* SECURITY UPDATE: privilege escalation when used in setuid mode
- debian/patches/CVE-2020-5291.patch: don't rely on geteuid() to know
when to switch back from setuid root in bubblewrap.c.
- CVE-2020-5291
* d/p/update-output-patterns-libcap-2.29.patch: cherry-pick proposed
fix to capability drop-related tests, which broke with newer libcap2.
* No-change rebuild with fixed binutils on arm64.
* Make autopkgtests cross-test-friendly.
* New upstream release
* Use debhelper-compat 12
* Standards-Version: 4.4.1 (no changes required)
* Release to unstable
* d/salsa-ci.yml: Request standard CI on salsa.debian.org
* d/rules: Disable any active LD_PRELOAD hacks while running tests.
These will typically assume a fully-featured OS (for example faketime
assumes sem_open() will work), but bubblewrap is a low-level tool
that temporarily operates in a container that is only partially
functional (for example /dev/shm isn't always mounted).
* Standards-Version: 4.4.0 (no changes required)
* New upstream release
- Drop all patches except
d/p/debian/Use-Python-3-for-test-demo-code.patch, merged upstream
* d/p/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch:
Replace with the version that was applied upstream
* d/p/tests-Ensure-that-tmpfs-with-oldroot-newroot-doesn-t-appe.patch:
Add a test to check that the above patch works as intended
* d/p/Don-t-create-our-own-temporary-mount-point-for-pivot_root.patch:
Avoid denial of service and potential symlink attacks on systems not
using systemd-logind (Closes: #923557)
* Standards-Version: 4.3.0 (no changes required)
* d/upstream/metadata: Add DEP-12 metadata
[ Iain Lane ]
* d/tests/basic: Don't assume `id` will be the same inside the sandbox,
making this test pass on (Ubuntu) systems where bubblewrap is not
setuid (Closes: #910006)
* d/tests/upstream-usrmerge: Add a test to ensure that bubblewrap
works on a /usr-merged system
[ Simon McVittie ]
* d/p/tests-Handle-systems-without-merged-usr.patch:
Add patch from upstream git to make tests pass on non-merged-/usr
systems where bubblewrap is not setuid. Thanks to Iain Lane.
* d/p/man-page-Describe-chdir-not-nonexistent-cwd.patch:
Add patch from upstream git to fix documentation of --chdir option
* d/p/Make-lockdata-long-enough-on-32-bit-with-64-bit-file-poin.patch:
Add patch from upstream git to fix lock handling in tests on 32-bit
platforms with 64-bit off_t. Thanks to Timothy E Baldwin.
[ Simon McVittie ]
* Standards-Version: 4.2.1 (no changes required)
* New upstream release
[ Iain Lane ]
* Don't install setuid on Ubuntu and derivatives.
Ubuntu's kernel enables unprivileged user namespaces, so we don't
need to install bwrap setuid there.
* New upstream release
* Upload to unstable
- d/gbp.conf: Switch back to debian/master
* Standards-Version: 4.1.5 (no changes required)
* d/watch: Strip +N+gHHHHHHH snapshot markers from version
* d/gbp.conf: Use debian/experimental branch
* New upstream git snapshot
* New upstream release
- Drop all patches except
d/p/debian/Use-Python-3-for-test-demo-code.patch, merged upstream
* Standards-Version: 4.1.4 (no changes required)
* Change Vcs-* to point to salsa.debian.org
* Standards-Version: 4.1.3 (no changes required)
* d/control, d/tests/control,
d/p/debian/Use-Python-3-for-test-demo-code.patch:
Use Python 3 for tests and demo code
* d/control: Annotate python3 dependency with <!nocheck>
* d/patches/0.2.1/userns-block-fd-*.patch: Update patches to match
what was merged upstream, with both Python 2 and 3 support
* Standards-Version: 4.1.2 (no changes required)
* Build-depend on automake (>= 1.14.1) to avoid backports
resolvers sometimes deciding to install automake1.11, which is
not enough
* Standards-Version: 4.1.1 (no changes required)
* Set Rules-Requires-Root: no
* d/dist/, d/patches/dist/: Add missing files via a patch instead of
shipping them in debian/
* Add patches to make demos/userns-block-fd.py work on Debian
* New upstream release
* d/watch: Import release tarballs
* d/gbp.conf: Merge upstream git tags into the tarball imports
* d/watch: Stop repacking upstream tarballs
* d/dist/: Add upstream README.md and demos/ directory, which are
missing from the official tarball releases
* d/gbp.conf: Branch for experimental
* New upstream snapshot v0.1.8-37-g27eb690
- d/copyright: Remove Files-Excluded, the non-DFSG file was removed
upstream
- d/patches: Remove
* d/watch: Adjust to remove +git... suffix
* d/tests/upstream-as-root: Re-run upstream tests as root if allowed
* d/tests/control: Depend on libcap2-bin, for capsh and getpcaps
* Repack tarball to remove CC-BY-ND cat picture (Closes: #876980)
- d/copyright: Add Files-Excluded
- d/watch: Adjust to add/remove +dfsg suffix
- Add patch from upstream removing a link to it from the README
* d/watch: Take the opportunity to upgrade to v4 and use @PACKAGE@,
@ANY_VERSION@, @ARCHIVE_EXT@ tokens
* Use Perl rather than shell script for the autopkgtest test cases.
