Bug 850748 (CVE-2022-31214) - <sys-apps/firejail-0.9.70 sys-apps/firejail-lts: local privilege escalation via --join
Status: RESOLVED FIXED
Alias: CVE-2022-31214
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B1 [glsa+]
Keywords: PullRequest
Depends on: 858158
Reported: 2022-06-09 14:24 UTC by John Helmert III
Modified: 2023-05-03 10:07 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-09 14:24:10 UTC
Very detailed exploit and writeup at URL. There's a
patch available:

https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50

Workarounds exist:

Workarounds / Mitigations
=========================

System administrators can mitigate this vulnerability via the Firejail
configuration file in /etc/firejail/firejail.config. Either one of these
options will prevent the attack from succeeding:

- "force-nonewprivs yes"
- "join no"
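
Added example (not part of the original report or the Firejail project): a shell check that reports whether a firejail.config has either of the two mitigations quoted above in effect. It assumes whitespace-separated "key value" lines, that lines starting with '#' are comments, and that the last occurrence of a key wins; the function names and sample configs are hypothetical.

```shell
#!/bin/sh
# Audit a firejail.config for the CVE-2022-31214 workarounds
# ("force-nonewprivs yes" or "join no").

# Print the effective value of a key (assumption: last occurrence wins).
cfg_value() {
    # $1 = config file, $2 = key
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # commented-out setting: ignored
        NF == 2 && $1 == key { val = $2 }    # exact "key value" line
        END { if (val != "") print val }
    ' "$1"
}

# Print the active mitigation ("force-nonewprivs", "join") or "none".
# Exit status is 0 only when one of the two workarounds is in effect.
join_mitigation() {
    cfg="$1"
    if [ "$(cfg_value "$cfg" force-nonewprivs)" = "yes" ]; then
        echo "force-nonewprivs"
    elif [ "$(cfg_value "$cfg" join)" = "no" ]; then
        echo "join"
    else
        echo "none"
        return 1
    fi
}

# Constructed sample configs (not taken from a real system).
make_sample() {
    # $1 = sample name; prints the path of a temp file holding it
    f=$(mktemp)
    case "$1" in
        default)  printf '# force-nonewprivs no\n# join yes\n' ;;
        nnp)      printf 'force-nonewprivs yes\njoin yes\n' ;;
        nojoin)   printf '# force-nonewprivs yes\njoin   no\n' ;;
        override) printf 'join no\njoin yes\n' ;;
    esac > "$f"
    echo "$f"
}

# On a real host: join_mitigation /etc/firejail/firejail.config
```

A commented-out line such as "# join no" does not count as a mitigation, which is why the check ignores comment lines instead of grepping for the string.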
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-09 16:05:09 UTC
0.9.70 has the fix.
Comment 2 Larry the Git Cow gentoo-dev 2022-06-15 05:47:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc196a524bd19f0f9e5960c0fb4744347f0fd3af

commit cc196a524bd19f0f9e5960c0fb4744347f0fd3af
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2022-06-09 22:01:22 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-06-15 05:47:49 +0000

    sys-apps/firejail: bump to 0.9.70 for security fixes; cleanup
    
    Fix for CVE-2022-31214. Drop old version & un-tended-to live ebuild.
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/850748
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Closes: https://github.com/gentoo/gentoo/pull/25840
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest                         |  1 +
 .../firejail/files/firejail-0.9.70-envlimits.patch | 12 +++
 .../files/firejail-0.9.70-firecfg.config.patch     | 82 ++++++++++++++++++
 ...rejail-0.9.68.ebuild => firejail-0.9.70.ebuild} |  6 +-
 sys-apps/firejail/firejail-9999.ebuild             | 99 ----------------------
 sys-apps/firejail/metadata.xml                     |  1 -
 6 files changed, 98 insertions(+), 103 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-15 14:50:56 UTC
Thanks! Please stabilize when ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 10:44:43 UTC
Please cleanup, thanks!
Comment 5 Larry the Git Cow gentoo-dev 2022-07-15 12:10:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4841bfc1121b88d8603a594046429ca4eaa6978

commit c4841bfc1121b88d8603a594046429ca4eaa6978
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-07-15 12:10:04 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-07-15 12:10:30 +0000

    sys-apps/firejail: drop 0.9.68-r1
    
    Bug: https://bugs.gentoo.org/850748
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest                         |   1 -
 .../firejail/files/firejail-0.9.68-envlimits.patch |  12 ---
 .../files/firejail-0.9.68-firecfg.config.patch     |  81 --------------
 sys-apps/firejail/firejail-0.9.68-r1.ebuild        | 118 ---------------------
 4 files changed, 212 deletions(-)
Comment 6 Hank Leininger 2022-12-04 00:32:31 UTC
Can this security bug be closed please?

The fix has been in the tree for almost 6 months and the vulnerable version removed almost 5 months.

If a GLSA is needed, please let me know if I can help.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-05 00:23:27 UTC
I suspect we didn't change the whiteboard because we were waiting on firejail-lts removal. That's removed now.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-05 00:57:10 UTC
GLSA request filed
Comment 9 Larry the Git Cow gentoo-dev 2023-05-03 10:05:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=aae7358daf0c30f6977e45b822b7fa582382adbf

commit aae7358daf0c30f6977e45b822b7fa582382adbf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:04:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:05:29 +0000

    [ GLSA 202305-19 ] Firejail: Local Privilege Escalation
    
    Bug: https://bugs.gentoo.org/850748
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-19.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)