| | |
|---|---|
| tag name | v0.4.1 (8a3e8fd906a3b616abfa84e0fc1ac6374e792c34) |
| tag date | 2020-03-30 15:19:07 +0200 |
| tagged by | Alexander Larsson <alexl@redhat.com> |
| tagged object | commit 5feb64dc60... |
| download | bubblewrap-0.4.1.tar.gz |

Release 0.4.1
This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups
bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only
if installed setuid while at the same time the kernel supports unprivileged user namespaces.
More details in the advisory here:
https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
Additionally there are some minor changes:
* Always clear the capability bounding set (cosmetic issue)
* Make the tests work with libcap >= 2.29
* Properly report child exit status in some cases

Alexander Larsson (9):
      Ensure we're always clearing the cap bounding set
      Don't rely on geteuid() to know when to switch back from setuid root
      Don't support --userns2 in setuid mode
      drop_privs: More explicit argument name

Christian Kastner (1):
      tests: Update output patterns for libcap >= 2.29

Jean-Baptiste BESNARD (1):
      retcode: fix return code with syncfd and no event_fd

TomSweeneyRedHat (1):
      Add Code of Conduct

Git-EVTag-v0-SHA512: 0483b1e73940171e16ca41ab7994ae20e7572433a8f4cef276dfdf0685993b4c3bd21a002beb16003a29cf2280aa0394c3d2adaf1255ce1bb128bb2abaa32941
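
A host check for the three conditions the release notes name (version 0.4.0, setuid install, unprivileged user namespaces), as an added example that is not part of the tag message or the bubblewrap project. It assumes a Linux host with GNU `stat` and a kernel of 4.9 or later; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not bubblewrap project code). Function names are hypothetical.
# Flags a host where all three conditions from the 0.4.1 release notes hold:
# bubblewrap 0.4.0, installed setuid, unprivileged user namespaces allowed.

# Prints 1 if the file is owned by root and has the setuid bit, else 0.
bwrap_is_setuid() {
    if [ -u "$1" ] && [ "$(stat -c %u "$1" 2>/dev/null)" = "0" ]; then
        echo 1
    else
        echo 0
    fi
}

# Prints 1 if unprivileged user namespaces look enabled, else 0.
# $1 is the sysctl root (default /proc/sys), overridable for testing.
# Assumption: kernel >= 4.9, which provides user/max_user_namespaces.
# kernel/unprivileged_userns_clone is a distribution patch (e.g. Debian);
# when that file is absent it is treated as "allowed".
userns_enabled() {
    root=${1:-/proc/sys}
    max=$(cat "$root/user/max_user_namespaces" 2>/dev/null || echo 0)
    clone=$(cat "$root/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    if [ "$max" -gt 0 ] && [ "$clone" = "1" ]; then echo 1; else echo 0; fi
}

# Succeeds (exit 0) only when version, setuid flag and userns flag all match.
is_exposed() {
    [ "$1" = "0.4.0" ] && [ "$2" = "1" ] && [ "$3" = "1" ]
}

# Runs the checks against the bwrap found on PATH and prints a verdict.
check_host() {
    bwrap=$(command -v bwrap 2>/dev/null || true)
    if [ -z "$bwrap" ]; then echo "bwrap not found"; return 0; fi
    # "bwrap --version" prints "bubblewrap <version>"
    ver=$("$bwrap" --version 2>/dev/null | awk '{print $2}')
    if is_exposed "$ver" "$(bwrap_is_setuid "$bwrap")" "$(userns_enabled)"; then
        echo "EXPOSED: $bwrap $ver is setuid with user namespaces enabled; upgrade to 0.4.1"
    else
        echo "not exposed by these checks: $bwrap ${ver:-unknown}"
    fi
    return 0
}

check_host
```

Distribution packages may carry a backported fix under an unchanged upstream version string, so confirm a positive result against the vendor's advisory.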