Upstream has issued an advisory today (February 8): https://www.openwall.com/lists/oss-security/2021/02/08/5 The issue is fixed upstream in 0.9.64.4. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOStatus comment: (none) => Fixed upstream in 0.9.64.4
CVE-2021-26910 has been assigned for this: https://www.openwall.com/lists/oss-security/2021/02/09/1
Summary: firejail new security issue fixed upstream in 0.9.64.4 => firejail new security issue fixed upstream in 0.9.64.4 (CVE-2021-26910)
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Pushed fixed versions to mga7, mga8 (and cauldron). mga7 SRPM/RPM: firejail-0.9.56-2.3.mga7 mga8 SRPM/RPM: firejail-0.9.64-1.1.mga8
Version: Cauldron => 8Whiteboard: MGA8TOO, MGA7TOO => MGA7TOOAssignee: jani.valimaa => qa-bugs
Mga7-64 simple test OK: Clean update $ firejail falkon -> browsing OK
CC: (none) => fri
Debian has issued an advisory for this on February 9: https://www.debian.org/security/2021/dsa-4849
Advisory: ======================== Updated firejail package fixes security vulnerability: Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, which could result in root privilege escalation. This update disables OverlayFS support in firejail (CVE-2021-26910). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26910 https://www.debian.org/security/2021/dsa-4849
Updated on each release on the same hardware, both 64-bit Plasma installs. No installation issues. Referred to https://bugs.mageia.org/show_bug.cgi?id=27059#c4 for a testing procedure, performed on both releases: $ echo "My name is TJ" > TJ $ firefox ~/TJ & The contents of the file TJ were shown in Firefox. $ firejail firefox ~/TJ & Created a "file not found" page in Firefox, indicating that access to the file TJ had been denied. On the MGA8 release, the commands to run Firefox all produced some warning messages about a Gtk "windows decorations" .conf file not being found before eventually opening the Firefox window, where there were no such messages on MGA7. The warnings also appeared if the command was simply "firefox" which leads me to believe that if an issue, it is not related to this bug. Giving this an OK on each release, and validating. Advisory in Comment 5.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OKCC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Advisory committed to svn.
Keywords: (none) => advisoryStatus comment: Fixed upstream in 0.9.64.4 => (none)CC: (none) => ouaurelienCVE: (none) => CVE-2021-26910
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0120.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED