
Bug 736816 (CVE-2020-17367, CVE-2020-17368)

Summary: <sys-apps/firejail-0.9.64: Multiple vulnerabilities (CVE-2020-{17367,17368})
Product: Gentoo Security
Reporter: John Helmert III (ajak) <jchelmert3>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: esteve.varela, expeditioneer, hlein, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.debian.org/security/2020/dsa-4742
See Also: https://bugs.gentoo.org/show_bug.cgi?id=741518
https://bugs.gentoo.org/show_bug.cgi?id=745438
https://github.com/gentoo/gentoo/pull/17929
https://github.com/gentoo/gentoo/pull/18263
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description John Helmert III (ajak) 2020-08-12 03:33:23 UTC
From URL:

Tim Starling discovered two vulnerabilities in firejail, a sandbox program to restrict the running environment of untrusted applications.

CVE-2020-17367:
    It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to write data to a specified file.

CVE-2020-17368:
    It was reported that firejail when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands.


CVE-2020-17367 patch: https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37

CVE-2020-17368 patch: https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b

Both appear to be released in 0.9.62.2: https://github.com/netblue30/firejail/releases/tag/0.9.62.2
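
An added example, not part of the original report and not firejail's code: it illustrates the two defensive rules implied by the advisory text above. Sandbox options are read only up to `--` or the program name, and each argument is quoted as a single word if a shell command string has to be built. The helper names `sandbox_output_opt` and `shell_quote` and the sample command line are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return the value of --output=FILE only when it is one
 * of the sandbox's own options, i.e. it appears before "--" or before the
 * first non-option word (the program to run). */
const char *sandbox_output_opt(int argc, char **argv) {
    const char *out = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0 || argv[i][0] != '-')
            break; /* end of options: the rest belongs to the program */
        if (strncmp(argv[i], "--output=", 9) == 0)
            out = argv[i] + 9;
    }
    return out;
}

/* Hypothetical helper: copy arg into dst as one single-quoted shell word,
 * rewriting an embedded ' as '\'' . Returns 0, or -1 if dst is too small. */
int shell_quote(const char *arg, char *dst, size_t dstsz) {
    size_t n = 0;
    if (dstsz < 3)
        return -1;
    dst[n++] = '\'';
    for (; *arg; arg++) {
        size_t need = (*arg == '\'') ? 4 : 1;
        if (n + need + 2 > dstsz) /* keep room for closing quote and NUL */
            return -1;
        if (*arg == '\'') {
            memcpy(dst + n, "'\\''", 4);
            n += 4;
        } else {
            dst[n++] = *arg;
        }
    }
    dst[n++] = '\'';
    dst[n] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample command line: the option after "--" is program data. */
    char *argv[] = {"firejail", "--", "prog", "--output=/tmp/x", NULL};
    char buf[64];
    const char *out = sandbox_output_opt(4, argv);
    printf("sandbox output file: %s\n", out ? out : "(none)");
    if (shell_quote("two words; it's one arg", buf, sizeof buf) == 0)
        printf("quoted: %s\n", buf);
    return 0;
}
```

Passing the argument vector straight to `execvp()` avoids the shell entirely; quoting is the fallback when a command string is unavoidable.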
Comment 1 Sam James archtester gentoo-dev Security 2020-08-20 10:58:04 UTC
ping.
Comment 2 Sam James archtester gentoo-dev Security 2020-08-22 10:31:32 UTC
@expeditioneer, any update? I noticed you working on firejail today.
Comment 3 Sam James archtester gentoo-dev Security 2020-09-10 14:32:10 UTC
*** Bug 741518 has been marked as a duplicate of this bug. ***
Comment 4 Sam James archtester gentoo-dev Security 2020-09-10 14:32:26 UTC
Ping.
Comment 5 Hank Leininger 2020-09-26 17:28:51 UTC
FWIW just copying the existing firejail-0.9.62-r1 to firejail-0.9.62.4.ebuild (the latest tagged upstream) in my overlay has been working perfectly[*] here for a few days.

[*] Except for a previously existing issue with nvidia+recent Chromium already reported upstream, https://github.com/netblue30/firejail/issues/3644
Comment 6 Sam James archtester gentoo-dev Security 2020-09-29 14:58:49 UTC
ping.
Comment 7 Sam James archtester gentoo-dev Security 2020-10-11 16:17:57 UTC
Dennis, I'm going to need to mask this for now. Let us know when you can work on a fix.
Comment 8 John Helmert III (ajak) 2020-10-13 01:42:45 UTC
Dropping -lts, looks like the --output option doesn't exist in it, so presuming that package isn't affected.
Comment 9 Larry the Git Cow gentoo-dev 2020-11-11 07:50:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f23fe664f064159ec4460c36c114ff5858c3033b

commit f23fe664f064159ec4460c36c114ff5858c3033b
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-10-14 17:36:50 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-11-11 07:50:10 +0000

    sys-apps/firejail: Version bump for CVEs, fixes, add proxy maintainer
    
    Version bump to address outstanding CVEs. Confirmed the current
    release includes the fixes for several open bugs, so closing those.
    
    Updated to address feedback in https://github.com/gentoo/gentoo/pull/17929
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/698062
    Closes: https://bugs.gentoo.org/747859
    Closes: https://bugs.gentoo.org/747613
    Closes: https://bugs.gentoo.org/747859
    Bug: https://bugs.gentoo.org/736816
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/17929
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest               |  1 +
 sys-apps/firejail/firejail-0.9.64.ebuild | 83 ++++++++++++++++++++++++++++++++
 sys-apps/firejail/metadata.xml           | 10 +++-
 3 files changed, 93 insertions(+), 1 deletion(-)
Comment 10 Sam James archtester gentoo-dev Security 2020-11-14 23:38:20 UTC
amd64 done

all arches done
Comment 11 John Helmert III (ajak) 2020-11-15 00:57:32 UTC
Please cleanup.
Comment 12 Larry the Git Cow gentoo-dev 2020-11-20 11:45:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d4cd3c2890fdf89e50d4746bc72cad4b499ff8

commit c2d4cd3c2890fdf89e50d4746bc72cad4b499ff8
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-11-15 02:24:29 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-11-20 11:36:10 +0000

    sys-apps/firejail: Cleanup old versions
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/736816
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/18263
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest                  |  1 -
 sys-apps/firejail/firejail-0.9.62-r1.ebuild | 80 -----------------------------
 sys-apps/firejail/firejail-0.9.62.ebuild    | 76 ---------------------------
 3 files changed, 157 deletions(-)