Bugzilla – Bug 1174986
VUL-0: CVE-2020-17367,CVE-2020-17368: firejail -- security update
Last modified: 2020-08-16 14:36:29 UTC
CVE-2020-17367

Tim Starling discovered two vulnerabilities in firejail, a sandbox program to restrict the running environment of untrusted applications.

CVE-2020-17367: It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application to write data to a specified file.

CVE-2020-17368: It was reported that firejail, when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands.

For the stable distribution (buster), these problems have been fixed in version 0.9.58.2-2+deb10u1.

We recommend that you upgrade your firejail packages.

For the detailed security status of firejail please refer to its security tracker page at: https://security-tracker.debian.org/tracker/firejail

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17367
http://www.debian.org/security/-1/dsa-4742
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-17367.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17368
http://www.debian.org/security/-1/dsa-4742
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-17368.html
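The two fixes the advisory describes, modelled as an added Python example (not firejail's own code): a wrapper whose option parsing stops at the "--" separator, and which hands the sandboxed program's arguments to the OS as a vector and redirects output through a file descriptor instead of building a shell string. The "--output=" option name is taken from the advisory; the paths and the self-check program are constructed for the example.

```python
import subprocess
import sys
import tempfile
from typing import List, Optional, Tuple

PYTHON = sys.executable  # harmless target program used by the self-check below

def split_sandbox_args(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Split the wrapper's command line into wrapper options and the sandboxed
    program's argv.  Option parsing stops at "--" (end-of-options separator) or at
    the first non-option word, so a "--output=..." appearing after that point
    belongs to the sandboxed program and is never acted on by the wrapper."""
    options: List[str] = []
    for i, arg in enumerate(argv):
        if arg == "--":
            return options, argv[i + 1:]
        if not arg.startswith("--"):
            return options, argv[i:]
        options.append(arg)
    return options, []

def build_command(argv: List[str]) -> Tuple[List[str], Optional[str]]:
    """Return (program argv, output path or None).  The program argv stays a vector
    handed to the OS directly, never joined into a shell string, so shell
    metacharacters inside an argument remain plain data."""
    options, prog = split_sandbox_args(argv)
    if not prog:
        raise ValueError("no program to run")
    out = next((o[len("--output="):] for o in options if o.startswith("--output=")), None)
    return prog, out

def run_wrapped(argv: List[str]) -> int:
    """Run the program, appending its stdout to the output file through a file
    descriptor instead of a shell redirection; returns the exit status."""
    prog, out = build_command(argv)
    if out is None:
        return subprocess.run(prog, shell=False).returncode
    with open(out, "ab") as sink:
        return subprocess.run(prog, stdout=sink, shell=False).returncode

def self_check() -> str:
    """Show that a "--output=" given after "--" reaches the program as argv[1]
    while the wrapper writes only to the file named before "--"."""
    with tempfile.NamedTemporaryFile(suffix=".log") as log:  # constructed input
        run_wrapped(["--output=" + log.name, "--", PYTHON, "-c",
                     "import sys; print(sys.argv[1])", "--output=/tmp/other"])
        log.seek(0)
        return log.read().decode().strip()
```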
Submitted fixes to Factory and Leap 15.2
This is an autogenerated message for OBS integration:
This bug (1174986) was mentioned in
https://build.opensuse.org/request/show/825005 Factory / firejail
https://build.opensuse.org/request/show/825006 15.2 / firejail
openSUSE-SU-2020:1208-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1174986
CVE References: CVE-2020-17367,CVE-2020-17368
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): firejail-0.9.62-lp152.3.3.1
Requests have been accepted