Bug 30528

Summary: firejail new security issue CVE-2022-31214
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, fri, herman.viaene, jani.valimaa, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: firejail-0.9.68-2.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-06-08 18:30:59 CEST 
A security issue fixed upstream in firejail has been announced today (June 8):
https://www.openwall.com/lists/oss-security/2022/06/08/10

The upstream commit that fixed the issue is linked from the message above.

Mageia 8 is also affected.
David Walser 2022-06-08 18:31:14 CEST

Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-06-09 22:37:19 CEST 
Note the subsequent fix commits too:
https://www.openwall.com/lists/oss-security/2022/06/09/2

Status comment: Patch available from upstream => Patches available from upstream

Comment 3 David Walser 2022-06-20 19:29:54 CEST 
openSUSE has issued an advisory for this today (June 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BANQSQMV546D7IN75266REGOZOIGQEUH/
Comment 4 David Walser 2022-06-23 16:20:39 CEST 
Debian has issued an advisory for this on June 22:
https://www.debian.org/security/2022/dsa-5167
Comment 5 David Walser 2022-09-14 23:10:59 CEST 
Fedora has issued an advisory for this today (September 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SIBEBE3KFINMGJATBQQS7D2VQQ62ZVMF/

Severity: normal => critical

Comment 6 Morgan Leijström 2022-09-17 16:10:58 CEST 
mga8-64, updated from 0.9.64 to 0.9.70 in testing. 

I never learned to use this tool adequately.

But I note that it works like before in simple tests.
Someone more used to it should test before OKing.

Related:
 Bug 30858 - firetools update, have a couple wrinkles

CC: (none) => fri

Comment 7 Jani Välimaa 2022-09-17 22:09:10 CEST 
Fixed in cauldron with firejail-0.9.70-1.mag9.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 8 Jani Välimaa 2022-09-17 22:09:37 CEST 
Because of bug 30858 comment 2 I had to push a new release to mga8 core/updates_testing. Please test firejail-0.9.70-1.1.mga8.

SRPM/RPMS:
firejail-0.9.70-1.1.mga8

Assignee: jani.valimaa => qa-bugs

David Walser 2022-09-17 22:11:59 CEST

Status comment: Patches available from upstream => (none)

David Walser 2022-09-17 22:12:28 CEST

CC: (none) => jani.valimaa

Comment 9 Herman Viaene 2022-09-26 11:25:32 CEST 
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
$ firejail thunderbird
I could send a mail from it to read on my desktop PC, that works OK
In a second tab on Konsole:
$ firejail --list
Warning: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
9331:tester8::firejail thunderbird 
Seems OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 10 Thomas Andrews 2022-09-26 14:13:09 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-01 16:24:42 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 11 Mageia Robot 2022-10-01 19:49:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0348.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED