Bug 607382 (CVE-2017-5940) - <sys-apps/firejail{-0.9.44.8,-lts-0.9.38.10}: Local root exploit (CVE-2017-5940)
Status: RESOLVED FIXED
Alias: CVE-2017-5940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://firejail.wordpress.com/downlo...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-27 09:04 UTC by Francis Booth
Modified: 2017-02-09 15:42 UTC

See Also:
Package list:
=sys-apps/firejail-lts-0.9.38.10 =sys-apps/firejail-0.9.44.8
Runtime testing required: ---
stable-bot: sanity-check+


Description Francis Booth 2017-01-27 09:04:50 UTC
Firejail latest release notes show an updated fix for a previous vulnerability thought patched in bug 604758.

Issue seems to only be in the LTS version.

From URL:

firejail (0.9.38.10) baseline; urgency=low
  * security: new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * security: tightening the rules for --chroot
  * bugfix: ported Gentoo compile patch
  * bugfix: fix ASSERT_PERMS_FD macro
 -- netblue30   Sun, 15 Jan 2017 10:00:00 -0500


~ eleix (Security Padawan)


Reproducible: Didn't try
Comment 1 Amadeusz Żołnowski gentoo-dev 2017-01-27 22:22:36 UTC
sys-apps/firejail-lts-0.9.38.10
sys-apps/firejail-0.9.44.8

- pushed into repository.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-01-28 00:14:16 UTC
@ Arches,

please test and mark stable: =sys-apps/firejail-lts-0.9.38.10
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-29 13:56:24 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-01-29 15:33:05 UTC
Upstream has now confirmed that the previous fix was incomplete (an attacker just needed to rename a file...) and confirmed the issue for both versions.


@ Arches,

please test and mark stable: =sys-apps/firejail-0.9.44.8
Comment 5 Amadeusz Żołnowski gentoo-dev 2017-01-29 18:09:17 UTC
sys-apps/firejail-lts-0.9.38.8 - removed
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-30 13:10:24 UTC
amd64 stable.

Maintainer(s), please cleanup.
Comment 7 Thomas Deutschmann gentoo-dev Security 2017-01-30 13:27:20 UTC
New GLSA request filed.

@ Maintainer(s): Please cleanup and drop <sys-apps/firejail-0.9.44.8!
Comment 8 Amadeusz Żołnowski gentoo-dev 2017-01-31 20:06:58 UTC
sys-apps/firejail-0.9.44.4 has been removed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-02-09 15:23:49 UTC
CVE-2017-5940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5940):
  firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not
  comprehensively address dotfile cases during its attempt to prevent
  accessing user files with an euid of zero, which allows local users to
  conduct sandbox-escape attacks via vectors involving a symlink and the
  --private option.
  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2017-5180.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-02-09 15:42:12 UTC
This issue was resolved and addressed in
 GLSA 201702-03 at https://security.gentoo.org/glsa/201702-03
by GLSA coordinator Thomas Deutschmann (whissi).