Debian has issued an advisory on August 6: https://www.debian.org/security/2020/dsa-4742 The Debian Security Tracker is down at the moment, so I don't have much info on these, but Ubuntu has links to upstream commits to fix the issues: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-17367.html https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-17368.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
This belongs unambiguously to wally, so assigning it to you.
Assignee: bugsquad => jani.valimaa
Patched packages uploaded by Jani for Mageia 7 and Cauldron. Advisory: ======================== Updated firejail package fixes security vulnerabilities: It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to write data to a specified file (CVE-2020-17367). It was reported that firejail when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands (CVE-2020-17368). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17367 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17368 https://www.debian.org/security/2020/dsa-4742 ======================== Updated packages in core/updates_testing: ======================== firejail-0.9.56-2.2.mga7 from firejail-0.9.56-2.2.mga7.src.rpm
Assignee: jani.valimaa => qa-bugsVersion: Cauldron => 7CC: (none) => jani.valimaaWhiteboard: MGA7TOO => (none)
MGA7-64 Plasma on Lenovo B50 No installation issues. Ref bug 26013 for testing (and the tutorial it refers to). Closed fire fox and it CLI: $ firejail firefox -no-remote Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 21974, child pid 21975 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Post-exec seccomp protector enabled Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice, Child process initialized in 116.63 ms (firefox:7): libnotify-WARNING **: 11:22:36.823: Failed to connect to proxy The resulting firefox shows up - in contradiction with bug 26013 - with ots home page displayed completely. In fact, this editing is done in this session. What is consistent with the tutorial, are the limitations when pointing rhe browser to ///, so this proves that the firefox session is running in firejail. Not sure what to do with this ?????
CC: (none) => herman.viaene
The main use of firejail is used to limit which files on the local system can be accessed. $ echo test>test $ firefox ~/test & shows the contents of the file file:///home/dave/test After closing the tab and firefox ... $ firejail firefox ~/test & shows ... File not found Firefox can't find the file at /home/dave/test. Check the file name for capitalisation or other typing errors. Check to see if the file was moved, renamed or deleted. with a "Try Again" button, showing that firefox was denied access to that file since ~/* is not in the whitelist in /etc/firejail/firefox.profile
CC: (none) => davidwhodginsWhiteboard: (none) => MGA7-64-OK
Just an FYI Jani, firejail 0.9.62.2 has been released with these fixes: https://github.com/netblue30/firejail/releases/tag/0.9.62.2
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory and package list in Comment 2.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0328.html
Status: NEW => RESOLVEDResolution: (none) => FIXED