From 30f9931e5a5ad8d25da793ce1e7715ed864e3255bafc0ad3ec8963642e027611 Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Wed, 19 Aug 2020 06:28:03 +0000 Subject: [PATCH] Accepting request 827725 from home:polslinux:branches:Virtualization - Update to 0.9.62.4 * fix AppArmor broken in the previous release * miscellaneous fixes - Update to 0.9.62.2 * fix CVE-2020-17367 * fix CVE-2020-17368 * additional hardening and bug fixes - Remove fix-CVE-2020-17368.patch - Remove fix-CVE-2020-17367.patch OBS-URL: https://build.opensuse.org/request/show/827725 OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=28 --- firejail-0.9.62.4.tar.xz | 3 + firejail-0.9.62.4.tar.xz.asc | 11 ++++ firejail-0.9.62.tar.xz | 3 - firejail-0.9.62.tar.xz.asc | 11 ---- firejail.changes | 17 +++++ firejail.spec | 10 +-- fix-CVE-2020-17367.patch | 35 ---------- fix-CVE-2020-17368.patch | 121 ----------------------------------- 8 files changed, 33 insertions(+), 178 deletions(-) create mode 100644 firejail-0.9.62.4.tar.xz create mode 100644 firejail-0.9.62.4.tar.xz.asc delete mode 100644 firejail-0.9.62.tar.xz delete mode 100644 firejail-0.9.62.tar.xz.asc delete mode 100644 fix-CVE-2020-17367.patch delete mode 100644 fix-CVE-2020-17368.patch diff --git a/firejail-0.9.62.4.tar.xz b/firejail-0.9.62.4.tar.xz new file mode 100644 index 0000000..ac11ff8 --- /dev/null +++ b/firejail-0.9.62.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2a2738bded0d4c96ea17094dacdba175516a193d50ce3e743fce7ac1ade7260c +size 382780 diff --git a/firejail-0.9.62.4.tar.xz.asc b/firejail-0.9.62.4.tar.xz.asc new file mode 100644 index 0000000..ef9f743 --- /dev/null +++ b/firejail-0.9.62.4.tar.xz.asc 
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl86gd4ACgkQLMs2rfxY +SadQgAf+PMlVCZ+CYNxPoKVV+iXntZTbYrHkfcofVqY4A6ADKUelDb/BEHuuoR5R +92FMUnN3bh11sMG/NAwqOX5kCNtl33EMYf9xv5dVAf/H5GZjNjYak93Lpu9wJFOD +NWSAqIqEEWzCov5mJ5+yLdtCJ+Cvx7cMrumod26MzFnGVxXXGvaq8mljGQt7Muxy +pVEyDwcHIjKKYjSvzP3o1038NuI8My9Gl7Wz/ZCGhkUL1j9u0kYktk7gt3/fE/ju +QM3f7ZmCsJIrCmHF++3Va1a/U3z6UQaxNTmJ0XyqqzdZ6xv1+WuGXPAfwgdLaxht +RxipeRnr6o/MaeNGOGPNhiNF+4vY4A== +=A5n+ +-----END PGP SIGNATURE----- diff --git a/firejail-0.9.62.tar.xz b/firejail-0.9.62.tar.xz deleted file mode 100644 index f1c9d1c..0000000 --- a/firejail-0.9.62.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0568081ce950c5240e1b2fca7014b798f589657249e17283a14e20e41f8d5ae0 -size 383760 diff --git a/firejail-0.9.62.tar.xz.asc b/firejail-0.9.62.tar.xz.asc deleted file mode 100644 index b5a16ae..0000000 --- a/firejail-0.9.62.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl4I7awACgkQLMs2rfxY -Safs/wf/dNChQ4y4HnL8syZK/+Q4lO1MDQ/e1F64CnO5m4qha/o7KAmug+b5Gdqx -WUlX9sUuC0QpIqTem04Kz8/W7JBY0zR08Zxr5JQxIcxIWsxeat/xS4RAdygJP5on -OTrN8dl1sf46BosO5KhKhg3l96d22vvHB+WW5k0+DrTCATQ2kE5ZNOAEKdXyRLm1 -8M/cZrdKsm6lNBQUabua1CEOCNBTGysMeVRx13gkMpDNpNurBFgyxmGKmdUyVvZz -KpCsQMBLzPcK9cYrsMgc30ObSbThc+pFLgu4X6DgRgj6jNSCwiWaGQGPtvvDz3aV -T/07J6CZXgjxFgrCdXdgDSdo4S5fbw== -=twT2 ------END PGP SIGNATURE----- diff --git a/firejail.changes b/firejail.changes index 45f0eeb..c7d76da 100644 --- a/firejail.changes +++ b/firejail.changes 
@@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Wed Aug 19 06:15:16 UTC 2020 - Paolo Stivanin + +- Update to 0.9.62.4 + * fix AppArmor broken in the previous release + * miscellaneous fixes + +------------------------------------------------------------------- +Thu Aug 13 06:13:57 UTC 2020 - Paolo Stivanin + +- Update to 0.9.62.2 + * fix CVE-2020-17367 + * fix CVE-2020-17368 + * additional hardening and bug fixes +- Remove fix-CVE-2020-17368.patch +- Remove fix-CVE-2020-17367.patch + ------------------------------------------------------------------- Sat Aug 8 16:56:43 UTC 2020 - Sebastian Wagner diff --git a/firejail.spec b/firejail.spec index be7bc4a..37a06ee 100644 --- a/firejail.spec +++ b/firejail.spec @@ -17,7 +17,7 @@ Name: firejail -Version: 0.9.62 +Version: 0.9.62.4 Release: 0 Summary: Linux namepaces sandbox program License: GPL-2.0-only @@ -27,10 +27,6 @@ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar. Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc # PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file Patch0: firejail-0.9.62-fix-usr-etc.patch -# PATHCH-FIX-UPSTREAM fix-CVE-2020-17367 -- fixes boo#1174986 -Patch1: https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch#/fix-CVE-2020-17367.patch -# PATHCH-FIX-UPSTREAM fix-CVE-2020-17368 -- fixes boo#1174986 -Patch2: https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch#/fix-CVE-2020-17368.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: libapparmor-devel 
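Review bot: The bug reference carried by the removed `Patch1`/`Patch2` comment lines (`fixes boo#1174986`) does not reappear anywhere in this patch; the new firejail.changes entry names CVE-2020-17367 and CVE-2020-17368 but no bug id, which is typically what the distribution's CVE tracking keys on. Suggest extending the 0.9.62.2 entry to `* fix CVE-2020-17367, CVE-2020-17368 (boo#1174986)` so the fix stays linked to the tracked bug. `Patch0` (firejail-0.9.62-fix-usr-etc.patch) is still applied on top of 0.9.62.4; nothing in the hunk shows whether it still applies cleanly or has since been merged upstream, so that is worth confirming before accepting.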
@@ -49,8 +45,6 @@ Linux namespace support. It supports sandboxing specific users upon login. %prep %setup -q %patch0 -p1 -%patch1 -p1 -%patch2 -p1 sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py %build @@ -84,7 +78,7 @@ exit 0 %dir %{_sysconfdir}/%{name} %config %{_sysconfdir}/%{name}/* %config %{_sysconfdir}/apparmor.d/firejail-default -%config %{_sysconfdir}/apparmor.d/local/firejail-local +%config %{_sysconfdir}/apparmor.d/local/firejail-default %dir %{_sysconfdir}/apparmor.d %dir %{_sysconfdir}/apparmor.d/local diff --git a/fix-CVE-2020-17367.patch b/fix-CVE-2020-17367.patch deleted file mode 100644 index e3591f9..0000000 --- a/fix-CVE-2020-17367.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 2c734d6350ad321fccbefc5ef0382199ac331b37 Mon Sep 17 00:00:00 2001 -From: Reiner Herrmann -Date: Wed, 29 Jul 2020 20:16:16 +0200 -Subject: [PATCH] firejail: don't interpret output arguments after - end-of-options tag - -Firejail was parsing --output and --output-stderr options even after -the end-of-options separator ("--"), which would allow someone who -has control over command line options of the sandboxed application, -to write data to a specified file. - -Fixes: CVE-2020-17367 - -Reported-by: Tim Starling ---- - src/firejail/output.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/firejail/output.c b/src/firejail/output.c -index d4a7f464a..6e678afd3 100644 ---- a/src/firejail/output.c -+++ b/src/firejail/output.c -@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) { - int enable_stderr = 0; - - for (i = 1; i < argc; i++) { -+ if (strncmp(argv[i], "--", 2) != 0) { -+ return; -+ } -+ if (strcmp(argv[i], "--") == 0) { -+ return; -+ } - if (strncmp(argv[i], "--output=", 9) == 0) { - outindex = i; - break; diff --git a/fix-CVE-2020-17368.patch b/fix-CVE-2020-17368.patch deleted file mode 100644 index df97325..0000000 
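Review bot: The renamed entry `%config %{_sysconfdir}/apparmor.d/local/firejail-default` in the last hunk is marked plain `%config`; files under apparmor.d/local are the administrator's override location, so a locally hardened override would be replaced (and moved aside as .rpmsave) by the next upgrade that ships a different file. Unless the package intends to own that file's content, `%config(noreplace) %{_sysconfdir}/apparmor.d/local/firejail-default` is the usual choice for an override file. The unchanged `%config %{_sysconfdir}/%{name}/*` line above it has the same property but is not part of this change. The %files section this hunk belongs to starts outside the hunk.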
--- a/fix-CVE-2020-17368.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From 34193604fed04cad2b7b6b0f1a3a0428afd9ed5b Mon Sep 17 00:00:00 2001 -From: Reiner Herrmann -Date: Wed, 29 Jul 2020 20:22:52 +0200 -Subject: [PATCH] firejail: don't pass command line through shell when - redirecting output - -When redirecting output via --output or --output-stderr, firejail was -concatenating all command line arguments into a single string -that was passed to a shell. As the arguments were no longer escaped, -the shell was able to interpret them. -Someone who has control over the command line arguments of the -sandboxed application could use this to run arbitrary other commands. - -Instead of passing it through a shell for piping the output to ftee, -the pipeline is now manually created and the processes are executed -directly. - -Fixes: CVE-2020-17368 - -Reported-by: Tim Starling ---- - src/firejail/output.c | 80 +++++++++++++++++++++++++++++-------------- - 1 file changed, 54 insertions(+), 26 deletions(-) - -diff --git a/src/firejail/output.c b/src/firejail/output.c -index 6e678afd3..0e961bb61 100644 ---- a/src/firejail/output.c -+++ b/src/firejail/output.c -@@ -77,38 +77,66 @@ void check_output(int argc, char **argv) { - } - } - -- // build the new command line -- int len = 0; -- for (i = 0; i < argc; i++) { -- len += strlen(argv[i]) + 1; // + ' ' -+ int pipefd[2]; -+ if (pipe(pipefd) == -1) { -+ errExit("pipe"); - } -- len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command - -- char *cmd = malloc(len + 1); // + '\0' -- if (!cmd) -- errExit("malloc"); -+ pid_t pid = fork(); -+ if (pid == -1) { -+ errExit("fork"); -+ } else if (pid == 0) { -+ /* child */ -+ if (dup2(pipefd[0], STDIN_FILENO) == -1) { -+ errExit("dup2"); -+ } -+ close(pipefd[1]); -+ if (pipefd[0] != STDIN_FILENO) { -+ close(pipefd[0]); -+ } - -- char *ptr = cmd; -- for (i = 0; i < argc; i++) { -- if (strncmp(argv[i], "--output=", 9) == 0) -- continue; -- if (strncmp(argv[i], "--output-stderr=", 16) == 0) -- continue; -- ptr += sprintf(ptr, "%s ", 
argv[i]); -+ char *args[3]; -+ args[0] = LIBDIR "/firejail/ftee"; -+ args[1] = outfile; -+ args[2] = NULL; -+ execv(args[0], args); -+ perror("execvp"); -+ exit(1); - } - -- if (enable_stderr) -- sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); -- else -- sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile); -+ /* parent */ -+ if (dup2(pipefd[1], STDOUT_FILENO) == -1) { -+ errExit("dup2"); -+ } -+ if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) { -+ errExit("dup2"); -+ } -+ close(pipefd[0]); -+ if (pipefd[1] != STDOUT_FILENO) { -+ close(pipefd[1]); -+ } - -- // run command -- char *a[4]; -- a[0] = "/bin/bash"; -- a[1] = "-c"; -- a[2] = cmd; -- a[3] = NULL; -- execvp(a[0], a); -+ char **args = calloc(argc + 1, sizeof(char *)); -+ if (!args) { -+ errExit("calloc"); -+ } -+ bool found_separator = false; -+ /* copy argv into args, but drop --output(-stderr) arguments */ -+ for (int i = 0, j = 0; i < argc; i++) { -+ if (!found_separator && i > 0) { -+ if (strncmp(argv[i], "--output=", 9) == 0) { -+ continue; -+ } -+ if (strncmp(argv[i], "--output-stderr=", 16) == 0) { -+ continue; -+ } -+ if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) { -+ found_separator = true; -+ } -+ } -+ args[j++] = argv[i]; -+ } -+ execvp(args[0], args); - - perror("execvp"); - exit(1);