"Summary: A vulnerability resulting in root privilege escalation was discovered in Firejail's OverlayFS code, Versions affected: Firejail software versions starting with 0.9.30. Long Term Support (LTS) Firejail branch is not affected by this bug. Workaround: Disable overlayfs feature at runtime. In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no". $ grep overlayfs /etc/firejail/firejail.config # Enable or disable overlayfs features, default enabled. overlayfs no Fix: The bug is fixed in Firejail version 0.9.64.4 GitHub commit: (file configure.ac) https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability. Functional PoC exploit code was provided to Firejail development team. A description of the problem is here on Roman's blog: https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/"
Please bump, thanks.
Assigned CVE-2021-26910 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26910
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c891dd97151555cea24f2793933c85fa0b8e71b

commit 5c891dd97151555cea24f2793933c85fa0b8e71b
Author: Hank Leininger <hlein@korelogic.com>
AuthorDate: 2021-02-08 20:21:30 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-02-09 07:26:41 +0000

    sys-apps/firejail: Version bump, disables overlayfs to fix privesc

    New version disables overlayfs, which has a root privesc vuln.
    Some new profiles and other minor fixes also included.

    Disable overlayfs USE flag in live ebuild as well.

    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/769230
    Bug: https://bugs.gentoo.org/769542
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/19377
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/firejail/Manifest                 |  1 +
 sys-apps/firejail/firejail-0.9.64.4.ebuild | 97 ++++++++++++++++++++++++++++++
 sys-apps/firejail/firejail-9999.ebuild     |  5 +-
 3 files changed, 100 insertions(+), 3 deletions(-)
Let's stable it in a few hours if no objections.
*** Bug 769227 has been marked as a duplicate of this bug. ***
*** Bug 771177 has been marked as a duplicate of this bug. ***
amd64 done

all arches done
Please cleanup, thanks!
(In reply to Sam James from comment #8)
> Please cleanup, thanks!

Done in https://github.com/gentoo/gentoo/pull/19512 , but the Bug: addition isn't being picked up despite [please reassign], for some reason.
Cleanup done.
This security bug has been sitting open with no activity for a month even though the fix landed 1.5 months ago. What if anything is next to get it closed? Anything I can do to move it along?
(In reply to Hank Leininger from comment #11)
> This security bug has been sitting open with no activity for a month even
> though the fix landed 1.5 months ago. What if anything is next to get it
> closed? Anything I can do to move it along?

We've got a bit of a backlog with GLSAs right now which is the only step to be done here internally. Nothing more for the maintainer to do though
(In reply to Sam James from comment #12)
> (In reply to Hank Leininger from comment #11)
> > This security bug has been sitting open with no activity for a month even
> > though the fix landed 1.5 months ago. What if anything is next to get it
> > closed? Anything I can do to move it along?
>
> We've got a bit of a backlog with GLSAs right now which is the only step to
> be done here internally. Nothing more for the maintainer to do though

OK, thanks! If I can help by drafting a GLSA, please let me know ;)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-19 at https://security.gentoo.org/glsa/202105-19 by GLSA coordinator Thomas Deutschmann (whissi).