diff --git a/debian/changelog b/debian/changelog
index 270eeb9..71e5ef3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+bubblewrap (0.9.0-ok2) nile; urgency=medium
+
+ * SECURITY UPDATE
+
+ -- liubo01 Mon, 04 Nov 2024 14:49:48 +0800
+
 bubblewrap (0.9.0-ok1) nile; urgency=medium
 * Build for openKylin.
diff --git a/debian/patches/SECURITY-UPDATE.patch b/debian/patches/SECURITY-UPDATE.patch
new file mode 100644
index 0000000..38948e4
--- /dev/null
+++ b/debian/patches/SECURITY-UPDATE.patch
@@ -0,0 +1,68 @@
+From: liubo0711 <1191322237@qq.com>
+Date: Mon, 4 Nov 2024 14:49:48 +0800
+Subject: SECURITY UPDATE
+
+---
+ bubblewrap.c | 26 ++++++++++++++++++++++++++
+ tests/test-run.sh | 6 ++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 1ea16c9..ee270ce 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -341,6 +341,8 @@ usage (int ecode, FILE *out)
+ " --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existent SRC\n"
+ " --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
+ " --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existent SRC\n"
++ " --bind-fd FD DEST Bind open directory or path fd on DEST\n"
++ " --ro-bind-fd FD DEST Bind open directory or path fd read-only on DEST\n"
+ " --remount-ro DEST Remount DEST as readonly; does not recursively remount\n"
+ " --exec-label LABEL Exec label for the sandbox\n"
+ " --file-label LABEL File label for temporary sandbox content\n"
+@@ -1874,6 +1876,30 @@ parse_args_recurse (int *argcp,
+ if (strcmp(arg, "--dev-bind-try") == 0)
+ op->flags = ALLOW_NOTEXIST;
+
++ argv += 2;
++ argc -= 2;
++ }
++ else if (strcmp (arg, "--bind-fd") == 0 ||
++ strcmp (arg, "--ro-bind-fd") == 0)
++ {
++ int src_fd;
++ char *endptr;
++
++ if (argc < 3)
++ die ("--bind-fd takes two arguments");
++
++ src_fd = strtol (argv[1], &endptr, 10);
++ if (argv[1][0] == 0 || endptr[0] != 0 || src_fd < 0)
++ die ("Invalid fd: %s", argv[1]);
++
++ if (strcmp(arg, "--ro-bind-fd") == 0)
++ op = setup_op_new (SETUP_RO_BIND_MOUNT);
++ else
++ op = setup_op_new (SETUP_BIND_MOUNT);
++ op->source = xasprintf ("/proc/self/fd/%d", src_fd);
++ op->fd = src_fd;
++ op->dest = argv[2];
++
+ argv += 2;
+ argc -= 2;
+ }
+diff --git a/tests/test-run.sh b/tests/test-run.sh
+index 6151f1a..82a3c9b 100755
+--- a/tests/test-run.sh
++++ b/tests/test-run.sh
+@@ -565,4 +565,10 @@ $RUN --argv0 right sh -c 'echo $0' > stdout
+ assert_file_has_content stdout right
+ ok "argv0 manipulation"
+
++
++echo "foobar" > file-data
++$RUN --proc /proc --dev /dev --bind / / --bind-fd 0 /tmp cat /tmp/file-data 0< . > stdout
++assert_file_has_content stdout foobar
++echo "ok - bind-fd"
++
+ done_testing
diff --git a/debian/patches/series b/debian/patches/series
index 4e2353c..b22156a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
+SECURITY-UPDATE.patch
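Review bot: The new `--bind-fd` branch in parse_args_recurse records the descriptor in `op->fd` but also sets `op->source` to `/proc/self/fd/N`, so the mount still goes through the ordinary path-based bind path, and the 26-line bubblewrap.c diffstat is fully accounted for by the usage and parse hunks — nothing in this patch consumes `op->fd` after parsing (the mount is performed in setup_newroot, outside the hunk). That means the magic link is resolved at mount time with no check that what got mounted is the object the caller's fd refers to, so the option offers no more race protection than `--bind` of the resolved path, and the fd is never closed before exec; if this is a backport of upstream's `--bind-fd`, it appears to be missing upstream's post-mount comparison of the fd against the mount point, which should be added after the bind-mount privileged_op in setup_newroot (sketch below). Two smaller points in the parse code: the argument-count error names `--bind-fd` even when `--ro-bind-fd` was given — `die ("%s takes two arguments", arg);` — and `strtol` is not guarded by `errno = 0`/`ERANGE` or an `fcntl (src_fd, F_GETFD)` check, so an overflowing or closed fd number is only reported later, at mount time, with a less useful message.

```c
/* setup_newroot: after the PRIV_SEP_OP_BIND_MOUNT privileged_op for SETUP_*_BIND_MOUNT */
if (op->fd >= 0)
  {
    struct stat fd_st, mount_st;

    /* /proc/self/fd/N is a magic link resolved at mount time; verify the
     * mounted object is the one the fd refers to, then drop the fd. */
    if (fstat (op->fd, &fd_st) != 0)
      die_with_error ("Can't stat fd %d", op->fd);
    if (lstat (dest, &mount_st) != 0)
      die_with_error ("Can't stat mount at %s", dest);
    if (fd_st.st_dev != mount_st.st_dev || fd_st.st_ino != mount_st.st_ino)
      die_with_error ("Race condition binding fd %d", op->fd);

    close (op->fd);
    op->fd = -1;
  }
```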