Bug 1823504 (CVE-2020-5291)

Summary: CVE-2020-5291 bubblewrap: privilege escalation in some kernel configurations
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: akarol, alexl, cmeyers, dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, jfrey, jhardy, mabashia, mclasen, notting, obarenbo, roliveri, rpetrell, simaishi, smallamp, smcdonal, walters
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2020-11-05 14:21:12 UTC
Bug Depends On: 1823505, 1823506, 1823763, 1824826, 1824827
Bug Blocks: 1823507

Description Guilherme de Almeida Suckevicz 2020-04-13 20:38:51 UTC
In Bubblewrap (bwrap) before version 0.4.1, if it is installed in setuid mode and the kernel supports unprivileged user namespaces, the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces.

Known to be affected are:

* Debian testing/unstable, if unprivileged user namespaces enabled (not default)
* Debian buster-backports, if unprivileged user namespaces enabled (not default)
* Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default)
* CentOS 7 flatpak COPR, if unprivileged user namespaces enabled (not default)

This has been fixed in the 0.4.1 release, and all affected users should update.

Reference:
https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj

Upstream commit:
https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240
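The description above says the flaw needs three things at once: a setuid bwrap, a kernel that lets unprivileged users create user namespaces, and a bwrap older than 0.4.1. The script below is an added example (not code from this bug report or from the bubblewrap project) that checks a host for exactly that combination; it assumes `bwrap --version` prints `bubblewrap X.Y.Z`, and that `kernel.unprivileged_userns_clone` (the Debian/Arch linux-hardened toggle) and `user.max_user_namespaces` (the mainline limit) are the relevant sysctls.

```shell
#!/bin/sh
# Added check for the CVE-2020-5291 precondition (example code, not from the
# bug report or bubblewrap): setuid bwrap + unprivileged user namespaces
# allowed + bwrap older than 0.4.1 (the release carrying the fix).

# 0 if VERSION (e.g. "0.4.0" or "0.3.3-2") sorts below 0.4.1, else 1.
version_lacks_fix() {
    echo "$1" | awk -F. '{ v = $1 * 1000000 + $2 * 1000 + $3
                           if (v < 4001) exit 0; exit 1 }'
}

# 0 if FILE carries the setuid bit (bwrap's "setuid mode"), else 1.
is_setuid() {
    [ -u "$1" ]
}

# Decide from sysctl values whether unprivileged processes may create user
# namespaces. CLONE is kernel.unprivileged_userns_clone (Debian/Arch hardened
# kernels; empty when the sysctl does not exist). MAXNS is
# user.max_user_namespaces (mainline; 0 disables user namespaces entirely).
userns_allowed_from_values() {
    clone="$1"; maxns="$2"
    if [ -n "$clone" ]; then
        [ "$clone" = "1" ]
    else
        [ -n "$maxns" ] && [ "$maxns" -gt 0 ]
    fi
}

# Read the live sysctl values (assumed paths) and apply the rule above.
userns_unprivileged_allowed() {
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)
    userns_allowed_from_values "$clone" "$maxns"
}

# Report whether BWRAP (default: the one on PATH) meets all three conditions.
# Returns 0 when vulnerable, 1 when not affected, 2 when bwrap is missing.
check_bwrap() {
    bwrap="${1:-$(command -v bwrap)}"
    [ -x "$bwrap" ] || { echo "bwrap not found"; return 2; }
    ver=$("$bwrap" --version | awk '{ print $2 }')   # "bubblewrap 0.4.0" -> "0.4.0"
    if is_setuid "$bwrap" && userns_unprivileged_allowed && version_lacks_fix "$ver"; then
        echo "VULNERABLE: $bwrap $ver is setuid and unprivileged user namespaces are allowed"
        return 0
    fi
    echo "not affected: $bwrap $ver (setuid: $(is_setuid "$bwrap" && echo yes || echo no))"
    return 1
}

# Usage: sh check-bwrap.sh --check [/path/to/bwrap]
if [ "${1:-}" = "--check" ]; then check_bwrap "${2:-}"; fi
```

A host on RHEL 7/CentOS 7 normally ships with `user.max_user_namespaces = 0`, which is why the description lists the CentOS 7 COPR build as affected only when that default is changed.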

Comment 1 Guilherme de Almeida Suckevicz 2020-04-13 20:39:14 UTC
Created bubblewrap tracking bugs for this issue:

Affects: epel-7 [bug 1823506]
Affects: fedora-all [bug 1823505]

Comment 2 Yadnyawalk Tale 2020-04-14 12:52:48 UTC
CloudForms 5.10 uses bubblewrap-0.3.3-2, which is vulnerable; CF 5.11 is not using bubblewrap somehow.

Comment 9 Bill Nottingham 2020-04-16 18:45:11 UTC
Per upstream changelog (https://github.com/containers/bubblewrap/releases/tag/v0.4.1), only 0.4.0 is vulnerable.

So none of Ansible Tower or CloudForms includes a version affected by this issue.

Comment 10 Borja Tarraso 2020-04-17 14:48:52 UTC
Statement:

Red Hat CloudForms 5.10 uses a vulnerable bubblewrap package; however, 5.11 is not vulnerable to this flaw. CloudForms may update bubblewrap in the future.

Red Hat Ansible Tower is not vulnerable, as it uses bubblewrap package version 0.3.3; only bubblewrap package version 0.4.0 is affected.

The version of the bubblewrap package as shipped with Red Hat Enterprise Linux 8 is not affected by this issue. Although we have the affected code, Red Hat Enterprise Linux 8 bubblewrap doesn't use the setuid mechanism for privilege escalation, which is the attack vector for this issue, but capabilities instead. Red Hat Enterprise Linux's bubblewrap may be updated in the future to a version which includes the fix.

Comment 11 Product Security DevOps Team 2020-11-05 14:21:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5291