Accepting request 827725 from home:polslinux:branches:Virtualization
- Update to 0.9.62.4 * fix AppArmor broken in the previous release * miscellaneous fixes - Update to 0.9.62.2 * fix CVE-2020-17367 * fix CVE-2020-17368 * additional hardening and bug fixes - Remove fix-CVE-2020-17368.patch - Remove fix-CVE-2020-17367.patch OBS-URL: https://build.opensuse.org/request/show/827725 OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=28
This commit is contained in:
parent
20cd8acbae
commit
30f9931e5a
3
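--- /dev/null
+++ b/firejail-0.9.62.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a2738bded0d4c96ea17094dacdba175516a193d50ce3e743fce7ac1ade7260c
+size 382780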
11
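--- /dev/null
+++ b/firejail-0.9.62.4.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl86gd4ACgkQLMs2rfxY
+SadQgAf+PMlVCZ+CYNxPoKVV+iXntZTbYrHkfcofVqY4A6ADKUelDb/BEHuuoR5R
+92FMUnN3bh11sMG/NAwqOX5kCNtl33EMYf9xv5dVAf/H5GZjNjYak93Lpu9wJFOD
+NWSAqIqEEWzCov5mJ5+yLdtCJ+Cvx7cMrumod26MzFnGVxXXGvaq8mljGQt7Muxy
+pVEyDwcHIjKKYjSvzP3o1038NuI8My9Gl7Wz/ZCGhkUL1j9u0kYktk7gt3/fE/ju
+QM3f7ZmCsJIrCmHF++3Va1a/U3z6UQaxNTmJ0XyqqzdZ6xv1+WuGXPAfwgdLaxht
+RxipeRnr6o/MaeNGOGPNhiNF+4vY4A==
+=A5n+
+-----END PGP SIGNATURE-----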
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:0568081ce950c5240e1b2fca7014b798f589657249e17283a14e20e41f8d5ae0
|
||||
size 383760
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl4I7awACgkQLMs2rfxY
|
||||
Safs/wf/dNChQ4y4HnL8syZK/+Q4lO1MDQ/e1F64CnO5m4qha/o7KAmug+b5Gdqx
|
||||
WUlX9sUuC0QpIqTem04Kz8/W7JBY0zR08Zxr5JQxIcxIWsxeat/xS4RAdygJP5on
|
||||
OTrN8dl1sf46BosO5KhKhg3l96d22vvHB+WW5k0+DrTCATQ2kE5ZNOAEKdXyRLm1
|
||||
8M/cZrdKsm6lNBQUabua1CEOCNBTGysMeVRx13gkMpDNpNurBFgyxmGKmdUyVvZz
|
||||
KpCsQMBLzPcK9cYrsMgc30ObSbThc+pFLgu4X6DgRgj6jNSCwiWaGQGPtvvDz3aV
|
||||
T/07J6CZXgjxFgrCdXdgDSdo4S5fbw==
|
||||
=twT2
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,20 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 19 06:15:16 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
|
||||
|
||||
- Update to 0.9.62.4
|
||||
* fix AppArmor broken in the previous release
|
||||
* miscellaneous fixes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 13 06:13:57 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
|
||||
|
||||
- Update to 0.9.62.2
|
||||
* fix CVE-2020-17367
|
||||
* fix CVE-2020-17368
|
||||
* additional hardening and bug fixes
|
||||
- Remove fix-CVE-2020-17368.patch
|
||||
- Remove fix-CVE-2020-17367.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Aug 8 16:56:43 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: firejail
|
||||
Version: 0.9.62
|
||||
Version: 0.9.62.4
|
||||
Release: 0
|
||||
Summary: Linux namepaces sandbox program
|
||||
License: GPL-2.0-only
|
||||
@ -27,10 +27,6 @@ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.
|
||||
Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
|
||||
# PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file
|
||||
Patch0: firejail-0.9.62-fix-usr-etc.patch
|
||||
# PATHCH-FIX-UPSTREAM fix-CVE-2020-17367 -- fixes boo#1174986
|
||||
Patch1: https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch#/fix-CVE-2020-17367.patch
|
||||
# PATHCH-FIX-UPSTREAM fix-CVE-2020-17368 -- fixes boo#1174986
|
||||
Patch2: https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch#/fix-CVE-2020-17368.patch
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libapparmor-devel
|
||||
@ -49,8 +45,6 @@ Linux namespace support. It supports sandboxing specific users upon login.
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py
|
||||
|
||||
%build
|
||||
@ -84,7 +78,7 @@ exit 0
|
||||
%dir %{_sysconfdir}/%{name}
|
||||
%config %{_sysconfdir}/%{name}/*
|
||||
%config %{_sysconfdir}/apparmor.d/firejail-default
|
||||
%config %{_sysconfdir}/apparmor.d/local/firejail-local
|
||||
%config %{_sysconfdir}/apparmor.d/local/firejail-default
|
||||
%dir %{_sysconfdir}/apparmor.d
|
||||
%dir %{_sysconfdir}/apparmor.d/local
|
||||
|
||||
|
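Review bot: The `%{_sysconfdir}/apparmor.d/local/firejail-default` entry in the `@ -84,7 +78,7` hunk is tagged plain `%config`, so a package upgrade overwrites whatever the administrator has put in that file and leaves their edits behind as `.rpmsave`; files under `apparmor.d/local/` are conventionally the site-override hook and are normally packaged as `%config(noreplace) %{_sysconfdir}/apparmor.d/local/firejail-default`, which keeps the local edits and drops the packaged copy as `.rpmnew` instead. The rendered hunk does not show which of the two `local/` lines is the new side, but both carry the same tag, so the point holds either way. Leaving plain `%config` on `apparmor.d/firejail-default` itself is right, since that is the upstream profile and should track the package on upgrade.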
@ -1,35 +0,0 @@
|
||||
From 2c734d6350ad321fccbefc5ef0382199ac331b37 Mon Sep 17 00:00:00 2001
|
||||
From: Reiner Herrmann <reiner@reiner-h.de>
|
||||
Date: Wed, 29 Jul 2020 20:16:16 +0200
|
||||
Subject: [PATCH] firejail: don't interpret output arguments after
|
||||
end-of-options tag
|
||||
|
||||
Firejail was parsing --output and --output-stderr options even after
|
||||
the end-of-options separator ("--"), which would allow someone who
|
||||
has control over command line options of the sandboxed application,
|
||||
to write data to a specified file.
|
||||
|
||||
Fixes: CVE-2020-17367
|
||||
|
||||
Reported-by: Tim Starling <tstarling@wikimedia.org>
|
||||
---
|
||||
src/firejail/output.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/firejail/output.c b/src/firejail/output.c
|
||||
index d4a7f464a..6e678afd3 100644
|
||||
--- a/src/firejail/output.c
|
||||
+++ b/src/firejail/output.c
|
||||
@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) {
|
||||
int enable_stderr = 0;
|
||||
|
||||
for (i = 1; i < argc; i++) {
|
||||
+ if (strncmp(argv[i], "--", 2) != 0) {
|
||||
+ return;
|
||||
+ }
|
||||
+ if (strcmp(argv[i], "--") == 0) {
|
||||
+ return;
|
||||
+ }
|
||||
if (strncmp(argv[i], "--output=", 9) == 0) {
|
||||
outindex = i;
|
||||
break;
|
@ -1,121 +0,0 @@
|
||||
From 34193604fed04cad2b7b6b0f1a3a0428afd9ed5b Mon Sep 17 00:00:00 2001
|
||||
From: Reiner Herrmann <reiner@reiner-h.de>
|
||||
Date: Wed, 29 Jul 2020 20:22:52 +0200
|
||||
Subject: [PATCH] firejail: don't pass command line through shell when
|
||||
redirecting output
|
||||
|
||||
When redirecting output via --output or --output-stderr, firejail was
|
||||
concatenating all command line arguments into a single string
|
||||
that was passed to a shell. As the arguments were no longer escaped,
|
||||
the shell was able to interpret them.
|
||||
Someone who has control over the command line arguments of the
|
||||
sandboxed application could use this to run arbitrary other commands.
|
||||
|
||||
Instead of passing it through a shell for piping the output to ftee,
|
||||
the pipeline is now manually created and the processes are executed
|
||||
directly.
|
||||
|
||||
Fixes: CVE-2020-17368
|
||||
|
||||
Reported-by: Tim Starling <tstarling@wikimedia.org>
|
||||
---
|
||||
src/firejail/output.c | 80 +++++++++++++++++++++++++++++--------------
|
||||
1 file changed, 54 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/src/firejail/output.c b/src/firejail/output.c
|
||||
index 6e678afd3..0e961bb61 100644
|
||||
--- a/src/firejail/output.c
|
||||
+++ b/src/firejail/output.c
|
||||
@@ -77,38 +77,66 @@ void check_output(int argc, char **argv) {
|
||||
}
|
||||
}
|
||||
|
||||
- // build the new command line
|
||||
- int len = 0;
|
||||
- for (i = 0; i < argc; i++) {
|
||||
- len += strlen(argv[i]) + 1; // + ' '
|
||||
+ int pipefd[2];
|
||||
+ if (pipe(pipefd) == -1) {
|
||||
+ errExit("pipe");
|
||||
}
|
||||
- len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
|
||||
|
||||
- char *cmd = malloc(len + 1); // + '\0'
|
||||
- if (!cmd)
|
||||
- errExit("malloc");
|
||||
+ pid_t pid = fork();
|
||||
+ if (pid == -1) {
|
||||
+ errExit("fork");
|
||||
+ } else if (pid == 0) {
|
||||
+ /* child */
|
||||
+ if (dup2(pipefd[0], STDIN_FILENO) == -1) {
|
||||
+ errExit("dup2");
|
||||
+ }
|
||||
+ close(pipefd[1]);
|
||||
+ if (pipefd[0] != STDIN_FILENO) {
|
||||
+ close(pipefd[0]);
|
||||
+ }
|
||||
|
||||
- char *ptr = cmd;
|
||||
- for (i = 0; i < argc; i++) {
|
||||
- if (strncmp(argv[i], "--output=", 9) == 0)
|
||||
- continue;
|
||||
- if (strncmp(argv[i], "--output-stderr=", 16) == 0)
|
||||
- continue;
|
||||
- ptr += sprintf(ptr, "%s ", argv[i]);
|
||||
+ char *args[3];
|
||||
+ args[0] = LIBDIR "/firejail/ftee";
|
||||
+ args[1] = outfile;
|
||||
+ args[2] = NULL;
|
||||
+ execv(args[0], args);
|
||||
+ perror("execvp");
|
||||
+ exit(1);
|
||||
}
|
||||
|
||||
- if (enable_stderr)
|
||||
- sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
|
||||
- else
|
||||
- sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
|
||||
+ /* parent */
|
||||
+ if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
|
||||
+ errExit("dup2");
|
||||
+ }
|
||||
+ if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) {
|
||||
+ errExit("dup2");
|
||||
+ }
|
||||
+ close(pipefd[0]);
|
||||
+ if (pipefd[1] != STDOUT_FILENO) {
|
||||
+ close(pipefd[1]);
|
||||
+ }
|
||||
|
||||
- // run command
|
||||
- char *a[4];
|
||||
- a[0] = "/bin/bash";
|
||||
- a[1] = "-c";
|
||||
- a[2] = cmd;
|
||||
- a[3] = NULL;
|
||||
- execvp(a[0], a);
|
||||
+ char **args = calloc(argc + 1, sizeof(char *));
|
||||
+ if (!args) {
|
||||
+ errExit("calloc");
|
||||
+ }
|
||||
+ bool found_separator = false;
|
||||
+ /* copy argv into args, but drop --output(-stderr) arguments */
|
||||
+ for (int i = 0, j = 0; i < argc; i++) {
|
||||
+ if (!found_separator && i > 0) {
|
||||
+ if (strncmp(argv[i], "--output=", 9) == 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (strncmp(argv[i], "--output-stderr=", 16) == 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) {
|
||||
+ found_separator = true;
|
||||
+ }
|
||||
+ }
|
||||
+ args[j++] = argv[i];
|
||||
+ }
|
||||
+ execvp(args[0], args);
|
||||
|
||||
perror("execvp");
|
||||
exit(1);
|