Bug 26013 - firejail new security issues CVE-2019-12499 and CVE-2019-12589
Summary: firejail new security issues CVE-2019-12499 and CVE-2019-12589
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-04 18:28 CET by Morgan Leijström
Modified: 2020-03-06 17:15 CET (History)
5 users (show)

See Also:
Source RPM: firejail-0.9.56-2.mga7.src.rpm, firetools-0.9.52-3.mga7.src.rpm
CVE:
Status comment:


Attachments

Description Morgan Leijström 2020-01-04 18:28:51 CET
...and some more protection details, profiles, GUI improvement.


Version-Release number:
Our old version: 0.9.56 from sep 2018
Current released dec 2019: 0.9.62 ( both firejail & firetools )

https://firejail.wordpress.com/download-2/release-notes/
https://firejailtools.wordpress.com/release-notes/


One stated regression, noted in the release notes: from ver 0.9.60 may 2019 it drop support for flatpak/snap packages.
But as this is a security related package, and upstream have chosen it, i guess it is best to have this tool updated.

Note! two version interdependant (I suppose) packages: firejail & firetools
Comment 1 Lewis Smith 2020-01-04 21:45:41 CET
Thanks for the notice.
> two version interdependant (I suppose) packages: firejail & firetools
In fact our current pkgs are *not* at the same release. Perhaps it does not matter.

Does the regression noted (drop support for flatpak/snap packages) matter for our packages?

Assigning to wally as the registered & active maintainer for both these SRPMs.

Assignee: bugsquad => jani.valimaa
Source RPM: firejail-0.9.56-2.mga7.src.rpm => firejail-0.9.56-2.mga7.src.rpm, firetools-0.9.52-3.mga7.src.rpm

Comment 2 Morgan Leijström 2020-01-04 22:12:15 CET
Regarding flatpak and snap, we do not package any software in either format AFAIK, but we provide flatpak environment rpm to run flatpak programs our users retrieve from some other place. 

If a user today use firejail to run flatpak programs, user can not with the new version.  User then have to run the flatpak program without firejail protection, or get it in Appimage format if available - which firejail now have improved support for. (currently the version we have fail on one Appimage i want to use)

( We should update flatpak for security reasons as well as for applications compatibility - Bug 25544 )
Comment 3 David Walser 2020-01-05 05:18:33 CET
It sounds like this proposed update would probably violate our updates policy.
Comment 4 Morgan Leijström 2020-01-05 15:56:12 CET
For security it is good to update.
For compatibility with most binaries and appimage it is good.
Only for flatpak it is not good. 

Is it possible to update in cauldron and 7 backport?
Comment 5 David Walser 2020-02-27 23:16:14 CET
Fedora has issued an advisory for this today (February 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGVULJ6IKVDO6UAVIQRHQVSKOUD6QDWM/

They updated to 0.9.62 (the security issues are fixed in 0.9.60).

Hopefully we can just backport the security fixes.

Summary: Firejail and Firetools have bugfixes incl one low pri security... => firejail new security issues CVE-2019-12499 and CVE-2019-12589
Status comment: (none) => Fixed upstream in 0.9.60
Severity: normal => major

David Walser 2020-02-27 23:16:52 CET

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 6 Morgan Leijström 2020-02-28 12:20:00 CET
https://bugs.mageia.org/show_bug.cgi?id=25544#c6 :
(In reply to Neal Gompa from comment #6)
> You're not supposed to use firejail with flatpak...
> 
> Anyway, I'm working on the rebase for Cauldron and figuring out what to do
> for Mageia 7.

As we do not have snap, and firejail is not to be used with flatpack, i can not see why we should not update to 0.62?
Comment 7 David Walser 2020-02-28 12:24:42 CET
Because we don't update packages to newer versions in stable Mageia just because "newer version" when they break things.  Cauldron has it up to date, and for Mageia we have the security fixes backported (thanks to Jani), following our policies.
Comment 8 David Walser 2020-02-28 12:27:48 CET
Advisory:
========================

Updated firejail package fixes security vulnerabilities:

Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail
binary on the host by running exploit code inside a firejail sandbox and having
the sandbox terminated. To succeed, certain conditions need to be fulfilled:
The jail (with the exploit code inside) needs to be started as root, and it
also needs to be terminated as root from the host (either by stopping it
ungracefully (e.g., SIGKILL), or by using the --shutdown control command)
(CVE-2019-12499).

In Firejail before 0.9.60, seccomp filters are writable inside the jail,
leading to a lack of intended seccomp restrictions for a process that is joined
to the jail after a filter has been modified by an attacker (CVE-2019-12589).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12589
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RGVULJ6IKVDO6UAVIQRHQVSKOUD6QDWM/
========================

Updated packages in core/updates_testing:
========================
firejail-0.9.56-2.1.mga7

from firejail-0.9.56-2.1.mga7.src.rpm

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Status comment: Fixed upstream in 0.9.60 => (none)

Comment 9 Morgan Leijström 2020-02-28 12:32:43 CET
OK thanks.

I think advisory text should state the security fixes from 0.60 are backported to our 0.9.56-2.1
Comment 10 David Walser 2020-02-28 12:35:00 CET
Um, as with any other advisory, that's obviously implied.
Comment 11 Morgan Leijström 2020-02-28 12:38:23 CET
OK sorry for being bureaucratic :)
Comment 12 Herman Viaene 2020-02-29 10:58:35 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Googled for info and  found https://firejail.wordpress.com/documentation-2/firefox-guide/
Closed firefox, and at CLI:
$ firejail firefox -no-remote
Firefox comes up empty as its home pages are Google and http://madb.mageia.org/tools/updates
Pointed browser to /// and found that access to the system are restricted as described in the tutorial
OK for me

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 13 Thomas Andrews 2020-03-01 14:34:48 CET
Validating. Advisory in Comment 8.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-03-06 15:04:44 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 14 Mageia Robot 2020-03-06 17:15:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0115.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.