Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 687612 (CVE-2019-12589) - <sys-apps/firejail-0.9.60-r1: unauthorized disclosure of information (CVE-2019-12589)
Summary: <sys-apps/firejail-0.9.60-r1: unauthorized disclosure of information (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2019-12589
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor with 1 vote (vote)
Assignee: Gentoo Security
URL: https://github.com/netblue30/firejail...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on: CVE-2019-12499
Blocks: 678976
  Show dependency tree
 
Reported: 2019-06-08 01:44 UTC by D'juan McDonald (domhnall)
Modified: 2020-03-15 21:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-06-08 01:44:02 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-12589):

In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process that is joined to the jail after a filter has been modified by an attacker.

Upstream Reference: https://github.com/netblue30/firejail/issues/2718

Upstream Patch: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134



Gentoo Security Padawan
(domhnall)
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-11 18:45:45 UTC
This "was fixed in 0.9.60, 0.9.56.2-LTS" [1].

[1]: https://firejail.wordpress.com/download-2/cve-status/

Maintainer, do you intend to bump the LTS release?
Comment 2 Dennis Lamm gentoo-dev 2019-08-12 04:53:59 UTC
Hi Aaron,

yes the ebuild of the firejail LTS version was bumped to 0.9.56.2.

Best regards,
Dennis
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-15 21:46:28 UTC
Repository is clean, all done!