Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 604758 (CVE-2017-5180, CVE-2017-5206, CVE-2017-5207) - <sys-apps/{firejail-0.9.44.4,firejail-lts-0.9.38.8}: root privilege escalation (CVE-2017-{5180,5206,5207})
Summary: <sys-apps/{firejail-0.9.44.4,firejail-lts-0.9.38.8}: root privilege escalatio...
Status: RESOLVED FIXED
Alias: CVE-2017-5180, CVE-2017-5206, CVE-2017-5207
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B1 [glsa cve]
Keywords:
: 605296 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-01-05 14:43 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-24 11:33 UTC (History)
2 users (show)

See Also:
Package list:
=sys-apps/firejail-0.9.44.4 =sys-apps/firejail-lts-0.9.38.8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-05 14:43:00 UTC
CVE-2017-5180 (local root exploit), which relies on the X11
sandboxing features to overwrite an arbitrary file:
it makes ${SANDBOX_HOME}/.Xauthority be a symlink to the target file,
and writes the desired content in ~/.Xauthority.


From http://www.openwall.com/lists/oss-security/2017/01/04/1:

 * Analysis: Sandboxing is cool, but it has to be done right.
 * Firejail has too broad attack surface that allows users
 * to specify a lot of options, where one of them eventually
 * broke by accessing user-files while running with euid 0.
 * There are some other similar races. Turns out that it can be
 * _very difficult_ to create a generic sandbox suid wrapper thats
 * secure but still flexible enough to sandbox arbitrary binaries.


See https://github.com/netblue30/firejail/commit/e74fdab5d2125ce8f058c1630ce7cce19cbdac16 for first (incomplete) fix.
Comment 1 Michael Palimaka (kensington) gentoo-dev 2017-01-11 10:31:47 UTC
*** Bug 605296 has been marked as a duplicate of this bug. ***
Comment 2 Sebastian Pipping gentoo-dev 2017-01-11 19:51:38 UTC
Bumped non-LTS to 0.9.44.4.


commit 8323924482277778d11fb699aa24303338fabdc8
Author: Sebastian Pipping <sping@g.o>
Date:   Wed Jan 11 20:49:46 2017 +0100

    sys-apps/firejail: 0.9.44.4 (bug #604758)
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

 sys-apps/firejail/Manifest                         |  1 +
 .../files/firejail-0.9.44.4-sysmacros.patch        | 10 +++++
 sys-apps/firejail/firejail-0.9.44.4.ebuild         | 46 ++++++++++++++++++++++
 3 files changed, 57 insertions(+)

https://github.com/gentoo/gentoo/commit/8323924482277778d11fb699aa24303338fabdc8
Comment 3 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-01-11 21:24:18 UTC
commit 0d4eac03e17aefca1042c661bf8f7e226b46f258
Author: Amadeusz Żołnowski <aidecoe@gentoo.org>
Date:   Wed Jan 11 21:00:35 2017 +0000

    sys-apps/firejail-lts: Bump version

    Gentoo-Bug: 604758

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 4 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-01-11 21:25:02 UTC
Sebastian, thanks for bumping 0.9.40.x!
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-13 13:34:06 UTC
@ Arches,

please test and mark stable:

=sys-apps/firejail-0.9.44.4
=sys-apps/firejail-lts-0.9.38.8
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-13 17:06:55 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-14 14:16:53 UTC
New GLSA request filed.

@ Maintainer(s): Please cleanup and drop previous vulnerable versions.
Comment 8 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-01-14 20:59:15 UTC
0.9.38.6 and 0.9.44.2 are removed.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 11:31:52 UTC
CVE-2017-5206:

http://openwall.com/lists/oss-security/2017/01/07/5

CVE-2017-5207:

http://www.openwall.com/lists/oss-security/2017/01/07/6
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-01-24 11:33:33 UTC
This issue was resolved and addressed in
 GLSA 201701-62 at https://security.gentoo.org/glsa/201701-62
by GLSA coordinator Aaron Bauman (b-man).