentOS/Red Hat Enterprise Linux 7, Debian Jessie, etc. +which allows unprivileged users to use container features. Bubblewrap uses these to +build the sandbox, allowing any user to use the tool. -See for example -[CVE-2016-3135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3135) -which is a local root vulnerability introduced by userns. -[This March 2016 post](https://lkml.org/lkml/2016/3/9/555) has some -more discussion. +Historically, not all Linux distributions supported (at least by +default) unprivileged user namespaces, so bubblewrap supports a second +mode of operation when the binary is setuid root. In that setup +bubblewrap could be viewed as setuid implementation of a *subset* of +user namespaces. However, not all features of bubblewrap work in +this mode. -Bubblewrap could be viewed as setuid implementation of a *subset* of -user namespaces. Emphasis on subset - specifically relevant to the -above CVE, bubblewrap does not allow control over iptables. +However, setuid mode is deprecated, as most recent Linux distributions +support unprivileged user namespaces, and setuid binaries carry +significant risks. By default, bubblewrap binaries refuse to work if +setuid, and you must build explicitly with ` -Dsupport_setuid=true` to +enable it to work. Later versions of bubblewrap aims to completely +remove this support. 
The original bubblewrap code existed before user namespaces - it inherits code from [xdg-app helper](https://cgit.freedesktop.org/xdg-app/xdg-app/tree/common/xdg-app-helper.c?id=4c3bf179e2e4a2a298cd1db1d045adaf3f564532) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.1/SECURITY.md new/bubblewrap-0.11.2/SECURITY.md --- old/bubblewrap-0.11.1/SECURITY.md 2026-03-21 18:33:47.000000000 +0100 +++ new/bubblewrap-0.11.2/SECURITY.md 2026-04-23 10:18:48.000000000 +0200 @@ -15,6 +15,13 @@ malicious user could equally well do by writing their own tool equivalent to bubblewrap. +Since 0.11.2, unless compiled with the `-Dsupport_setuid=true` option, +setuid root support is disabled. In this mode bubblewrap will refuse +to operate if the binary has been made setuid. For binaries built like +this it is safe to ignore any bubblewrap CVEs that are described as +affecting setuid mode only. This is the recommended way to package +bubblewrap. + ### Sandbox security bubblewrap is a toolkit for constructing sandbox environments. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.1/bubblewrap.c new/bubblewrap-0.11.2/bubblewrap.c --- old/bubblewrap-0.11.1/bubblewrap.c 2026-03-21 18:33:47.000000000 +0100 +++ new/bubblewrap-0.11.2/bubblewrap.c 2026-04-23 10:18:48.000000000 +0200 @@ -55,7 +55,11 @@ static gid_t real_gid; static uid_t overflow_uid; static gid_t overflow_gid; +#ifdef ENABLE_SUPPORT_SETUID static bool is_privileged; /* See acquire_privs() */ +#else +#define is_privileged 0 +#endif static const char *argv0; static const char *host_tty_dev; static int proc_fd = -1; @@ -840,13 +844,16 @@ static void acquire_privs (void) { - uid_t euid, new_fsuid; + uid_t euid; euid = geteuid (); /* Are we setuid ? */ if (real_uid != euid) { +#ifdef ENABLE_SUPPORT_SETUID + uid_t new_fsuid; + if (euid != 0) die ("Unexpected setuid user %d, should be 0", euid); 
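Review bot: The new `#else` branch's `die ("setuid use of bubblewrap is not supported in this build")` is only reached when `real_uid != euid`, so a binary that was installed setgid root rather than setuid root (egid 0 with an unchanged euid) would sail past this refusal in a build without ENABLE_SUPPORT_SETUID; whether a matching gid check exists elsewhere in acquire_privs cannot be seen here, since the function continues past the hunk. If there is none, a parallel `if (real_gid != getegid ()) die ("setgid use of bubblewrap is not supported in this build");` alongside the uid check would close that gap. A short comment above the `#else`, e.g. `/* Built without -Dsupport_setuid: any uid mismatch means someone made us setuid anyway; refuse rather than run privileged code paths that this build does not carry. */`, would also explain why the branch dies instead of silently continuing.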
@@ -868,13 +875,16 @@ /* setfsuid can't properly report errors, check that it worked (as per manpage) */ new_fsuid = setfsuid (-1); if (new_fsuid != real_uid) - die ("Unable to set fsuid (was %d)", (int)new_fsuid); + die_with_error ("Unable to set fsuid (was %d)", (int)new_fsuid); /* We never need capabilities after execve(), so lets drop everything from the bounding set */ drop_cap_bounding_set (true); /* Keep only the required capabilities for setup */ set_required_caps (); +#else + die ("setuid use of bubblewrap is not supported in this build"); +#endif } else if (real_uid != 0 && has_caps ()) { @@ -937,7 +947,8 @@ /* Call setuid() and use capset() to adjust capabilities */ static void drop_privs (bool keep_requested_caps, - bool already_changed_uid) + bool already_changed_uid, + bool set_dumpable) { assert (!keep_requested_caps || !is_privileged); /* Drop root uid */ @@ -947,9 +958,12 @@ drop_all_caps (keep_requested_caps); - /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */ - if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0) - die_with_error ("can't set dumpable"); + if (set_dumpable) + { + /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */ + if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0) + die_with_error ("can't set dumpable"); + } } static void @@ -1154,7 +1168,9 @@ break; case PRIV_SEP_OP_OVERLAY_MOUNT: - if (mount ("overlay", arg2, "overlay", MS_MGC_VAL, arg1) != 0) + if (is_privileged) + die ("Overlay mounts are not supported in setuid mode"); + if (mount ("overlay", arg2, "overlay", MS_MGC_VAL | MS_NOSUID | MS_NODEV, arg1) != 0) { /* The standard message for ELOOP, "Too many levels of symbolic * links", is not helpful here. */ 
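Review bot: Switching the setfsuid failure to `die_with_error` prints the current errno, but as the comment two lines above says, setfsuid does not report errors and does not set errno, so the strerror text shown here is whatever an earlier call left behind and will send whoever debugs it in the wrong direction. Keep the original `die ("Unable to set fsuid (was %d)", (int)new_fsuid);`, or if errno is wanted anyway, say in the message that it may be stale. acquire_privs continues outside the hunk.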
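Review bot: The new `set_dumpable` parameter of drop_privs is the mechanism behind the CVE-2026-41163 fix but is not documented at its declaration; the header comment `/* Call setuid() and use capset() to adjust capabilities */` should say what the flag controls. Suggested replacement: `/* Call setuid() and use capset() to adjust capabilities. set_dumpable: re-enable PR_SET_DUMPABLE afterwards (which hands /proc/self to the user); must be false in a process that will still issue privileged_op() requests, because a dumpable process can be ptraced by the unprivileged user. */`. The same applies to the `if (set_dumpable)` block in the following hunk (@@ -947), where a one-line `/* false: caller still talks to the privileged helper, stay unptraceable */` would tie the branch to the reason.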
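Review bot: Refusing overlay mounts in setuid mode is a user-visible behaviour change that neither the NEWS.md hunk nor the .changes entry in this patch mentions, and nothing near `if (is_privileged) die ("Overlay mounts are not supported in setuid mode");` says why; a why-comment above the check, stating the authors' reason for excluding overlayfs from the setuid path, plus a NEWS line would let packagers triage the resulting bug reports. Note also that the added `MS_NOSUID | MS_NODEV` flags only ever take effect on the unprivileged (user-namespace) path, since the setuid path now dies before reaching mount(); that is fine, but worth stating in the same comment. The enclosing switch continues outside the hunk.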
@@ -1172,6 +1188,8 @@ something manages to send hacked priv-sep operation requests. */ if (!opt_unshare_uts) die ("Refusing to set hostname in original namespace"); + if (arg1 == NULL) + die ("Hostname argument is NULL"); if (sethostname (arg1, strlen(arg1)) != 0) die_with_error ("Can't set hostname to %s", arg1); break; @@ -3182,7 +3200,7 @@ die_with_error ("Setting userns2 failed"); /* We don't need any privileges in the launcher, drop them immediately. */ - drop_privs (false, false); + drop_privs (false, false, true); /* Optionally bind our lifecycle to that of the parent */ handle_die_with_parent (); @@ -3369,8 +3387,10 @@ if (child == 0) { - /* Unprivileged setup process */ - drop_privs (false, true); + /* Unprivileged setup process. + * Note: Don't set dumpable, because we can still perform privileged + * operations via privileged_op(). */ + drop_privs (false, true, false); close (privsep_sockets[0]); setup_newroot (opt_unshare_pid, privsep_sockets[1]); exit (0); @@ -3499,7 +3519,7 @@ } /* All privileged ops are done now, so drop caps we don't need */ - drop_privs (!is_privileged, true); + drop_privs (!is_privileged, true, true); if (opt_block_fd != -1) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.1/meson.build new/bubblewrap-0.11.2/meson.build --- old/bubblewrap-0.11.1/meson.build 2026-03-21 18:33:47.000000000 +0100 +++ new/bubblewrap-0.11.2/meson.build 2026-04-23 10:18:48.000000000 +0200 @@ -1,7 +1,7 @@ project( 'bubblewrap', 'c', - version : '0.11.1', + version : '0.11.2', meson_version : '>=0.49.0', default_options : [ 'warning_level=2', 
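Review bot: With `drop_privs (false, true, false)` the setup child stays non-dumpable for its whole life, which per the comment removed from drop_privs in @@ -947 also leaves its /proc/self owned by root rather than the user; whether setup_newroot opens any /proc/self entries that would now be root-owned in setuid mode cannot be judged from this hunk, so that deserves confirming before release. The new comment already explains why dumpable is withheld; appending `(CVE-2026-41163)` to it would tie the call site to the NEWS entry for future readers. The enclosing function continues outside the hunk.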
@@ -91,6 +91,11 @@
 cdata.set('ENABLE_REQUIRE_USERNS', 1)
 endif
 
+if get_option('support_setuid')
+ cdata.set('ENABLE_SUPPORT_SETUID', 1)
+ warning('running bubblewrap setuid is deprecated and risky. Most recent operating systems support unprivileged user namespaces and we recommend using that. Support for this will be removed in the next version.')
+endif
+
 configure_file(
 output : 'config.h',
 configuration : cdata,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.1/meson_options.txt new/bubblewrap-0.11.2/meson_options.txt
--- old/bubblewrap-0.11.1/meson_options.txt 2026-03-21 18:33:47.000000000 +0100
+++ new/bubblewrap-0.11.2/meson_options.txt 2026-04-23 10:18:48.000000000 +0200
@@ -42,6 +42,12 @@
 description : 'Path to Python 3, or empty to use python3',
 )
 option(
+ 'support_setuid',
+ type : 'boolean',
+ description : 'Support setuid mode (deprecated)',
+ value : false,
+)
+option(
 'require_userns',
 type : 'boolean',
 description : 'require user namespaces by default when installed setuid',
++++++ bubblewrap-0.11.2.tar.xz.sha256sum ++++++
69abc30005d2186baf7737feacd8da35633b93cf5af38838ecff17c5f8e924f6 *bubblewrap-0.11.2.tar.xz
