Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 769542 (CVE-2021-26910) - <sys-apps/firejail-0.9.64.4: root privilege escalation (CVE-2021-26910)
Summary: <sys-apps/firejail-0.9.64.4: root privilege escalation (CVE-2021-26910)
Status: RESOLVED FIXED
Alias: CVE-2021-26910
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B1 [glsa+ cve]
Keywords:
: 769227 771177 (view as bug list)
Depends on: 769230
Blocks:
  Show dependency tree
 
Reported: 2021-02-08 14:36 UTC by Sam James
Modified: 2021-05-26 08:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 14:36:30 UTC
"Summary: A vulnerability resulting in root privilege escalation was discovered in Firejail's OverlayFS code,

Versions affected: Firejail software versions starting with 0.9.30.
Long Term Support (LTS) Firejail branch is not affected by this bug.

Workaround: Disable overlayfs feature at runtime. In a text editor open /etc/firejail/firejail.config file,
and set "overlayfs" entry to "no".

     $ grep overlayfs /etc/firejail/firejail.config
     # Enable or disable overlayfs features, default enabled.
     overlayfs no

Fix: The bug is fixed in Firejail version 0.9.64.4

GitHub commit: (file configure.ac)
https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b

Credit:  Security researcher Roman Fiedler analyzed the code and discovered the vulnerability.
Functional PoC exploit code was provided to Firejail development team.
A description of the problem is here on Roman's blog:

https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/"
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 14:36:55 UTC
Please bump, thanks.
Comment 2 Hank Leininger 2021-02-09 07:14:48 UTC
Assigned CVE-2021-26910

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26910
Comment 3 Larry the Git Cow gentoo-dev 2021-02-09 07:34:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c891dd97151555cea24f2793933c85fa0b8e71b

commit 5c891dd97151555cea24f2793933c85fa0b8e71b
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2021-02-08 20:21:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-09 07:26:41 +0000

    sys-apps/firejail: Version bump, disables overlayfs to fix privesc
    
    New version disables overlayfs, which has a root privesc vuln.
    Some new profiles and other minor fixes also included. Disable
    overlayfs USE flag in live ebuild as well.
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/769230
    Bug: https://bugs.gentoo.org/769542
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/19377
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/firejail/Manifest                 |  1 +
 sys-apps/firejail/firejail-0.9.64.4.ebuild | 97 ++++++++++++++++++++++++++++++
 sys-apps/firejail/firejail-9999.ebuild     |  5 +-
 3 files changed, 100 insertions(+), 3 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 07:47:05 UTC
Let's stable it in a few hours if no objections.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-12 10:35:46 UTC
*** Bug 769227 has been marked as a duplicate of this bug. ***
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 23:15:56 UTC
*** Bug 771177 has been marked as a duplicate of this bug. ***
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 00:54:41 UTC
amd64 done

all arches done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 01:05:18 UTC
Please cleanup, thanks!
Comment 9 Hank Leininger 2021-02-18 01:44:45 UTC
(In reply to Sam James from comment #8)
> Please cleanup, thanks!

Done in https://github.com/gentoo/gentoo/pull/19512 , but the Bug: addition isn't being picked up despite [please reassign], for some reason.
Comment 10 Hank Leininger 2021-02-20 19:46:32 UTC
Cleanup done.
Comment 11 Hank Leininger 2021-03-30 00:16:24 UTC
This security bug has been sitting open with no activity for a month even though the fix landed 1.5 months ago. What if anything is next to get it closed? Anything I can do to move it along?
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-30 00:46:20 UTC
(In reply to Hank Leininger from comment #11)
> This security bug has been sitting open with no activity for a month even
> though the fix landed 1.5 months ago. What if anything is next to get it
> closed? Anything I can do to move it along?

We've got a bit of a backlog with GLSAs right now which is the only step to be done here internally. Nothing more for the maintainer to do though
Comment 13 Hank Leininger 2021-03-30 00:51:50 UTC
(In reply to Sam James from comment #12)
> (In reply to Hank Leininger from comment #11)
> > This security bug has been sitting open with no activity for a month even
> > though the fix landed 1.5 months ago. What if anything is next to get it
> > closed? Anything I can do to move it along?
> 
> We've got a bit of a backlog with GLSAs right now which is the only step to
> be done here internally. Nothing more for the maintainer to do though

OK, thanks! If I can help by drafting a GLSA, please let me know ;)
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 20:21:49 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:59:01 UTC
This issue was resolved and addressed in
 GLSA 202105-19 at https://security.gentoo.org/glsa/202105-19
by GLSA coordinator Thomas Deutschmann (whissi).