commit firejail for openSUSE:Factory

root Mon, 10 Aug 2020 05:58:51 -0700

Hello community,

here is the log from the commit of package firejail for openSUSE:Factory 
checked in at 2020-08-10 14:57:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/firejail (Old)
 and      /work/SRC/openSUSE:Factory/.firejail.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "firejail"

Mon Aug 10 14:57:56 2020 rev:7 rq:825005 version:0.9.62

Changes:
--------
--- /work/SRC/openSUSE:Factory/firejail/firejail.changes        2020-05-03 
22:47:48.367224464 +0200
+++ /work/SRC/openSUSE:Factory/.firejail.new.3399/firejail.changes      
2020-08-10 14:58:15.336008645 +0200
@@ -1,0 +2,5 @@
+Sat Aug  8 16:56:43 UTC 2020 - Sebastian Wagner <[email protected]>
+
+- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix 
CVE-2020-17367 and CVE-2020-17368 and boo#1174986
+
+-------------------------------------------------------------------

New:
----
  fix-CVE-2020-17367.patch
  fix-CVE-2020-17368.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ firejail.spec ++++++
--- /var/tmp/diff_new_pack.n0Vj4C/_old  2020-08-10 14:58:19.176010673 +0200
+++ /var/tmp/diff_new_pack.n0Vj4C/_new  2020-08-10 14:58:19.176010673 +0200
@@ -27,6 +27,10 @@
 Source1:        
http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
 # PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- 
https://github.com/netblue30/firejail/issues/3145 two patches combined, source 
see file
 Patch0:         firejail-0.9.62-fix-usr-etc.patch
+# PATHCH-FIX-UPSTREAM fix-CVE-2020-17367 -- fixes boo#1174986
+Patch1:         
https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch#/fix-CVE-2020-17367.patch
+# PATHCH-FIX-UPSTREAM fix-CVE-2020-17368 -- fixes boo#1174986
+Patch2:         
https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch#/fix-CVE-2020-17368.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libapparmor-devel
@@ -45,6 +49,8 @@
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py 
contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py
 
 %build


++++++ fix-CVE-2020-17367.patch ++++++
>From 2c734d6350ad321fccbefc5ef0382199ac331b37 Mon Sep 17 00:00:00 2001
From: Reiner Herrmann <[email protected]>
Date: Wed, 29 Jul 2020 20:16:16 +0200
Subject: [PATCH] firejail: don't interpret output arguments after
 end-of-options tag

Firejail was parsing --output and --output-stderr options even after
the end-of-options separator ("--"), which would allow someone who
has control over command line options of the sandboxed application,
to write data to a specified file.

Fixes: CVE-2020-17367

Reported-by: Tim Starling <[email protected]>
---
 src/firejail/output.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/firejail/output.c b/src/firejail/output.c
index d4a7f464a..6e678afd3 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) {
        int enable_stderr = 0;
 
        for (i = 1; i < argc; i++) {
+               if (strncmp(argv[i], "--", 2) != 0) {
+                       return;
+               }
+               if (strcmp(argv[i], "--") == 0) {
+                       return;
+               }
                if (strncmp(argv[i], "--output=", 9) == 0) {
                        outindex = i;
                        break;
++++++ fix-CVE-2020-17368.patch ++++++
>From 34193604fed04cad2b7b6b0f1a3a0428afd9ed5b Mon Sep 17 00:00:00 2001
From: Reiner Herrmann <[email protected]>
Date: Wed, 29 Jul 2020 20:22:52 +0200
Subject: [PATCH] firejail: don't pass command line through shell when
 redirecting output

When redirecting output via --output or --output-stderr, firejail was
concatenating all command line arguments into a single string
that was passed to a shell. As the arguments were no longer escaped,
the shell was able to interpret them.
Someone who has control over the command line arguments of the
sandboxed application could use this to run arbitrary other commands.

Instead of passing it through a shell for piping the output to ftee,
the pipeline is now manually created and the processes are executed
directly.

Fixes: CVE-2020-17368

Reported-by: Tim Starling <[email protected]>
---
 src/firejail/output.c | 80 +++++++++++++++++++++++++++++--------------
 1 file changed, 54 insertions(+), 26 deletions(-)

diff --git a/src/firejail/output.c b/src/firejail/output.c
index 6e678afd3..0e961bb61 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -77,38 +77,66 @@ void check_output(int argc, char **argv) {
                }
        }
 
-       // build the new command line
-       int len = 0;
-       for (i = 0; i < argc; i++) {
-               len += strlen(argv[i]) + 1; // + ' '
+       int pipefd[2];
+       if (pipe(pipefd) == -1) {
+               errExit("pipe");
        }
-       len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
 
-       char *cmd = malloc(len + 1); // + '\0'
-       if (!cmd)
-               errExit("malloc");
+       pid_t pid = fork();
+       if (pid == -1) {
+               errExit("fork");
+       } else if (pid == 0) {
+               /* child */
+               if (dup2(pipefd[0], STDIN_FILENO) == -1) {
+                       errExit("dup2");
+               }
+               close(pipefd[1]);
+               if (pipefd[0] != STDIN_FILENO) {
+                       close(pipefd[0]);
+               }
 
-       char *ptr = cmd;
-       for (i = 0; i < argc; i++) {
-               if (strncmp(argv[i], "--output=", 9) == 0)
-                       continue;
-               if (strncmp(argv[i], "--output-stderr=", 16) == 0)
-                       continue;
-               ptr += sprintf(ptr, "%s ", argv[i]);
+               char *args[3];
+               args[0] = LIBDIR "/firejail/ftee";
+               args[1] = outfile;
+               args[2] = NULL;
+               execv(args[0], args);
+               perror("execvp");
+               exit(1);
        }
 
-       if (enable_stderr)
-               sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
-       else
-               sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
+       /* parent */
+       if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
+               errExit("dup2");
+       }
+       if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) {
+               errExit("dup2");
+       }
+       close(pipefd[0]);
+       if (pipefd[1] != STDOUT_FILENO) {
+               close(pipefd[1]);
+       }
 
-       // run command
-       char *a[4];
-       a[0] = "/bin/bash";
-       a[1] = "-c";
-       a[2] = cmd;
-       a[3] = NULL;
-       execvp(a[0], a);
+       char **args = calloc(argc + 1, sizeof(char *));
+       if (!args) {
+               errExit("calloc");
+       }
+       bool found_separator = false;
+       /* copy argv into args, but drop --output(-stderr) arguments */
+       for (int i = 0, j = 0; i < argc; i++) {
+               if (!found_separator && i > 0) {
+                       if (strncmp(argv[i], "--output=", 9) == 0) {
+                               continue;
+                       }
+                       if (strncmp(argv[i], "--output-stderr=", 16) == 0) {
+                               continue;
+                       }
+                       if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], 
"--") == 0) {
+                               found_separator = true;
+                       }
+               }
+               args[j++] = argv[i];
+       }
+       execvp(args[0], args);
 
        perror("execvp");
        exit(1);

commit firejail for openSUSE:Factory

Reply via email to