Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 736816 (CVE-2020-17367, CVE-2020-17368) - sys-apps/firejail: Multiple vulnerabilities (CVE-2020-{17367,17368})
Summary: sys-apps/firejail: Multiple vulnerabilities (CVE-2020-{17367,17368})
Alias: CVE-2020-17367, CVE-2020-17368
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [ebuild]
Keywords: PullRequest
: 741518 (view as bug list)
Depends on:
Reported: 2020-08-12 03:33 UTC by John Helmert III (ajak)
Modified: 2020-10-14 19:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) 2020-08-12 03:33:23 UTC
From URL:

Tim Starling discovered two vulnerabilities in firejail, a sandbox program to restrict the running environment of untrusted applications.

    It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to write data to a specified file.

    It was reported that firejail when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands.

CVE-2020-17367 patch:

CVE-2020-17368 patch:

Both appear to be released in
Comment 1 Sam James archtester gentoo-dev Security 2020-08-20 10:58:04 UTC
Comment 2 Sam James archtester gentoo-dev Security 2020-08-22 10:31:32 UTC
@expeditioneer, any update? I noticed you working on firejail today.
Comment 3 Sam James archtester gentoo-dev Security 2020-09-10 14:32:10 UTC
*** Bug 741518 has been marked as a duplicate of this bug. ***
Comment 4 Sam James archtester gentoo-dev Security 2020-09-10 14:32:26 UTC
Comment 5 Hank Leininger 2020-09-26 17:28:51 UTC
FWIW just copying the existing firejail-0.9.62-r1 to firejail- (the latest tagged upstream) in my overlay has been working perfectly[*] here for a few days.

[*] Except for a previously existing issue with nvidia+recent Chromium already reported upstream,
Comment 6 Sam James archtester gentoo-dev Security 2020-09-29 14:58:49 UTC
Comment 7 Sam James archtester gentoo-dev Security 2020-10-11 16:17:57 UTC
Dennis, I'm going to need to mask this for now. Let us know when you can work on a fix.
Comment 8 John Helmert III (ajak) 2020-10-13 01:42:45 UTC
Dropping -lts, looks like the --output option doesn't exist in it, so presuming that package isn't affected.