This avoids needing the uncommon bats package, or writing shell
scripts.
* Standards-Version: 4.0.0
- Use https URL for format of debian/copyright
* Upload to unstable
* New upstream release
- Stop trying to run tests/test-basic.sh, it no longer exists
- Build-depend on python, one test now needs it
* Build-depend on docbook-xml for the documentation DTD
* Move to debhelper compat level 10
- drop dh-autoreconf, it is now done by default
- drop explicit --parallel, it is now the default
* New upstream release
- effectively the same as 0.1.6-2
- drop all patches
* d/p/Make-the-call-to-setsid-optional-with-new-session.patch:
Add patch from upstream to make the setsid() that addresses
CVE-2017-5226 optional, because it breaks interactive shells.
Users of bubblewrap to confine untrusted programs should either
add --new-session to the bwrap command line, or prevent the
TIOCSTI ioctl with a seccomp filter instead (as Flatpak does).
- d/control: add Breaks on versions of Flatpak that did not
load the necessary seccomp filter to prevent CVE-2017-5226
* d/p/demos-bubblewrap-shell.sh-Unshare-all-namespaces.patch:
Add patch from upstream to improve example code
* d/p/Call-setsid-and-setexeccon-befor-forking-the-init-monitor.patch,
d/p/Install-seccomp-filter-at-the-very-end.patch:
Add patches from upstream to re-order initialization. This means
the seccomp filter is no longer required to account for syscalls that
are made by bwrap itself.
* d/p/Add-unshare-all-and-share-net.patch:
Add patch from upstream introducing new command line options
--unshare-all and --share-net, for a more whitelist-based approach
to sharing namespaces with the parent.
* New upstream release
- drop the only patch, applied upstream
* debian/patches: update to upstream master for additional fixes
to SIGCHLD handling and documentation, and improved hardening
against being able to obtain capabilities
* debian/bubblewrap.examples: install upstream examples
* d/p/Call-setsid-before-executing-sandboxed-code-CVE-2017-5226.patch:
Call setsid() before executing sandboxed code, preventing a
sandboxed executable invoked with a controlling terminal (for
example in Flatpak) from escalating its privileges by injecting
keypresses into the controlling terminal with the TIOCSTI
ioctl. (Closes: #850702; CVE-2017-5226)
* d/control: remove Maintainer status from Laszlo Boszormenyi at his
request. Add him to Uploaders instead, and hand the package over
to the Utopia Maintenance Team (the same as OSTree and Flatpak).
* New upstream release
- drop all patches, applied upstream
- debian/copyright: update for build system additions
* d/tests/*: only run tests on a real or virtual machine, not in a
container. bubblewrap is effectively already a container, and
nesting containers doesn't work particularly well.
Unfortunately this means the tests won't work on ci.debian.net,
which uses LXC.
* New upstream release
* d/p/test-run-be-a-bash-script.patch,
d/p/test-run-don-t-assume-we-are-uid-1000.patch,
d/p/Adapt-tests-so-they-can-be-run-against-installed-binaries.patch,
d/p/Fix-incorrect-nesting-of-backticks-when-finding-a-FUSE-mo.patch:
improve the upstream tests
* d/tests/upstream: run the upstream tests as autopkgtests
* d/rules: Do not enable setuid mode at configure time. If we do, we
can't run the build-time tests, and it no longer makes any difference
to the actual code. Make the executable setuid via Debian packaging
instead.
* New upstream release
- bring back --set-hostname, the upstream fix for CVE-2016-8659
makes it no longer a vulnerability
* Revert addition of --set-hostname as a short-term fix for
CVE-2016-8659 (Closes: #840605)
* New upstream release
* New upstream release
- drop patch, included upstream
* d/control: bubblewrap is Multi-Arch: foreign
* Hardening: build as a position-independent executable with
eager symbol binding
* Run basic and dev autopkgtests in addition to userns
* Really add the regression test for keeping CAP_NET_ADMIN
* debian/gbp.conf: add DEP-14-style git-buildpackage configuration
* Normalize package lists via `wrap-and-sort -abst`
* Add Vcs-Git, Vcs-Browser metadata
* d/p/build-put-libraries-in-LDADD-not-LDFLAGS.patch: new patch
fixing linking with -Wl,--as-needed (closes: #826787)
* New upstream release (closes: #826358).
* Add watch file.
* Add Simon McVittie as uploader.
[ Simon McVittie <smcv@debian.org> ]
* debian/copyright: correct package name and source (closes: #824969)
* debian/control: make the whole package Linux-only. Like Flatpak, this
package is inherently non-portable.
* Move from Section: web to Section: admin
* Increase Priority to optional, because this tool is likely to be
depended on by gnome-software (via Flatpak) in future
* Add some simple autopkgtests, including one for bug 71 (closes: #824968)
* Install bwrap binary setuid (closes: #824646).
* Make libselinux1-dev build dependency Linux only.
* Initial upload (closes: #823548).