Tim Starling discovered two vulnerabilities in firejail, a sandbox program to restrict the running environment of untrusted applications.

CVE-2020-17367: It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application to write data to a specified file.

CVE-2020-17368: It was reported that firejail, when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands.

CVE-2020-17367 patch: https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37
CVE-2020-17368 patch: https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b

Both appear to be released in 0.9.62.2: https://github.com/netblue30/firejail/releases/tag/0.9.62.2
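The two argument-handling defects described above, shown against the safer pattern as an added illustration (this is not firejail's code and not its patch; the function names parse_sandbox_args and run_with_output are assumed): sandbox options are only recognised before "--", and output redirection is done with dup2 plus execvp on an argv array, so no shell ever parses the sandboxed program's arguments.

```c
/* Added illustration, not firejail's code: honour the "--" end-of-options
 * separator, and redirect output without building a shell command line. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Sandbox options are scanned only up to "--" (or the first non-option);
 * a "--output=" after that belongs to the sandboxed program and is ignored.
 * Returns the index of the program's own argv[0]. (Assumed function name.) */
int parse_sandbox_args(int argc, char **argv, const char **output_path) {
    *output_path = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0) return i + 1;  /* end of options */
        if (strncmp(argv[i], "--output=", 9) == 0) { *output_path = argv[i] + 9; continue; }
        if (argv[i][0] != '-') return i;               /* first non-option */
    }
    return argc;
}

/* Redirect stdout with dup2 and exec an argv array directly: no shell parses
 * the arguments, so metacharacters in them are inert. Returns the child's
 * exit status, or -1 on error. (Assumed function name.) */
int run_with_output(char **prog_argv, const char *output_path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (output_path) {
            int fd = open(output_path, O_WRONLY | O_CREAT | O_APPEND, 0600);
            if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0) _exit(126);
            close(fd);
        }
        execvp(prog_argv[0], prog_argv);
        _exit(127);                                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed argv: the second --output= and "a; b" follow "--" and belong to echo. */
    char *argv[] = {"sandbox", "--output=/tmp/sandbox.log", "--",
                    "echo", "--output=/tmp/not-ours", "a; b", NULL};
    const char *out;
    int first = parse_sandbox_args(6, argv, &out);
    printf("program at argv[%d], sandbox output file=%s\n", first, out);
    return run_with_output(argv + first, NULL);
}
```

Only the --output= that precedes "--" is honoured by the sandbox; the one after it, like the string containing ';', reaches echo as a plain argument.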
ping.
@expeditioneer, any update? I noticed you working on firejail today.
*** Bug 741518 has been marked as a duplicate of this bug. ***
Ping.
FWIW just copying the existing firejail-0.9.62-r1 to firejail-0.9.62.4.ebuild (the latest tagged upstream) in my overlay has been working perfectly[*] here for a few days.

[*] Except for a previously existing issue with nvidia+recent Chromium already reported upstream, https://github.com/netblue30/firejail/issues/3644
Dennis, I'm going to need to mask this for now. Let us know when you can work on a fix.
Dropping -lts, looks like the --output option doesn't exist in it, so presuming that package isn't affected.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f23fe664f064159ec4460c36c114ff5858c3033b

commit f23fe664f064159ec4460c36c114ff5858c3033b
Author: Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-10-14 17:36:50 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-11-11 07:50:10 +0000

    sys-apps/firejail: Version bump for CVEs, fixes, add proxy maintainer

    Version bump to address outstanding CVEs. Confirmed the current release
    includes the fixes for several open bugs, so closing those.

    Updated to address feedback in https://github.com/gentoo/gentoo/pull/17929

    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/698062
    Closes: https://bugs.gentoo.org/747859
    Closes: https://bugs.gentoo.org/747613
    Closes: https://bugs.gentoo.org/747859
    Bug: https://bugs.gentoo.org/736816
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/17929
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest               |  1 +
 sys-apps/firejail/firejail-0.9.64.ebuild | 83 ++++++++++++++++++++++++++++++++
 sys-apps/firejail/metadata.xml           | 10 +++-
 3 files changed, 93 insertions(+), 1 deletion(-)
amd64 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d4cd3c2890fdf89e50d4746bc72cad4b499ff8

commit c2d4cd3c2890fdf89e50d4746bc72cad4b499ff8
Author: Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-11-15 02:24:29 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-11-20 11:36:10 +0000

    sys-apps/firejail: Cleanup old versions

    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/736816
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/18263
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest                  |  1 -
 sys-apps/firejail/firejail-0.9.62-r1.ebuild | 80 -----------------------------
 sys-apps/firejail/firejail-0.9.62.ebuild    | 76 ---------------------------
 3 files changed, 157 deletions(-)
The vulnerable version has been removed from the tree since 2020-11-14, can someone with the right b.g.o perms close this bug please?

If a GLSA needs to be released first, is there anything I can do to help that along?
(In reply to Hank Leininger from comment #13)
> The vulnerable version has been removed from the tree since 2020-11-14, can
> someone with the right b.g.o perms close this bug please?
>
> If a GLSA needs to be released first, is there anything I can do to help
> that along?

We are waiting for the GLSA to be released, that's handled by the security team. After that we can close the bug, but feel free to un-CC yourself if you wish. Thank you for your attentiveness!
This issue was resolved and addressed in GLSA 202101-02 at https://security.gentoo.org/glsa/202101-02 by GLSA coordinator Sam James (sam_c).