SECURITY UPDATE

2024-11-04 14:49:48 +08:00 · 2024-11-04 14:49:48 +08:00 · 92d580fffd
parent 20b859454d
commit 92d580fffd
3 changed files with 75 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+bubblewrap (0.9.0-ok2) nile; urgency=medium
+
+  * SECURITY UPDATE
+
+ -- liubo01 <liubo01@kylinos.cn>  Mon, 04 Nov 2024 14:49:48 +0800
+
 bubblewrap (0.9.0-ok1) nile; urgency=medium

  * Build for openKylin.
--- a/debian/patches/SECURITY-UPDATE.patch
+++ b/debian/patches/SECURITY-UPDATE.patch
@ -0,0 +1,68 @@
+From: liubo0711 <1191322237@qq.com>
+Date: Mon, 4 Nov 2024 14:49:48 +0800
+Subject: SECURITY UPDATE
+
+---
+ bubblewrap.c      | 26 ++++++++++++++++++++++++++
+ tests/test-run.sh |  6 ++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 1ea16c9..ee270ce 100644
+--- a/bubblewrap.c
+++ b/bubblewrap.c
+@@ -341,6 +341,8 @@ usage (int ecode, FILE *out)
+            "    --dev-bind-try SRC DEST      Equal to --dev-bind but ignores non-existent SRC\n"
+            "    --ro-bind SRC DEST           Bind mount the host path SRC readonly on DEST\n"
+            "    --ro-bind-try SRC DEST       Equal to --ro-bind but ignores non-existent SRC\n"
+           "    --bind-fd FD DEST            Bind open directory or path fd on DEST\n"
+           "    --ro-bind-fd FD DEST         Bind open directory or path fd read-only on DEST\n"
+            "    --remount-ro DEST            Remount DEST as readonly; does not recursively remount\n"
+            "    --exec-label LABEL           Exec label for the sandbox\n"
+            "    --file-label LABEL           File label for temporary sandbox content\n"
+@@ -1874,6 +1876,30 @@ parse_args_recurse (int          *argcp,
+           if (strcmp(arg, "--dev-bind-try") == 0)
+             op->flags = ALLOW_NOTEXIST;
+ 
+          argv += 2;
+          argc -= 2;
+        }
+      else if (strcmp (arg, "--bind-fd") == 0 ||
+               strcmp (arg, "--ro-bind-fd") == 0)
+        {
+          int src_fd;
+          char *endptr;
+
+          if (argc < 3)
+            die ("--bind-fd takes two arguments");
+
+          src_fd = strtol (argv[1], &endptr, 10);
+          if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
+            die ("Invalid fd: %s", argv[1]);
+
+          if (strcmp(arg, "--ro-bind-fd") == 0)
+            op = setup_op_new (SETUP_RO_BIND_MOUNT);
+          else
+            op = setup_op_new (SETUP_BIND_MOUNT);
+          op->source = xasprintf ("/proc/self/fd/%d", src_fd);
+          op->fd = src_fd;
+          op->dest = argv[2];
+
+           argv += 2;
+           argc -= 2;
+         }
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index 6151f1a..82a3c9b 100755
+--- a/tests/test-run.sh
+++ b/tests/test-run.sh
+@@ -565,4 +565,10 @@ $RUN --argv0 right sh -c 'echo $0' > stdout
+ assert_file_has_content stdout right
+ ok "argv0 manipulation"
+ 
+
+echo "foobar" > file-data
+$RUN --proc /proc --dev /dev --bind / / --bind-fd 0 /tmp cat /tmp/file-data 0< . > stdout
+assert_file_has_content stdout foobar
+echo "ok - bind-fd"
+
+ done_testing
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1 +1,2 @@
 debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
+SECURITY-UPDATE.patch