| Summary: | firejail new security issue fixed upstream in 0.9.68 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, fri, jani.valimaa, mageia, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | firejail-0.9.66-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser, 2022-02-06 17:31:01 CET

David Walser, 2022-02-06 17:31:11 CET
Whiteboard: (none) => MGA8TOO

Comment 1
New version pushed in mga9. For Mageia, what about updating to the new version too?
CC: (none) => mageia

Comment 2, David Walser
IIRC, there was a reason we didn't upgrade it before, some removed features or something.

Comment 3
Patch added in mga8:

src:
- firejail-0.9.64-1.2.mga8

CC: (none) => jani.valimaa

Comment 4, Morgan Leijström
Mageia 8

Test copied from Dave H in https://bugs.mageia.org/show_bug.cgi?id=27059#c4:

The main use of firejail is to limit which files on the local system can be accessed.

```
$ echo test>test
$ firefox ~/test &
```
shows the contents of the file file:///home/dave/test

After closing the tab and firefox ...

```
$ firejail firefox ~/test &
```
shows ... File not found

So far so good - BUT:
If I in Firefox tell it to enter /// it lists my root! And I can browse the file system.
I can also tell it to list ///home/morgan
Neither is in a whitelist line in /etc/firejail/firefox.profile

It was also the same before the update, so no regression from the previous version on my system, but still something is wrong, IMO.

According to Herman V in https://bugs.mageia.org/show_bug.cgi?id=27059#c3 that version blocked /// if I understand him correctly, and I remember one test I did myself long ago with that result. I am not sure whether home was blocked in the earlier version.
CC: (none) => fri

Comment 5
(In reply to David Walser from comment #2)
> IIRC, there was a reason we didn't upgrade it before, some removed features
> or something.

I remember for mga7 we kept it at .56 due to dropped support of snap, possibly more, but we advanced firejail to .64 (64.4 overlayfs fix) in mga8 Bug 28322 and I can't see something that seems important that got dropped since then. But more eyes should check. https://github.com/netblue30/firejail/releases

Comment 6
Ahh, that's probably what I was remembering.

Comment 7
(In reply to Morgan Leijström from comment #4)
> Mageia 8
> Test copied from Dave H in https://bugs.mageia.org/show_bug.cgi?id=27059#c4 :
>
> The main use of firejail is used to limit which files on the local system can
> be accessed.
>
> $ echo test>test
>
> $ firefox ~/test &
> shows the contents of the file file:///home/dave/test
> After closing the tab and firefox ...
>
> $ firejail firefox ~/test &
>
> shows ...
> File not found
>
>
> So far so good - BUT:
> If i in firefox tell it to enter /// it lists my root!
> And I can browse the file system

The parent directories must be accessible or the lower level directories would not be able to be accessed.

> I can also tell it to list ///home/morgan

However the list of files/directories in /home/morgan is restricted. See "grep HOME /etc/firejail/*|grep firefox"

> Neither is in a whitelist line in /etc/firejail/firefox.profile

The files in / are neither in a whitelist nor a blacklist, so apparently are allowed. That's an oversight in the default profile for firefox, imho.
CC: (none) => davidwhodgins

Comment 8
Validating the update.
Keywords: (none) => validated_update
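The discussion in comment 7 (why `/` is listable inside the sandbox while `/home/morgan` shows only a restricted set of entries) follows from how firejail applies `whitelist` lines: once any path under a top-level directory such as `/home` is whitelisted, that top-level directory is replaced by an empty tmpfs into which only the whitelisted paths, and the parent directories needed to reach them, are bind-mounted; a top-level directory with no whitelist line is left fully visible unless a `blacklist` line removes something. The following profile checker, added here as an example (it is neither firejail's code nor part of this bug report), models that rule against constructed profile snippets so that a profile can be audited offline. The profile contents, the `/home/morgan` home directory and the `classify` labels are assumptions for the demonstration; real profiles use many more directives, and `include` lines here resolve only against the embedded dict.

```python
"""Simplified firejail profile checker (added example, not firejail's own code).

Model (simplified from the firejail-profile man page):
  * blacklist <path>  removes the path; it wins over any whitelist.
  * whitelist <path>  makes its top-level directory an empty tmpfs and
    bind-mounts the whitelisted path back in; parent directories of the
    whitelisted path exist but are otherwise empty.
  * A top-level directory without any whitelist line is left untouched.
Only ${HOME} is expanded, and 'include' is resolved against PROFILES.
"""
import os
from typing import Dict, List, Set, Tuple

HOME = "/home/morgan"  # constructed home directory for the demonstration

# Constructed profiles, shaped like /etc/firejail/*.profile but not copied from it.
PROFILES: Dict[str, str] = {
    "firefox.profile": """
# constructed example profile
include firefox-common.profile
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
""",
    "firefox-common.profile": """
# constructed include file
blacklist /usr/sbin
""",
}


def expand(path: str) -> str:
    """Expand ${HOME} and normalise the path (no trailing slash, no '..')."""
    return os.path.normpath(path.replace("${HOME}", HOME))


def load_rules(name: str, seen: Set[str] = None) -> Tuple[List[str], List[str]]:
    """Return (whitelist, blacklist) for a profile, following include lines."""
    if seen is None:
        seen = set()
    if name in seen:  # guard against include loops
        return [], []
    seen.add(name)
    whitelist: List[str] = []
    blacklist: List[str] = []
    for raw in PROFILES.get(name, "").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, _, arg = line.partition(" ")
        arg = arg.strip()
        if keyword == "include":
            sub_wl, sub_bl = load_rules(arg, seen)
            whitelist += sub_wl
            blacklist += sub_bl
        elif keyword == "whitelist":
            whitelist.append(expand(arg))
        elif keyword == "blacklist":
            blacklist.append(expand(arg))
    return whitelist, blacklist


def top_dir(path: str) -> str:
    """'/home/morgan/x' -> '/home'; '/' -> '/'."""
    first = path.strip("/").split("/")[0]
    return "/" + first if first else "/"


def is_under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies inside it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def classify(path: str, profile: str) -> str:
    """Label what the sandboxed process would see at `path`.

    Labels (assumed names): 'blacklisted', 'whitelisted', 'parent-only'
    (an ancestor of a whitelisted path: present, but with no other content),
    'hidden' (inside a whitelisted top-level dir but not whitelisted itself),
    'unrestricted' (no whitelist touches this top-level dir).
    """
    path = expand(path)
    whitelist, blacklist = load_rules(profile)
    if any(is_under(path, b) for b in blacklist):
        return "blacklisted"
    if path == "/":  # the root directory itself is always listable
        return "unrestricted"
    top = top_dir(path)
    in_top = [w for w in whitelist if top_dir(w) == top]
    if not in_top:
        return "unrestricted"
    if any(is_under(path, w) for w in in_top):
        return "whitelisted"
    if any(is_under(w, path) for w in in_top):
        return "parent-only"
    return "hidden"


def report(profile: str, paths: List[str]) -> List[Tuple[str, str]]:
    """Classify every path in `paths` under `profile`."""
    return [(expand(p), classify(p, profile)) for p in paths]


if __name__ == "__main__":
    samples = ["/", "/home", "/home/morgan", "/home/morgan/secret.txt",
               "/home/dave/test", "${HOME}/Downloads/paper.pdf",
               "/usr/sbin/useradd", "/etc/passwd"]
    for p, label in report("firefox.profile", samples):
        print(f"{label:13s} {p}")
```

Run as-is it reproduces the observations from the thread against the constructed profile: `/` and `/etc/passwd` come out `unrestricted` (no whitelist or blacklist line mentions them), `/home/morgan` is `parent-only`, `/home/dave/test` and `/home/morgan/secret.txt` are `hidden`, and only the whitelisted paths under the home directory are `whitelisted`. To audit a real profile, replace the `PROFILES` dict with the file contents from `/etc/firejail/` and add expansion for the other variables firejail supports.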
Dave Hodgins, 2022-02-09 20:57:35 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0055.html

Resolution: (none) => FIXED