850748 – (CVE-2022-31214) <sys-apps/firejail-0.9.70: local privilege escalation via --join

Bug 850748 (CVE-2022-31214) - <sys-apps/firejail-0.9.70: local privilege escalation via --join

Summary: <sys-apps/firejail-0.9.70: local privilege escalation via --join

Status:	IN_PROGRESS

Alias:	CVE-2022-31214

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	B1 [glsa? cleanup]
Keywords:	PullRequest

Depends on:	858158
Blocks:
	Show dependency tree

Reported:	2022-06-09 14:24 UTC by John Helmert III
Modified:	2022-07-15 12:10 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/25840
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-06-09 14:24:10 UTC

Very detailed exploit and writeup at URL. There's a
patch available:

https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50

Workarounds exist:

Workarounds / Mitigations
=========================

System administrators can mitigate this vulnerability via the Firejail
configuration file in /etc/firejail/firejail.config. Either one of these
options will prevent the attack from succeeding:

- "force-nonewprivs yes"
- "join no"

Comment 1 John Helmert III archtester

2022-06-09 16:05:09 UTC

0.9.70 has the fix.

Comment 2 Larry the Git Cow gentoo-dev

2022-06-15 05:47:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc196a524bd19f0f9e5960c0fb4744347f0fd3af

commit cc196a524bd19f0f9e5960c0fb4744347f0fd3af
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2022-06-09 22:01:22 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-06-15 05:47:49 +0000

    sys-apps/firejail: bump to 0.9.70 for security fixes; cleanup
    
    Fix for CVE-2022-31214. Drop old version & un-tended-to live ebuild.
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/850748
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Closes: https://github.com/gentoo/gentoo/pull/25840
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest                         |  1 +
 .../firejail/files/firejail-0.9.70-envlimits.patch | 12 +++
 .../files/firejail-0.9.70-firecfg.config.patch     | 82 ++++++++++++++++++
 ...rejail-0.9.68.ebuild => firejail-0.9.70.ebuild} |  6 +-
 sys-apps/firejail/firejail-9999.ebuild             | 99 ----------------------
 sys-apps/firejail/metadata.xml                     |  1 -
 6 files changed, 98 insertions(+), 103 deletions(-)

Comment 3 John Helmert III archtester

2022-06-15 14:50:56 UTC

Thanks! Please stabilize when ready.

Comment 4 Sam James archtester

2022-07-15 10:44:43 UTC

Please cleanup, thanks!

Comment 5 Larry the Git Cow gentoo-dev

2022-07-15 12:10:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4841bfc1121b88d8603a594046429ca4eaa6978

commit c4841bfc1121b88d8603a594046429ca4eaa6978
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-07-15 12:10:04 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-07-15 12:10:30 +0000

    sys-apps/firejail: drop 0.9.68-r1
    
    Bug: https://bugs.gentoo.org/850748
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest                         |   1 -
 .../firejail/files/firejail-0.9.68-envlimits.patch |  12 ---
 .../files/firejail-0.9.68-firecfg.config.patch     |  81 --------------
 sys-apps/firejail/firejail-0.9.68-r1.ebuild        | 118 ---------------------
 4 files changed, 212 deletions(-)