Source: firejail
Version: 0.9.58.2-1
Severity: important
Tags: security upstream pending fixed-upstream
Forwarded: https://github.com/netblue30/firejail/issues/2401
X-Debbugs-CC: t...@security.debian.org
Firejail is affected by an issue similar to CVE-2019-5736. Under certain
conditions the firejail binary outside the jail can be truncated [0]:

> * The sandbox must be running exploit code.
> * The sandbox must be running as root.
> * The sandbox parent is killed instantly by an unhandled signal, i.e.
>   something different from SIGTERM (kill <pid>) or SIGINT (ctrl+c). This cannot
>   be done from inside the sandbox (because of the pid namespace), and also it
>   cannot be done from the outside without root privileges. As only root
>   him/herself is able to kill the sandbox in this way, this kind of attack is
>   not relevant with regards to Firejail's SUID property.

It can also be exploited with firejail's --shutdown command:

> And that was wrong, --shutdown also had this problem (now fixed in shutdown.c)

I set severity to important, as it requires root privileges inside and
outside the jail to exploit it.

It is fixed in [1] (and amended in [2]), and in the new upstream release
0.9.60. The earliest affected version is currently unknown.

I will upload the fix to unstable soon, together with #929732.

[0] https://github.com/netblue30/firejail/issues/2401
[1] https://github.com/netblue30/firejail/commit/fcba07c
[2] https://github.com/netblue30/firejail/commit/faa1ec7
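The practical follow-up to a report like this one is to confirm that the firejail binary on the host has not been truncated or altered, and that the installed version already carries the upstream fix. The script below is an added example; it is not part of the bug report and not code from firejail upstream or from the Debian package. It assumes the checksum list has the layout dpkg writes to /var/lib/dpkg/info/firejail.md5sums (an MD5 followed by a root-relative path per line), and that a Debian version string is of the form upstream-revision, so 0.9.58.2-1 is compared as 0.9.58.2. The version threshold 0.9.60 is the fixed upstream release named in the report.

```shell
#!/bin/sh
# Added example (not from the bug report, Debian or firejail upstream):
# 1. verify every file dpkg recorded for the package is present, non-empty
#    and matches its recorded MD5 (a truncated /usr/bin/firejail fails both);
# 2. flag an installed version older than the fixed upstream release 0.9.60.

# check_binary <md5sums-file> [<root-dir>]
# Reads lines of the form "<md5>  <relative path>" (assumed dpkg md5sums
# layout) and checks each file below <root-dir> (default /).
# Returns 0 when everything matches, 1 when any file is missing, empty or
# has a different checksum; offending files are reported on stderr.
check_binary() {
    md5file=$1
    root=${2:-/}
    status=0
    while read -r sum path; do
        [ -n "$path" ] || continue          # skip blank lines
        f="$root/$path"
        if [ ! -s "$f" ]; then
            echo "TRUNCATED or missing: $f" >&2
            status=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED: $f (expected $sum, got $actual)" >&2
            status=1
        fi
    done < "$md5file"
    return $status
}

# version_is_fixed <debian-version-string>
# Returns 0 when the upstream part of the version is >= 0.9.60, the first
# upstream release containing the fix; 1 otherwise. Uses sort -V so it does
# not depend on dpkg being installed.
version_is_fixed() {
    v=${1%%-*}                              # 0.9.58.2-1 -> 0.9.58.2
    lowest=$(printf '%s\n%s\n' "$v" "0.9.60" | sort -V | head -n1)
    [ "$lowest" = "0.9.60" ]
}

# Typical use on a Debian host (paths assumed, adjust as needed):
#   check_binary /var/lib/dpkg/info/firejail.md5sums /
#   version_is_fixed "$(dpkg-query -W -f='${Version}' firejail)"
```

A zero-length binary is the symptom the report describes, so the non-empty test catches it even before the checksum is computed; the checksum comparison additionally catches a partially truncated or rewritten file. Because the attack needs root both inside and outside the jail, this check is a post-incident integrity verification rather than a preventive control; upgrading to 0.9.60 or later is the fix.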