- 1 closed CVE in our CVE database CVE-2017-5226 (LP #1657357)
- Fixed in a timely fashion but by updating to a version which is not ideal
- Provides ability to launch other applications within a sandbox via (user)
namespaces and bind mounts etc.
- Build-Depends: libcap-dev, libselinux1-dev
- Does not daemonize
- No use of udev
- No pre/post inst/rm scripts
- No initscripts / systemd unit files
- No DBus services
- 1 setuid file:
rwsr-xr-x root/root 59496 2018-07-12 18:33 ./usr/bin/bwrap
- Note: the Ubuntu kernel supports unprivileged user namespaces so there is
no reason for bwrap to be setuid - I have tested this also without setuid
and it works as expected. As such I strongly suggest we patch out the part
of the debian packaging which makes this setuid.
- binaries added to the PATH
rwsr-xr-x root/root 59496 2018-07-12 18:33 ./usr/bin/bwrap
- No sudo fragments
- No udev rules
- System tests exist but are not run as part of package build
- no unit tests
- No cronjobs
- Clean build logs - no warnings during build
- Subprocesses are spawned as that is the core functionality of bubblewrap
- Memory management looks good, no obvious issues and all memory allocations
are checked and appropriately handled with good defensive programming.
- Does not directly use any environment variables but does use setenv to allow
caller to set vars in child process environment
- Uses privileged operations to setup namespace then drops privileges before
executing child process. Correctly detects when running as setuid root and
correctly drops down to the saved user-id before executing the resulting
child process, so should not be a problem when using new user namespace even
though it is setuid root.
- No cryptography
- No network connections
- Uses temporary files to be able to pass in files to the subprocesses
namespace - uses umask(0) and mkstemp() so this looks to be secure
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck
  - 1 false positive error for a memory leak (cppcheck is confused due to the
    use of gcc's cleanup attribute to automatically free the memory when it
    goes out of scope)
- scan-build (6.0):
  - 4 warnings:
    - 1 false positive memory leak (confusion due to gcc cleanup attribute)
    - 1 false positive dead assignment (confusion due to gcc cleanup attribute)
    - 2 warnings about passing possible NULL pointers to functions which expect
      non-NULL values
      - 1 for creat(), 1 for symlink()
      - both should be impossible since current call sites never provide the
        preconditions to allow these to occur
      - so both are false positives
      - would be useful to have some assertions to convey this impossible
        state
So the only real concerns I have are that the system-level tests do not seem to
be integrated with the package build process in any way, and that it is setuid
root, which does not seem necessary as our kernels enable unprivileged user
namespaces. So I am happy to ACK this from the security team if both of these
can be investigated and resolved (i.e. add the tests to the build process and
drop the adding of setuid permission during packaging).
It would also be worthwhile looking into adding an AppArmor profile to try and
provide additional hardening - and in particular if there is a good reason to
keep it setuid then I would definitely recommend adding an AppArmor profile to
ensure that we restrict a setuid bubblewrap from only doing the intended
functionality and not stepping outside its bounds (ie. messing with system
AppArmor policy etc. if it were somehow to be compromised).
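A shell audit of the two findings raised in the review above (the setuid bit on bwrap and kernel support for unprivileged user namespaces), added here as an example and not taken from the review or the bubblewrap package. It assumes the Ubuntu/Debian `kernel.unprivileged_userns_clone` sysctl and takes both paths as parameters so it can also be run against constructed test files.

```shell
#!/bin/sh
# Added audit script (not part of the MIR review or of bubblewrap itself):
# checks the setuid bit on bwrap and whether the kernel permits unprivileged
# user namespaces. Paths are parameters so it can be pointed at a staged
# package tree or at constructed test files.

# Return 0 if the file at $1 carries the setuid bit, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Return 0 if unprivileged user namespaces are permitted according to the
# sysctl file at $1. Ubuntu and Debian kernels expose
# /proc/sys/kernel/unprivileged_userns_clone; mainline kernels lack that
# knob and permit them, so a missing file counts as permitted.
userns_allowed() {
    sysctl_file="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -e "$sysctl_file" ] || return 0
    [ "$(cat "$sysctl_file")" = "1" ]
}

# Print one verdict for the bwrap binary at $1 given the sysctl file at $2:
#   ok              - not setuid, kernel allows user namespaces
#   setuid-unneeded - setuid but the kernel allows user namespaces, so the
#                     bit can be dropped from the packaging
#   setuid-needed   - setuid and the kernel forbids user namespaces
#   no-sandbox      - neither setuid nor user namespaces: bwrap cannot work
bwrap_verdict() {
    if is_setuid "$1"; then
        if userns_allowed "$2"; then echo setuid-unneeded; else echo setuid-needed; fi
    else
        if userns_allowed "$2"; then echo ok; else echo no-sandbox; fi
    fi
}

# Stand-alone use: audit the installed binary against the running kernel.
bwrap_verdict "${1:-/usr/bin/bwrap}" ""
```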
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5226
** Changed in: bubblewrap (Ubuntu)
Assignee: Alex Murray (alexmurray) => (unassigned)
https://bugs.launchpad.net/bugs/1709164
Title:
[MIR] bubblewrap
Status in bubblewrap package in Ubuntu:
Triaged
Bug description:
Availability
============
Built for all supported architectures.
In sync with Debian.
Rationale
=========
The gnome-desktop3 library 3.25.90+ requires bubblewrap. bubblewrap is most
commonly used as part of Flatpak's security isolation feature. Here it's being
used to sandbox the thumbnailers.
See https://git.gnome.org/browse/gnome-desktop/log (changes from
3.25.4 to 3.25.90)
The bubblewrap feature was disabled in Ubuntu 17.10's gnome-desktop3
package because this MIR was not processed.
Security
========
No known open security vulnerabilities in any Ubuntu releases.
https://security-tracker.debian.org/tracker/source-package/bubblewrap
I helped prepare a security update (LP: #1657357) (CVE-2017-5226) for
bubblewrap/flatpak several months ago.
Security-sensitive package.
Quality assurance
=================
Bug subscriber: should be Ubuntu Desktop Bugs
https://bugs.launchpad.net/ubuntu/+source/bubblewrap
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=bubblewrap
https://github.com/projectatomic/bubblewrap/issues
dh_auto_test runs the build tests but they appear to be set as SKIP
upstream. (See comment #4)
Multiple autopkgtests passing on all Ubuntu architectures. Because the
tests require machine isolation, the autopkgtests don't run on
Debian's infrastructure currently.
Dependencies
============
check-mir reports all other binary dependencies are in main
Standards compliance
====================
4.0.0
Maintenance
===========
- Actively developed upstream
https://github.com/projectatomic/bubblewrap
- Maintained in Debian by the pkg-utopia team but more specifically,
it is maintained by Simon McVittie (smcv) who also maintains Flatpak
and ostree in Debian and Ubuntu.
- short dh7 style rules, dh compat 10
Background information
======================
William Hua (attente) had been working last year on a snapcraft plugin that
used bubblewrap.
So maybe more stuff will use bubblewrap in the future.