CVE-2020-5291 – Privilege escalation in setuid mode via user namespaces in Bubblewrap
https://notcve.org/view.php?id=CVE-2020-5291
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update. Bubblewrap (bwrap) versiones anteriores a 0.4.1, si se instaló en modo setuid y el kernel admite espacios de nombres (namespaces) de usuario no privilegiados, entonces la opción "bwrap --userns2" puede ser usada para hacer que el proceso setuid continúe ejecutándose como root mientras es rastreable. • https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj • CWE-269: Improper Privilege Management CWE-648: Incorrect Use of Privileged APIs •
CVE-2019-12439 – bubblewrap: temporary directory misuse as mount point
https://notcve.org/view.php?id=CVE-2019-12439
bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code. El archivo bubblewrap.c en Bubblewrap anterior de versión 0.3.3, utiliza de manera incorrecta directorios temporales en /tmp como un punto de montaje. En algunas configuraciones particulares (relacionadas con XDG_RUNTIME_DIR), un atacante local puede abusar de este defecto para prevenir que otros usuarios ejecuten bubblewrap o potencialmente ejecute código. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html https://access.redhat.com/errata/RHSA-2019:1833 https://bugzilla.redhat.com/show_bug.cgi?id=1695963 https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e https://github.com/projectatomic/bubblewrap/issues/304 https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3 https://security.gentoo.org/glsa/202006-18 https: • CWE-20: Improper Input Validation CWE-377: Insecure Temporary File •
CVE-2016-6349
https://notcve.org/view.php?id=CVE-2016-6349
The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command. El comando machinectl en oci-register-machine permite a usuarios locales listar contenedores en ejecución y posiblemente obtener información sensible ejecutando ese comando. • http://www.openwall.com/lists/oss-security/2016/07/26/9 http://www.openwall.com/lists/oss-security/2016/10/13/7 http://www.securityfocus.com/bid/92143 https://bugzilla.redhat.com/show_bug.cgi?id=1360634 https://github.com/projectatomic/oci-register-machine/pull/22 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-5226
https://notcve.org/view.php?id=CVE-2017-5226
When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. "Al ejecutar un programa a través del sandbox bubblewrap, la sesión nonpriv puede escapar a la sesión padre utilizando el ioctl de TIOCSTI para insertar caracteres en el búfer de entrada del terminal, permitiendo a un atacante escapar del sandbox. " • http://www.openwall.com/lists/oss-security/2020/07/10/1 http://www.openwall.com/lists/oss-security/2023/03/17/1 http://www.securityfocus.com/bid/97260 https://bugzilla.redhat.com/show_bug.cgi?id=1411811 https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117 https://github.com/projectatomic/bubblewrap/issues/142 https://www.openwall.com/lists/oss-security/2023/03/14/2 • CWE-20: Improper Input Validation •