Bug 607382 (CVE-2017-5940)

Summary: <sys-apps/firejail{-0.9.44.8,-lts-0.9.38.10}: Local root exploit (CVE-2017-5940)
Product: Gentoo Security
Reporter: Francis Booth <boothf>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: aidecoe
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://firejail.wordpress.com/download-2/release-notes/
Whiteboard: B1 [glsa cve]
Package list:
=sys-apps/firejail-lts-0.9.38.10 =sys-apps/firejail-0.9.44.8
Runtime testing required: ---

Description Francis Booth 2017-01-27 09:04:50 UTC
Firejail's latest release notes show an updated fix for a previous vulnerability thought patched in bug 604758.

Issue seems to only be in the LTS version.

From URL:

firejail (0.9.38.10) baseline; urgency=low
  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * security: tightening the rules for --chroot
  * bugfix: ported Gentoo compile patch
  * bugfix: fix ASSERT_PERMS_FD macro
 -- netblue30   Sun, 15 Jan 2017 10:00:00 -0500


~ eleix (Security Padawan)


Reproducible: Didn't try
Comment 1 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-01-27 22:22:36 UTC
sys-apps/firejail-lts-0.9.38.10
sys-apps/firejail-0.9.44.8

- pushed into repository.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-28 00:14:16 UTC
@ Arches,

please test and mark stable: =sys-apps/firejail-lts-0.9.38.10
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-29 13:56:24 UTC
amd64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-29 15:33:05 UTC
Upstream has now confirmed that the previous fix was incomplete (an attacker just needed to rename a file...) and confirmed the issue for both versions.


@ Arches,

please test and mark stable: =sys-apps/firejail-0.9.44.8
Comment 5 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-01-29 18:09:17 UTC
sys-apps/firejail-lts-0.9.38.8 - removed
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-30 13:10:24 UTC
amd64 stable.

Maintainer(s), please clean up.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 13:27:20 UTC
New GLSA request filed.

@ Maintainer(s): Please clean up and drop <sys-apps/firejail-0.9.44.8!
Comment 8 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-01-31 20:06:58 UTC
sys-apps/firejail-0.9.44.4 has been removed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-02-09 15:23:49 UTC
CVE-2017-5940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5940):
  firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not
  comprehensively address dotfile cases during its attempt to prevent
  accessing user files with an euid of zero, which allows local users to
  conduct sandbox-escape attacks via vectors involving a symlink and the
  --private option.
  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2017-5180.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-02-09 15:42:12 UTC
This issue was resolved and addressed in
 GLSA 201702-03 at https://security.gentoo.org/glsa/201702-03
by GLSA coordinator Thomas Deutschmann (whissi).