Upstream has issued an advisory today (February 8):
The issue is fixed upstream in 0.9.64.4.
Mageia 7 is also affected.
Fixed upstream in 0.9.64.4
CVE-2021-26910 has been assigned for this:
firejail new security issue fixed upstream in 0.9.64.4 =>
firejail new security issue fixed upstream in 0.9.64.4 (CVE-2021-26910)
Pushed fixed versions to mga7, mga8 (and cauldron).
MGA8TOO, MGA7TOO =>
Mga7-64 simple test OK:
$ firejail falkon -> browsing OK
Debian has issued an advisory for this on February 9:
Updated firejail package fixes security vulnerability:
Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail,
which could result in root privilege escalation. This update disables
OverlayFS support in firejail (CVE-2021-26910).
Updated on each release on the same hardware, both 64-bit Plasma installs. No installation issues.
Referred to https://bugs.mageia.org/show_bug.cgi?id=27059#c4 for a testing procedure, performed on both releases:
$ echo "My name is TJ" > TJ
$ firefox ~/TJ &
The contents of the file TJ were shown in Firefox.
$ firejail firefox ~/TJ &
Created a "file not found" page in Firefox, indicating that access to the file TJ had been denied.
On the MGA8 release, the commands to run Firefox all produced some warning messages about a Gtk "windows decorations" .conf file not being found before eventually opening the Firefox window, where there were no such messages on MGA7. The warnings also appeared if the command was simply "firefox" which leads me to believe that if an issue, it is not related to this bug.
Giving this an OK on each release, and validating. Advisory in Comment 5.
MGA7TOO MGA7-64-OK MGA8-64-OKCC:
Advisory committed to svn.
Fixed upstream in 0.9.64.4 =>
An update for this issue has been pushed to the Mageia Updates repository.