604758 – (CVE-2017-5180, CVE-2017-5206, CVE-2017-5207) <sys-apps/{firejail-0.9.44.4,firejail-lts-0.9.38.8}: root privilege escalation (CVE-2017-{5180,5206,5207})

Bug 604758 (CVE-2017-5180, CVE-2017-5206, CVE-2017-5207) - <sys-apps/{firejail-0.9.44.4,firejail-lts-0.9.38.8}: root privilege escalation (CVE-2017-{5180,5206,5207})

Summary: <sys-apps/{firejail-0.9.44.4,firejail-lts-0.9.38.8}: root privilege escalatio...

Status:	RESOLVED FIXED

Alias:	CVE-2017-5180, CVE-2017-5206, CVE-2017-5207

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B1 [glsa cve]
Keywords:

Duplicates (1):	605296 (view as bug list)
Depends on:
Blocks:

Reported:	2017-01-05 14:43 UTC by Thomas Deutschmann (RETIRED)
Modified:	2017-01-24 11:33 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	=sys-apps/firejail-0.9.44.4 =sys-apps/firejail-lts-0.9.38.8
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-05 14:43:00 UTC

CVE-2017-5180 (local root exploit), which relies on the X11
sandboxing features to overwrite an arbitrary file:
it makes ${SANDBOX_HOME}/.Xauthority be a symlink to the target file,
and writes the desired content in ~/.Xauthority.


From http://www.openwall.com/lists/oss-security/2017/01/04/1:

 * Analysis: Sandboxing is cool, but it has to be done right.
 * Firejail has too broad attack surface that allows users
 * to specify a lot of options, where one of them eventually
 * broke by accessing user-files while running with euid 0.
 * There are some other similar races. Turns out that it can be
 * _very difficult_ to create a generic sandbox suid wrapper thats
 * secure but still flexible enough to sandbox arbitrary binaries.


See https://github.com/netblue30/firejail/commit/e74fdab5d2125ce8f058c1630ce7cce19cbdac16 for first (incomplete) fix.

Comment 1 Michael Palimaka (kensington) gentoo-dev

2017-01-11 10:31:47 UTC

*** Bug 605296 has been marked as a duplicate of this bug. ***

Comment 2 Sebastian Pipping gentoo-dev

2017-01-11 19:51:38 UTC

Bumped non-LTS to 0.9.44.4.


commit 8323924482277778d11fb699aa24303338fabdc8
Author: Sebastian Pipping <sping@g.o>
Date:   Wed Jan 11 20:49:46 2017 +0100

    sys-apps/firejail: 0.9.44.4 (bug #604758)
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

 sys-apps/firejail/Manifest                         |  1 +
 .../files/firejail-0.9.44.4-sysmacros.patch        | 10 +++++
 sys-apps/firejail/firejail-0.9.44.4.ebuild         | 46 ++++++++++++++++++++++
 3 files changed, 57 insertions(+)

https://github.com/gentoo/gentoo/commit/8323924482277778d11fb699aa24303338fabdc8

Comment 3 Amadeusz Żołnowski (RETIRED) gentoo-dev

2017-01-11 21:24:18 UTC

commit 0d4eac03e17aefca1042c661bf8f7e226b46f258
Author: Amadeusz Żołnowski <aidecoe@gentoo.org>
Date:   Wed Jan 11 21:00:35 2017 +0000

    sys-apps/firejail-lts: Bump version

    Gentoo-Bug: 604758

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

Comment 4 Amadeusz Żołnowski (RETIRED) gentoo-dev

2017-01-11 21:25:02 UTC

Sebastian, thanks for bumping 0.9.40.x!

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-13 13:34:06 UTC

@ Arches,

please test and mark stable:

=sys-apps/firejail-0.9.44.4
=sys-apps/firejail-lts-0.9.38.8

Comment 6 Agostino Sarubbo gentoo-dev

2017-01-13 17:06:55 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-14 14:16:53 UTC

New GLSA request filed.

@ Maintainer(s): Please cleanup and drop previous vulnerable versions.

Comment 8 Amadeusz Żołnowski (RETIRED) gentoo-dev

2017-01-14 20:59:15 UTC

0.9.38.6 and 0.9.44.2 are removed.

Comment 9 Aaron Bauman (RETIRED) gentoo-dev

2017-01-24 11:31:52 UTC

CVE-2017-5206:

http://openwall.com/lists/oss-security/2017/01/07/5

CVE-2017-5207:

http://www.openwall.com/lists/oss-security/2017/01/07/6

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2017-01-24 11:33:33 UTC

This issue was resolved and addressed in
 GLSA 201701-62 at https://security.gentoo.org/glsa/201701-62
by GLSA coordinator Aaron Bauman (b-man).