Firejail's latest release notes show an updated fix for a previous vulnerability thought patched in bug 604758. The issue seems to only be in the LTS version. From URL:

firejail (0.9.38.10) baseline; urgency=low
  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * security: tightening the rules for --chroot
  * bugfix: ported Gentoo compile patch
  * bugfix: fix ASSERT_PERMS_FD macro
 -- netblue30 Sun, 15 Jan 2017 10:00:00 -0500

~ eleix (Security Padawan)

Reproducible: Didn't try
sys-apps/firejail-lts-0.9.38.10 sys-apps/firejail-0.9.44.8 - pushed into repository.
@ Arches, please test and mark stable: =sys-apps/firejail-lts-0.9.38.10
amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Upstream has now confirmed that the previous fix was incomplete (an attacker just needed to rename a file...) and confirmed the issue for both versions.

@ Arches, please test and mark stable: =sys-apps/firejail-0.9.44.8
sys-apps/firejail-lts-0.9.38.8 - removed
amd64 stable. Maintainer(s), please cleanup.
New GLSA request filed. @ Maintainer(s): Please cleanup and drop <sys-apps/firejail-0.9.44.8!
sys-apps/firejail-0.9.44.4 has been removed.
CVE-2017-5940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5940): firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-5180.
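The CVE text above describes the general failure mode: a privileged (euid 0) helper that decides which user files it may touch by filename (dotfiles) can be redirected by a symlink placed in the user's home, and a fix that only enumerates names keeps missing cases. The C below is an added illustration of the defensive pattern, not firejail's own code or its fix: open the file with O_NOFOLLOW so a symlink is rejected regardless of its name or target, then fstat the opened descriptor and require a regular file owned by the expected uid. The scratch directory, the ".bashrc" and ".profile" names and the run_demo fixture are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` inside the directory referred to by `dirfd` as a regular file
 * owned by `uid`. O_NOFOLLOW makes the kernel refuse a symlink with ELOOP, so
 * the check does not depend on a list of dotfile names. The fstat on the
 * already-open descriptor checks the inode we actually got (not a path that a
 * user could swap underneath us). Returns an fd, or -1 with errno set. */
int open_user_dotfile(int dirfd, const char *name, uid_t uid) {
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP if `name` is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != uid) {
        close(fd); errno = EPERM; return -1;   /* wrong type or owner */
    }
    return fd;
}

typedef struct {
    int real_ok;          /* 1 if the genuine dotfile opened */
    int symlink_errno;    /* errno when opening the symlink (expect ELOOP) */
    int self_link_errno;  /* errno for a symlink pointing at our own file */
} demo_result;

/* Constructed fixture: a scratch home with a real ".bashrc", a ".profile"
 * symlink pointing outside the home, and ".bash_profile" pointing at .bashrc.
 * Even the link to the user's own file is refused: the policy is "no symlinks",
 * not "no symlinks to these targets". */
demo_result run_demo(void) {
    demo_result r = {0, 0, 0};
    char tmpl[] = "/tmp/dotfile-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return r;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) { rmdir(dir); return r; }

    int w = openat(dfd, ".bashrc", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (w >= 0) { const char *body = "export PS1='$ '\n"; write(w, body, strlen(body)); close(w); }
    symlinkat("/etc/passwd", dfd, ".profile");
    symlinkat(".bashrc", dfd, ".bash_profile");

    int a = open_user_dotfile(dfd, ".bashrc", getuid());
    r.real_ok = (a >= 0);
    if (a >= 0) close(a);

    int b = open_user_dotfile(dfd, ".profile", getuid());
    r.symlink_errno = (b < 0) ? errno : 0;
    if (b >= 0) close(b);

    int c = open_user_dotfile(dfd, ".bash_profile", getuid());
    r.self_link_errno = (c < 0) ? errno : 0;
    if (c >= 0) close(c);

    unlinkat(dfd, ".bashrc", 0);
    unlinkat(dfd, ".profile", 0);
    unlinkat(dfd, ".bash_profile", 0);
    close(dfd);
    rmdir(dir);
    return r;
}

int main(void) {
    demo_result r = run_demo();
    return (r.real_ok && r.symlink_errno == ELOOP && r.self_link_errno == ELOOP) ? 0 : 1;
}
```

The example runs as the invoking user; the same two checks are what matter when the caller really is euid 0 copying a user's files into a private home, which is the situation the CVE describes. Note that a name-based denylist is exactly what the incomplete fix relied on, and the second symlink shows why that is the wrong axis.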
This issue was resolved and addressed in GLSA 201702-03 at https://security.gentoo.org/glsa/201702-03 by GLSA coordinator Thomas Deutschmann (whissi).