| Field | Value |
|---|---|
| Summary | <sys-apps/firejail-0.9.64.4: root privilege escalation (CVE-2021-26910) |
| Product | Gentoo Security |
| Reporter | Sam James <sam> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | hlein, proxy-maint |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://www.openwall.com/lists/oss-security/2021/02/08/5 |
| See Also | https://github.com/gentoo/gentoo/pull/19377 |
| Whiteboard | B1 [glsa+ cve] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 769230 |
| Bug Blocks | |
Description
Sam James
2021-02-08 14:36:30 UTC
Please bump, thanks.

Assigned CVE-2021-26910: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26910

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c891dd97151555cea24f2793933c85fa0b8e71b

commit 5c891dd97151555cea24f2793933c85fa0b8e71b
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2021-02-08 20:21:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-09 07:26:41 +0000

    sys-apps/firejail: Version bump, disables overlayfs to fix privesc

    New version disables overlayfs, which has a root privesc vuln.
    Some new profiles and other minor fixes also included.

    Disable overlayfs USE flag in live ebuild as well.

    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/769230
    Bug: https://bugs.gentoo.org/769542
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/19377
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/firejail/Manifest                 |  1 +
 sys-apps/firejail/firejail-0.9.64.4.ebuild | 97 ++++++++++++++++++++++++++++++
 sys-apps/firejail/firejail-9999.ebuild     |  5 +-
 3 files changed, 100 insertions(+), 3 deletions(-)

Let's stable it in a few hours if no objections.

*** Bug 769227 has been marked as a duplicate of this bug. ***

*** Bug 771177 has been marked as a duplicate of this bug. ***

amd64 done

all arches done

Please cleanup, thanks!

(In reply to Sam James from comment #8)
> Please cleanup, thanks!

Done in https://github.com/gentoo/gentoo/pull/19512, but the Bug: addition isn't being picked up despite [please reassign], for some reason.

Cleanup done.

This security bug has been sitting open with no activity for a month even though the fix landed 1.5 months ago. What, if anything, is next to get it closed? Anything I can do to move it along?

(In reply to Hank Leininger from comment #11)
> This security bug has been sitting open with no activity for a month even
> though the fix landed 1.5 months ago. What if anything is next to get it
> closed? Anything I can do to move it along?

We've got a bit of a backlog with GLSAs right now, which is the only step to be done here internally. Nothing more for the maintainer to do, though.

(In reply to Sam James from comment #12)
> (In reply to Hank Leininger from comment #11)
> > This security bug has been sitting open with no activity for a month even
> > though the fix landed 1.5 months ago. What if anything is next to get it
> > closed? Anything I can do to move it along?
>
> We've got a bit of a backlog with GLSAs right now which is the only step to
> be done here internally. Nothing more for the maintainer to do though

OK, thanks! If I can help by drafting a GLSA, please let me know ;)

New GLSA request filed.

This issue was resolved and addressed in GLSA 202105-19 at https://security.gentoo.org/glsa/202105-19 by GLSA coordinator Thomas Deutschmann (whissi).