Bug 28322 - firejail new security issue fixed upstream in (CVE-2021-26910)
Summary: firejail new security issue fixed upstream in (CVE-2021-26910)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2021-02-08 16:41 CET by David Walser
Modified: 2021-03-12 02:27 CET (History)
4 users (show)

See Also:
Source RPM: firejail-0.9.64-1.mga8.src.rpm
CVE: CVE-2021-26910
Status comment:


Description David Walser 2021-02-08 16:41:27 CET
Upstream has issued an advisory today (February 8):

The issue is fixed upstream in

Mageia 7 is also affected.
David Walser 2021-02-08 16:41:41 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in

Comment 1 David Walser 2021-02-09 15:30:24 CET
CVE-2021-26910 has been assigned for this:

Summary: firejail new security issue fixed upstream in => firejail new security issue fixed upstream in (CVE-2021-26910)

David Walser 2021-02-10 16:37:22 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 2 Jani Välimaa 2021-02-25 15:06:07 CET
Pushed fixed versions to mga7, mga8 (and cauldron).

mga7 SRPM/RPM:

mga8 SRPM/RPM:

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: jani.valimaa => qa-bugs

Comment 3 Morgan Leijström 2021-02-26 00:10:26 CET
Mga7-64 simple test OK:
Clean update
$ firejail falkon -> browsing OK

CC: (none) => fri

Comment 4 David Walser 2021-02-26 16:33:30 CET
Debian has issued an advisory for this on February 9:
Comment 5 David Walser 2021-03-03 01:53:03 CET

Updated firejail package fixes security vulnerability:

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail,
which could result in root privilege escalation. This update disables
OverlayFS support in firejail (CVE-2021-26910).

Comment 6 Thomas Andrews 2021-03-07 23:27:59 CET
Updated on each release on the same hardware, both 64-bit Plasma installs. No installation issues.

Referred to https://bugs.mageia.org/show_bug.cgi?id=27059#c4 for a testing procedure, performed on both releases:

$ echo "My name is TJ" > TJ

$ firefox ~/TJ &

The contents of the file TJ were shown in Firefox.

$ firejail firefox ~/TJ &

Created a "file not found" page in Firefox, indicating that access to the file TJ had been denied.

On the MGA8 release, the commands to run Firefox all produced some warning messages about a Gtk "windows decorations" .conf file not being found before eventually opening the Firefox window, where there were no such messages on MGA7. The warnings also appeared if the command was simply "firefox" which leads me to believe that if an issue, it is not related to this bug.

Giving this an OK on each release, and validating. Advisory in Comment 5.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Aurelien Oudelet 2021-03-11 23:16:36 CET
Advisory committed to svn.

Keywords: (none) => advisory
Status comment: Fixed upstream in => (none)
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-26910

Comment 8 Mageia Robot 2021-03-12 02:27:26 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.