[Bug 1136958] New: VUL-0: CVE-2019-12439: bubblewrap: temporary directory misuse as mount point
http://bugzilla.suse.com/show_bug.cgi?id=1136958 Bug ID: 1136958 Summary: VUL-0: CVE-2019-12439: bubblewrap: temporary directory misuse as mount point Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.0 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: sebix+novell.com@sebix.at Reporter: atoptsoglou@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- CVE-2019-12439 Is /run/user/<UID>/.bubblewrap/ doesn't exist and couldn't be created (as was the case on my system), bubblewrap falls back to /tmp/.bubblewrap-<UID>/. Local attacker could exploit this to prevent other users from running bubblewrap, for example: getent passwd | cut -d: -f3 | xargs printf '/tmp/.bubblewrap-%d\n' | xargs touch But it gets worse, because bubblewrap is happy to use existing /tmp/.bubblewrap-<UID>/, even when the directory is owned by some else. In the worst case, this could be exploited by a local user to execute arbitrary code in the container. (Though I couldn't find any way to exploit this without disabling protected_symlinks.) Upstream issue: https://github.com/projectatomic/bubblewrap/issues/304 References: https://bugzilla.redhat.com/show_bug.cgi?id=1695963 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12439 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12439 https://github.com/projectatomic/bubblewrap/issues/304 https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065... https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Alexandros Toptsoglou
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Alexandros Toptsoglou
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Alexandros Toptsoglou
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Alexandros Toptsoglou
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Alexandros Toptsoglou
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
http://bugzilla.suse.com/show_bug.cgi?id=1136958#c1
Sebastian Wagner
http://bugzilla.suse.com/show_bug.cgi?id=1136958
http://bugzilla.suse.com/show_bug.cgi?id=1136958#c2
Alexandros Toptsoglou
fixed in Virtualization:containers Request for Factory: https://build.opensuse.org/request/show/706819 Request for Leap 15.1: https://build.opensuse.org/request/show/706820
Is it also required for Leap 15.0?
Hi Sebastian, Since Leap 15.0 is still on life. It is preferable to have a submission also for Leap. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
http://bugzilla.suse.com/show_bug.cgi?id=1136958#c3
--- Comment #3 from Sebastian Wagner
http://bugzilla.suse.com/show_bug.cgi?id=1136958
http://bugzilla.suse.com/show_bug.cgi?id=1136958#c4
--- Comment #4 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
http://bugzilla.suse.com/show_bug.cgi?id=1136958#c7
--- Comment #7 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136958
http://bugzilla.suse.com/show_bug.cgi?id=1136958#c8
--- Comment #8 from Swamp Workflow Management
participants (1)
-
bugzilla_noreply@novell.com