Bug 28322 - firejail new security issue fixed upstream in 0.9.64.4 (CVE-2021-26910)
Summary: firejail new security issue fixed upstream in 0.9.64.4 (CVE-2021-26910)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-08 16:41 CET by David Walser
Modified: 2021-03-12 02:27 CET (History)
CC List: 4 users

See Also:
Source RPM: firejail-0.9.64-1.mga8.src.rpm
CVE: CVE-2021-26910
Status comment:


Attachments

Description David Walser 2021-02-08 16:41:27 CET
Upstream has issued an advisory today (February 8):
https://www.openwall.com/lists/oss-security/2021/02/08/5

The issue is fixed upstream in 0.9.64.4.

Mageia 7 is also affected.

David Walser 2021-02-08 16:41:41 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.9.64.4

Comment 1 David Walser 2021-02-09 15:30:24 CET
CVE-2021-26910 has been assigned for this:
https://www.openwall.com/lists/oss-security/2021/02/09/1

Summary: firejail new security issue fixed upstream in 0.9.64.4 => firejail new security issue fixed upstream in 0.9.64.4 (CVE-2021-26910)

David Walser 2021-02-10 16:37:22 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 2 Jani Välimaa 2021-02-25 15:06:07 CET
Pushed fixed versions to mga7, mga8 (and cauldron).

mga7 SRPM/RPM:
firejail-0.9.56-2.3.mga7

mga8 SRPM/RPM:
firejail-0.9.64-1.1.mga8

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: jani.valimaa => qa-bugs

Comment 3 Morgan Leijström 2021-02-26 00:10:26 CET
Mga7-64 simple test OK:
Clean update
$ firejail falkon -> browsing OK

CC: (none) => fri

Comment 4 David Walser 2021-02-26 16:33:30 CET
Debian has issued an advisory for this on February 9:
https://www.debian.org/security/2021/dsa-4849

Comment 5 David Walser 2021-03-03 01:53:03 CET
Advisory:
========================

Updated firejail package fixes security vulnerability:

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail,
which could result in root privilege escalation. This update disables
OverlayFS support in firejail (CVE-2021-26910).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26910
https://www.debian.org/security/2021/dsa-4849

Comment 6 Thomas Andrews 2021-03-07 23:27:59 CET
Updated on each release on the same hardware, both 64-bit Plasma installs. No installation issues.

Referred to https://bugs.mageia.org/show_bug.cgi?id=27059#c4 for a testing procedure, performed on both releases:

$ echo "My name is TJ" > TJ

$ firefox ~/TJ &

The contents of the file TJ were shown in Firefox.

$ firejail firefox ~/TJ &

Created a "file not found" page in Firefox, indicating that access to the file TJ had been denied.

On the MGA8 release, the commands to run Firefox all produced some warning messages about a Gtk "windows decorations" .conf file not being found before eventually opening the Firefox window, where there were no such messages on MGA7. The warnings also appeared if the command was simply "firefox" which leads me to believe that if an issue, it is not related to this bug.

Giving this an OK on each release, and validating. Advisory in Comment 5.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

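A way to check the two facts this bug turns on without a GUI browser, as an added example that is not part of this bug report or of the firejail project: it parses the "Compile time support" block of `firejail --version` (the format is an assumption; the constructed sample mirrors the upstream source of the 0.9.6x series, so verify it against your own build) to confirm that overlay support is disabled as the advisory in Comment 5 states, and it repeats the file-visibility test from Comment 6 with `firejail --private` around `cat` instead of Firefox. `--private` gives the sandbox an empty temporary home, so a marker file in the real home directory must be unreadable from inside. The function names, the marker file name and the sample output are all constructed for this example.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Constructed sample of `firejail --version` output. The "Compile time support"
# block is an assumption about the output format (it matches the upstream
# source of the 0.9.6x series); check it against your own build.
SAMPLE_VERSION_OUTPUT = """firejail version 0.9.64
Compile time support:
\t- always force private-bin enabled
\t- AppArmor support is disabled
\t- overlay support is disabled
\t- seccomp-bpf support is enabled
"""

OVERLAY_RE = re.compile(r"overlay support is (enabled|disabled)")


def overlay_support(version_output: str):
    """Interpret `firejail --version` output.

    Returns True if overlay support is compiled in, False if it is disabled
    (the state the MGASA advisory describes), and None if the build does not
    report the feature at all.
    """
    match = OVERLAY_RE.search(version_output)
    if match is None:
        return None
    return match.group(1) == "enabled"


def overlay_support_of_installed_binary(firejail="firejail"):
    """Run the real binary, or return None when firejail is not installed."""
    exe = shutil.which(firejail)
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    return overlay_support(out.stdout)


def file_visible_in_sandbox(path: Path, firejail="firejail"):
    """Non-interactive version of the Comment 6 check.

    `firejail --private` mounts an empty tmpfs over the home directory, so a
    file that lives in the real home must not be readable from inside.
    Returns True if the sandboxed `cat` could read it, False if it could not,
    and None if firejail is absent.
    """
    exe = shutil.which(firejail)
    if exe is None:
        return None
    proc = subprocess.run(
        [exe, "--quiet", "--private", "cat", str(path)],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and path.read_text() in proc.stdout


if __name__ == "__main__":
    support = overlay_support_of_installed_binary()
    if support is None:
        print("firejail not installed; parsing the constructed sample only")
        print("sample reports overlay support:", overlay_support(SAMPLE_VERSION_OUTPUT))
    else:
        print("installed firejail has overlay support:", support)
        marker = Path.home() / "TJ"          # same marker file as in Comment 6
        marker.write_text("My name is TJ\n")
        try:
            print("marker file visible inside sandbox:", file_visible_in_sandbox(marker))
        finally:
            marker.unlink()
```

On a box with the updated package, `overlay_support_of_installed_binary()` should return False and `file_visible_in_sandbox()` should return False; a True from the first means the build still ships the OverlayFS code the advisory says is disabled.
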
Comment 7 Aurelien Oudelet 2021-03-11 23:16:36 CET
Advisory committed to svn.

Keywords: (none) => advisory
Status comment: Fixed upstream in 0.9.64.4 => (none)
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-26910

Comment 8 Mageia Robot 2021-03-12 02:27:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0120.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

