Bug 1174986 - (CVE-2020-17367) VUL-0: CVE-2020-17367,CVE-2020-17368: firejail -- security update
(CVE-2020-17367)
VUL-0: CVE-2020-17367,CVE-2020-17368: firejail -- security update
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.2
Other Other
: P3 - Medium : Minor (vote)
: ---
Assigned To: Sebastian Wagner
Security Team bot
https://smash.suse.de/issue/264830/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-08-07 08:13 UTC by Robert Frohl
Modified: 2020-08-16 14:36 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2020-08-07 08:13:21 UTC
CVE-2020-17367

Tim Starling discovered two vulnerabilities in firejail, a sandbox
program to restrict the running environment of untrusted applications.

CVE-2020-17367
It was reported that firejail does not respect the end-of-options
    separator ("--"), allowing an attacker with control over the command
    line options of the sandboxed application, to write data to a
    specified file.
CVE-2020-17368
It was reported that firejail when redirecting output via --output
    or --output-stderr, concatenates all command line arguments into a
    single string that is passed to a shell. An attacker who has control
    over the command line arguments of the sandboxed application could
    take advantage of this flaw to run arbitrary commands.

For the stable distribution (buster), these problems have been fixed in
version 0.9.58.2-2+deb10u1.
We recommend that you upgrade your firejail packages.
For the detailed security status of firejail please refer to its

security tracker page at:
https://security-tracker.debian.org/tracker/firejail

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17367
http://www.debian.org/security/-1/dsa-4742
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-17367.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17368
http://www.debian.org/security/-1/dsa-4742
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-17368.html
Comment 1 Sebastian Wagner 2020-08-08 17:45:29 UTC
Submitted fixes to Factory and Leap 15.2
Comment 2 OBSbugzilla Bot 2020-08-08 18:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1174986) was mentioned in
https://build.opensuse.org/request/show/825005 Factory / firejail
https://build.opensuse.org/request/show/825006 15.2 / firejail
Comment 3 Swamp Workflow Management 2020-08-14 19:23:44 UTC
openSUSE-SU-2020:1208-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1174986
CVE References: CVE-2020-17367,CVE-2020-17368
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    firejail-0.9.62-lp152.3.3.1
Comment 4 Sebastian Wagner 2020-08-16 14:36:29 UTC
Requests have been accepted