Package: bubblewrap / 0.3.1-4

Metadata

Package: bubblewrap
Version: 0.3.1-4
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
tests Handle systems without merged usr.patch

tests/test-run.sh | 31 22 + 9 - 0 !
1 file changed, 22 insertions(+), 9 deletions(-)

 tests: handle systems without merged-/usr

For the non-suid case, we were assuming that the host system would have
merged /usr (e.g. /bin -> /usr/bin). This isn't yet the case for all
distros, so let's handle both.

Bug: https://github.com/projectatomic/bubblewrap/issues/290

man page Describe chdir not nonexistent cwd.patch

bwrap.xml | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 man page: describe --chdir, not nonexistent --cwd

Bug: https://github.com/projectatomic/bubblewrap/issues/291
Signed-off-by: Simon McVittie <smcv@collabora.com>

Make lockdata long enough on 32 bit with 64 bit file poin.patch

tests/test-run.sh | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 make lockdata long enough on 32-bit with 64-bit file pointers.

Bug: https://github.com/projectatomic/bubblewrap/pull/288

Don t create our own temporary mount point for pivot_root.patch

bubblewrap.c | 20 9 + 11 - 0 !
1 file changed, 9 insertions(+), 11 deletions(-)

 don't create our own temporary mount point for pivot_root

An attacker could pre-create /tmp/.bubblewrap-$UID and make it a
non-directory, non-symlink (in which case mounting our tmpfs would fail,
causing denial of service), or make it a symlink under their control
(potentially allowing bad things if the protected_symlinks sysctl is
not enabled).

Instead, temporarily mount the tmpfs on a directory that we are sure
exists and is not attacker-controlled. /tmp (the directory itself, not
a subdirectory) will do.

Bug: https://github.com/projectatomic/bubblewrap/issues/304
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557
Signed-off-by: Simon McVittie <smcv@debian.org>

tests Ensure that tmpfs with oldroot newroot doesn t appe.patch

tests/test-run.sh | 53 52 + 1 - 0 !
1 file changed, 52 insertions(+), 1 deletion(-)

 tests: ensure that tmpfs with oldroot/newroot doesn't appear in container

Signed-off-by: Simon McVittie <smcv@collabora.com>

debian/Use Python 3 for test demo code.patch

demos/userns-block-fd.py | 2 1 + 1 - 0 !
tests/test-run.sh | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 use python 3 for test/demo code