Bugzilla – Bug 1174986
VUL-0: CVE-2020-17367,CVE-2020-17368: firejail -- security update
Last modified: 2020-08-16 14:36:29 UTC
Tim Starling discovered two vulnerabilities in firejail, a sandbox
program to restrict the running environment of untrusted applications.
It was reported that firejail does not respect the end-of-options
separator ("--"), allowing an attacker with control over the command
line options of the sandboxed application to write data to a
It was reported that firejail, when redirecting output via --output
or --output-stderr, concatenates all command line arguments into a
single string that is passed to a shell. An attacker who has control
over the command line arguments of the sandboxed application could
take advantage of this flaw to run arbitrary commands.
For the stable distribution (buster), these problems have been fixed in
We recommend that you upgrade your firejail packages.
For the detailed security status of firejail please refer to its
security tracker page at:
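Added example, not part of the original report and not firejail's code or its actual fix: the --output flaw described above comes from joining arguments into one shell string, shown here beside a form that single-quotes each argument. The function names `join_naive` and `join_quoted` and the sample arguments are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak pattern from the advisory: arguments joined with spaces and handed
 * to a shell, so metacharacters inside an argument are interpreted. */
char *join_naive(int argc, char **argv) {
    size_t len = 1;
    for (int i = 0; i < argc; i++) len += strlen(argv[i]) + 1;
    char *out = malloc(len);
    if (!out) return NULL;
    out[0] = '\0';
    for (int i = 0; i < argc; i++) {
        if (i) strcat(out, " ");
        strcat(out, argv[i]);
    }
    return out;
}

/* Hardened form: each argument is wrapped in single quotes and an embedded
 * single quote is written as '\'' so the shell sees one literal word. */
char *join_quoted(int argc, char **argv) {
    size_t len = 1;
    /* Worst case per argument: every byte expands to 4, plus 2 quotes and a space. */
    for (int i = 0; i < argc; i++) len += 4 * strlen(argv[i]) + 3;
    char *out = malloc(len);
    if (!out) return NULL;
    char *p = out;
    for (int i = 0; i < argc; i++) {
        if (i) *p++ = ' ';
        *p++ = '\'';
        for (const char *s = argv[i]; *s; s++) {
            if (*s == '\'') { memcpy(p, "'\\''", 4); p += 4; }
            else *p++ = *s;
        }
        *p++ = '\'';
    }
    *p = '\0';
    return out;
}

int main(void) {
    char *args[] = { "echo", "a;b", "it's" }; /* constructed sample arguments */
    char *weak = join_naive(3, args), *safe = join_quoted(3, args);
    if (!weak || !safe) return 1;
    printf("naive : %s\nquoted: %s\n", weak, safe);
    free(weak); free(safe);
    return 0;
}
```

Where the design allows it, passing the argument array directly to `execvp` avoids the shell, and the need for quoting, altogether.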
Submitted fixes to Factory and Leap 15.2
This is an autogenerated message for OBS integration:
This bug (1174986) was mentioned in
https://build.opensuse.org/request/show/825005 Factory / firejail
https://build.opensuse.org/request/show/825006 15.2 / firejail
openSUSE-SU-2020:1208-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1174986
CVE References: CVE-2020-17367,CVE-2020-17368
openSUSE Leap 15.2 (src): firejail-0.9.62-lp188.8.131.52
Requests have been accepted