Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

container: bubblewrap runner: use --new-session to mitigate CVE-2017-5226 #320

Merged
merged 1 commit into from
Mar 14, 2023

Conversation

kaniini
Copy link
Contributor

@kaniini kaniini commented Mar 14, 2023

Without it, it is possible to escape the sandbox via TIOCSTI ioctls on the session PTY.

Related: containers/bubblewrap#555
Related: containers/bubblewrap#142
Related: https://news.ycombinator.com/item?id=30825088

…5226

Without it, it is possible to escape the sandbox via TIOCSTI ioctls on the session
PTY.

Related: containers/bubblewrap#555
Related: containers/bubblewrap#142
Related: https://news.ycombinator.com/item?id=30825088
Signed-off-by: Ariadne Conill <[email protected]>
@kaniini kaniini merged commit f680f28 into main Mar 14, 2023
@kaniini kaniini deleted the fix/bwrap-new-session-cve-2017-5226 branch March 14, 2023 10:28
@hartwork
Copy link

Hi, good move!

I see that commit 07cd62e is not part of release 0.2.0 and that 0.2.0 is packaged in Arch Linux and derivatives. My vote for considering a new release and a CVE for this. It only takes filling this form: https://cveform.mitre.org/ .

@kaniini
Copy link
Contributor Author

kaniini commented Mar 25, 2023

Our invocation of bubblewrap does not pass through the terminal file descriptor, so we do not believe there is any practical exposure to CVE-2017-5226. We would be likely to dispute any CVE filed for that reason.

@hartwork
Copy link

To be sure I understand: if that is true, why would you want to pass --new-session then? How is exec.Command not passing the controlling terminal to bwrap? Please help me understand what I may be missing.

@kaniini
Copy link
Contributor Author

kaniini commented Mar 25, 2023

To be sure I understand: if that is true, why would you want to pass --new-session then?

We do want the setsid effects for other reasons. And it is better to have it anyway, just in case we begin to use PTYs in the future instead of pipes.

How is exec.Command not passing the controlling terminal to bwrap? Please help me understand what I may be missing.

exec.Command just creates an execution object. The actual execution happens here, after stdio redirection is set up to use pipes: https://github.com/chainguard-dev/melange/blob/main/pkg/container/runner.go#L49

@hartwork
Copy link

We do want the setsid effects for other reasons.

Could you elaborate?

The title "to mitigate CVE-2017-5226" communicates a different picture. I'm confused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants