Your message dated Tue, 31 Mar 2020 21:51:41 +0100
with message-id <[email protected]>
and subject line Re: Bug#955441: CVE-2020-5291, GHSA-j2qp-rvxj-43vj: privilege escalation in some kernel configurations
has caused the Debian Bug report #955441,
regarding CVE-2020-5291, GHSA-j2qp-rvxj-43vj: privilege escalation in some kernel configurations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
955441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955441
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bubblewrap
Version: 0.4.0-1
Severity: critical
Tags: security upstream fixed-upstream
Justification: root security hole

bubblewrap 0.4.0 introduced a privilege escalation vulnerability on systems
where both of these are true:

- unprivileged users can create user namespaces:
  - not true on Debian kernels by default
  - true on Debian kernels if reconfigured with
    /proc/sys/kernel/unprivileged_userns_clone = 1
  - true on upstream kernels (usually)
  - true on Ubuntu kernels (usually)
- /usr/bin/bwrap is setuid root:
  - true with Debian's bubblewrap package
  - not true with Ubuntu's bubblewrap package

Mitigation:

- either disable unprivileged creation of user namespaces:
  - set /proc/sys/kernel/unprivileged_userns_clone to 0, or
  - set /proc/sys/user/max_user_namespaces to 0
- or make /usr/bin/bwrap not be setuid root
  - use dpkg-statoverride or chmod

This is tracked as CVE-2020-5291 and GHSA-j2qp-rvxj-43vj.

The bubblewrap packages in Debian 10 'buster' and older releases are not
vulnerable.

The bubblewrap 0.4.0-1~bpo10+1 package in buster-backports is vulnerable.
This is fixed in 0.4.1-1~bpo10+1.

The bubblewrap 0.4.0-1 package in testing is vulnerable. This is fixed
in 0.4.1-1, currently in unstable.

If you have reconfigured the kernel to allow unprivileged creation of user
namespaces, it is unnecessary for /usr/bin/bwrap to be setuid. A
least-privilege approach is to reconfigure bwrap to have no special
privileges on such systems:

    dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap

However, if you do this, and subsequently reconfigure the kernel to
disallow unprivileged creation of user namespaces, programs like flatpak
will not work. To solve that, it will be necessary to make /usr/bin/bwrap
setuid again, for example:

    dpkg-statoverride --remove /usr/bin/bwrap
    dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap

Regards,
    smcv
--- End Message ---
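The report above gives two preconditions (unprivileged user namespaces allowed, /usr/bin/bwrap setuid root) and two mitigations. The following is an added example, not part of the bug report or of the bubblewrap package: a POSIX sh check that reads the two sysctl files and the binary's ownership and mode, and reports which precondition (if any) is missing. The file paths are parameters so the logic can be run against constructed inputs; the live paths and the CHECK_LIVE guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): does this host match the
# CVE-2020-5291 preconditions, i.e. unprivileged user namespace creation
# is allowed AND bwrap is setuid root?  Paths are parameters for testing.

# userns_allowed CLONE_SYSCTL MAX_SYSCTL -> prints yes|no
# Mirrors the report's two knobs: kernel.unprivileged_userns_clone is
# Debian-specific (absent on upstream kernels, which then allow creation);
# user.max_user_namespaces = 0 disables creation on any kernel.
userns_allowed() {
    if [ -r "$2" ] && [ "$(cat "$2")" = "0" ]; then echo no; return; fi
    if [ -r "$1" ] && [ "$(cat "$1")" = "0" ]; then echo no; return; fi
    echo yes
}

# setuid_root PATH -> prints yes|no (POSIX find: owned by root, u+s set)
setuid_root() {
    if [ -n "$(find "$1" -prune -user root -perm -4000 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# bwrap_status CLONE_SYSCTL MAX_SYSCTL BWRAP_PATH -> one-word verdict
bwrap_status() {
    if [ "$(userns_allowed "$1" "$2")" = no ]; then
        echo safe-userns-disabled
    elif [ "$(setuid_root "$3")" = no ]; then
        echo safe-bwrap-not-setuid
    else
        echo vulnerable   # both preconditions hold; apply one mitigation
    fi
}

# Live run against the Debian paths from the report (assumed guard variable:
# CHECK_LIVE=1 sh check.sh).  Prints the verdict and the report's mitigation.
if [ -n "${CHECK_LIVE:-}" ]; then
    verdict=$(bwrap_status /proc/sys/kernel/unprivileged_userns_clone \
                           /proc/sys/user/max_user_namespaces /usr/bin/bwrap)
    echo "CVE-2020-5291: $verdict"
    if [ "$verdict" = vulnerable ]; then
        echo "either: sysctl user.max_user_namespaces=0"
        echo "or:     dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap"
    fi
fi
```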
--- Begin Message ---
Version: 0.4.1-1

On Tue, 31 Mar 2020 at 20:25:01 +0100, Simon McVittie wrote:
> The bubblewrap 0.4.0-1 package in testing is vulnerable. This is fixed
> in 0.4.1-1, currently in unstable.
--- End Message ---

