Bug 28322

Summary: firejail new security issue fixed upstream in 0.9.64.4 (CVE-2021-26910)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, fri, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: firejail-0.9.64-1.mga8.src.rpm CVE: CVE-2021-26910
Status comment:

Description David Walser 2021-02-08 16:41:27 CET 
Upstream has issued an advisory today (February 8):
https://www.openwall.com/lists/oss-security/2021/02/08/5

The issue is fixed upstream in 0.9.64.4.

Mageia 7 is also affected.
David Walser 2021-02-08 16:41:41 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.9.64.4

Comment 1 David Walser 2021-02-09 15:30:24 CET 
CVE-2021-26910 has been assigned for this:
https://www.openwall.com/lists/oss-security/2021/02/09/1

Summary: firejail new security issue fixed upstream in 0.9.64.4 => firejail new security issue fixed upstream in 0.9.64.4 (CVE-2021-26910)

David Walser 2021-02-10 16:37:22 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 2 Jani Välimaa 2021-02-25 15:06:07 CET 
Pushed fixed versions to mga7, mga8 (and cauldron).

mga7 SRPM/RPM:
firejail-0.9.56-2.3.mga7

mga8 SRPM/RPM:
firejail-0.9.64-1.1.mga8

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: jani.valimaa => qa-bugs

Comment 3 Morgan Leijström 2021-02-26 00:10:26 CET 
Mga7-64 simple test OK:
Clean update
$ firejail falkon -> browsing OK

CC: (none) => fri

Comment 4 David Walser 2021-02-26 16:33:30 CET 
Debian has issued an advisory for this on February 9:
https://www.debian.org/security/2021/dsa-4849
Comment 5 David Walser 2021-03-03 01:53:03 CET 
Advisory:
========================

Updated firejail package fixes security vulnerability:

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail,
which could result in root privilege escalation. This update disables
OverlayFS support in firejail (CVE-2021-26910).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26910
https://www.debian.org/security/2021/dsa-4849
Comment 6 Thomas Andrews 2021-03-07 23:27:59 CET 
Updated on each release on the same hardware, both 64-bit Plasma installs. No installation issues.

Referred to https://bugs.mageia.org/show_bug.cgi?id=27059#c4 for a testing procedure, performed on both releases:

$ echo "My name is TJ" > TJ

$ firefox ~/TJ &

The contents of the file TJ were shown in Firefox.

$ firejail firefox ~/TJ &

Created a "file not found" page in Firefox, indicating that access to the file TJ had been denied.

On the MGA8 release, the commands to run Firefox all produced some warning messages about a Gtk "windows decorations" .conf file not being found before eventually opening the Firefox window, where there were no such messages on MGA7. The warnings also appeared if the command was simply "firefox" which leads me to believe that if an issue, it is not related to this bug.

Giving this an OK on each release, and validating. Advisory in Comment 5.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Aurelien Oudelet 2021-03-11 23:16:36 CET 
Advisory committed to svn.

Keywords: (none) => advisory
Status comment: Fixed upstream in 0.9.64.4 => (none)
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-26910

Comment 8 Mageia Robot 2021-03-12 02:27:26 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0120.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED