Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 736816 (CVE-2020-17367, CVE-2020-17368) - sys-apps/firejail: Multiple vulnerabilities (CVE-2020-{17367,17368})
Summary: sys-apps/firejail: Multiple vulnerabilities (CVE-2020-{17367,17368})
Status: IN_PROGRESS
Alias: CVE-2020-17367, CVE-2020-17368
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.debian.org/security/2020/...
Whiteboard: B2 [ebuild]
Keywords: PullRequest
: 741518 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-08-12 03:33 UTC by John Helmert III (ajak)
Modified: 2020-10-14 19:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) 2020-08-12 03:33:23 UTC
From URL:

Tim Starling discovered two vulnerabilities in firejail, a sandbox program to restrict the running environment of untrusted applications.

CVE-2020-17367:
    It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to write data to a specified file.

CVE-2020-17368:
    It was reported that firejail when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands.


CVE-2020-17367 patch: https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37

CVE-2020-17368 patch: https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b

Both appear to be released in 0.9.62.2: https://github.com/netblue30/firejail/releases/tag/0.9.62.2
Comment 1 Sam James archtester gentoo-dev Security 2020-08-20 10:58:04 UTC
ping.
Comment 2 Sam James archtester gentoo-dev Security 2020-08-22 10:31:32 UTC
@expeditioneer, any update? I noticed you working on firejail today.
Comment 3 Sam James archtester gentoo-dev Security 2020-09-10 14:32:10 UTC
*** Bug 741518 has been marked as a duplicate of this bug. ***
Comment 4 Sam James archtester gentoo-dev Security 2020-09-10 14:32:26 UTC
Ping.
Comment 5 Hank Leininger 2020-09-26 17:28:51 UTC
FWIW just copying the existing firejail-0.9.62-r1 to firejail-0.9.62.4.ebuild (the latest tagged upstream) in my overlay has been working perfectly[*] here for a few days.

[*] Except for a previously existing issue with nvidia+recent Chromium already reported upstream, https://github.com/netblue30/firejail/issues/3644
Comment 6 Sam James archtester gentoo-dev Security 2020-09-29 14:58:49 UTC
ping.
Comment 7 Sam James archtester gentoo-dev Security 2020-10-11 16:17:57 UTC
Dennis, I'm going to need to mask this for now. Let us know when you can work on a fix.
Comment 8 John Helmert III (ajak) 2020-10-13 01:42:45 UTC
Dropping -lts, looks like the --output option doesn't exist in it, so presuming that package isn't affected.