| Summary: | firejail new security issues CVE-2020-17367, CVE-2020-17368 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, jani.valimaa, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | firejail-0.9.62-2.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-08-07 19:07:14 CEST
David Walser
2020-08-07 19:07:21 CEST
Whiteboard:
(none) =>
MGA7TOO

This belongs unambiguously to wally, so assigning it to you.

Assignee:
bugsquad =>
jani.valimaa

Patched packages uploaded by Jani for Mageia 7 and Cauldron.
Advisory:
========================
Updated firejail package fixes security vulnerabilities:
It was reported that firejail does not respect the end-of-options separator
("--"), allowing an attacker with control over the command line options of the
sandboxed application, to write data to a specified file (CVE-2020-17367).
It was reported that firejail when redirecting output via --output or
--output-stderr, concatenates all command line arguments into a single string
that is passed to a shell. An attacker who has control over the command line
arguments of the sandboxed application could take advantage of this flaw to run
arbitrary commands (CVE-2020-17368).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17367
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17368
https://www.debian.org/security/2020/dsa-4742
========================
Updated packages in core/updates_testing:
========================
firejail-0.9.56-2.2.mga7
from firejail-0.9.56-2.2.mga7.src.rpm

Assignee:
jani.valimaa =>
qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26013 for testing (and the tutorial it refers to).
Closed firefox and at CLI:
$ firejail firefox -no-remote
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 21974, child pid 21975
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 116.63 ms
(firefox:7): libnotify-WARNING **: 11:22:36.823: Failed to connect to proxy
The resulting firefox shows up - in contradiction with bug 26013 - with its home page displayed completely. In fact, this editing is done in this session.
What is consistent with the tutorial are the limitations when pointing the browser to ///, so this proves that the firefox session is running in firejail.
Not sure what to do with this ?????

CC:
(none) =>
herman.viaene

The main use of firejail is to limit which files on the local system can
be accessed.
$ echo test>test
$ firefox ~/test &
shows the contents of the file file:///home/dave/test
After closing the tab and firefox ...
$ firejail firefox ~/test &
shows ...
File not found
Firefox can't find the file at /home/dave/test.
Check the file name for capitalisation or other typing errors.
Check to see if the file was moved, renamed or deleted.
with a "Try Again" button, showing that firefox was denied access to that
file since ~/* is not in the whitelist in /etc/firejail/firefox.profile

CC:
(none) =>
davidwhodgins

Just an FYI Jani, firejail 0.9.62.2 has been released with these fixes:
https://github.com/netblue30/firejail/releases/tag/0.9.62.2
David Walser
2020-08-16 16:06:55 CEST
Keywords:
(none) =>
validated_update
Dave Hodgins
2020-08-18 18:31:56 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0328.html

Status:
NEW =>
RESOLVED |
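
The two flaw classes named in the advisory above (CVE-2020-17367, options parsed past "--"; CVE-2020-17368, arguments concatenated into one shell string) can be illustrated with a small launcher-side sketch. This is an added example, not firejail's code or its actual fix; the function names, the "launcher" program and the /tmp paths are hypothetical and the sample command line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Launcher option parsing that honours "--" (the CVE-2020-17367 class).
 * Returns the index of the first program argument, or -1 on an unknown
 * option. Anything after "--" is program data, never a launcher option. */
int parse_launcher_opts(int argc, char **argv, const char **output_file) {
    *output_file = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0)
            return i + 1;                     /* stop option parsing here */
        if (argv[i][0] != '-')
            return i;                         /* program name reached */
        if (strncmp(argv[i], "--output=", 9) == 0)
            *output_file = argv[i] + 9;
        else
            return -1;                        /* unknown launcher option */
    }
    return argc;
}

/* If a shell string cannot be avoided (the CVE-2020-17368 class), quote each
 * argument so the shell sees exactly one word: wrap in '...' and rewrite an
 * embedded ' as '\''. Returns bytes written, or -1 if out is too small.
 * Passing argv straight to execvp() avoids the shell entirely. */
int shell_quote(const char *arg, char *out, size_t len) {
    size_t o = 0;
    if (len < 3) return -1;
    out[o++] = '\'';
    for (; *arg; arg++) {
        size_t need = (*arg == '\'') ? 4 : 1;
        if (o + need + 2 > len) return -1;    /* room for closing ' and NUL */
        if (*arg == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *arg;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    /* Constructed command line: the second --output= follows "--". */
    char *argv[] = {"launcher", "--output=/tmp/log", "--", "prog", "--output=/tmp/other", NULL};
    const char *outf; char q[64];
    int first = parse_launcher_opts(5, argv, &outf);
    shell_quote("a b; c", q, sizeof q);
    printf("program=%s output=%s quoted=%s\n", argv[first], outf, q);
    return 0;
}
```

In the constructed command line the second `--output=` stays an argument of `prog`, and the launcher's own output file remains `/tmp/log`.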