pool/firejail
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 827725 from home:polslinux:branches:Virtualization

Browse Source 
- Update to 0.9.62.4
  * fix AppArmor broken in the previous release
  * miscellaneous fixes
- Update to 0.9.62.2
  * fix CVE-2020-17367
  * fix CVE-2020-17368
  * additional hardening and bug fixes
- Remove fix-CVE-2020-17368.patch
- Remove fix-CVE-2020-17367.patch

OBS-URL: https://build.opensuse.org/request/show/827725
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=28
This commit is contained in:
Sebastian Wagner 2020-08-19 06:28:03 +00:00 committed by Git OBS Bridge
parent 20cd8acbae
commit 30f9931e5a
8 changed files with 33 additions and 178 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
firejail-0.9.62.4.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2a2738bded0d4c96ea17094dacdba175516a193d50ce3e743fce7ac1ade7260c
size 382780

11
firejail-0.9.62.4.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl86gd4ACgkQLMs2rfxY
SadQgAf+PMlVCZ+CYNxPoKVV+iXntZTbYrHkfcofVqY4A6ADKUelDb/BEHuuoR5R
92FMUnN3bh11sMG/NAwqOX5kCNtl33EMYf9xv5dVAf/H5GZjNjYak93Lpu9wJFOD
NWSAqIqEEWzCov5mJ5+yLdtCJ+Cvx7cMrumod26MzFnGVxXXGvaq8mljGQt7Muxy
pVEyDwcHIjKKYjSvzP3o1038NuI8My9Gl7Wz/ZCGhkUL1j9u0kYktk7gt3/fE/ju
QM3f7ZmCsJIrCmHF++3Va1a/U3z6UQaxNTmJ0XyqqzdZ6xv1+WuGXPAfwgdLaxht
RxipeRnr6o/MaeNGOGPNhiNF+4vY4A==
=A5n+
-----END PGP SIGNATURE-----

3
firejail-0.9.62.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0568081ce950c5240e1b2fca7014b798f589657249e17283a14e20e41f8d5ae0
size 383760

11
firejail-0.9.62.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl4I7awACgkQLMs2rfxY
Safs/wf/dNChQ4y4HnL8syZK/+Q4lO1MDQ/e1F64CnO5m4qha/o7KAmug+b5Gdqx
WUlX9sUuC0QpIqTem04Kz8/W7JBY0zR08Zxr5JQxIcxIWsxeat/xS4RAdygJP5on
OTrN8dl1sf46BosO5KhKhg3l96d22vvHB+WW5k0+DrTCATQ2kE5ZNOAEKdXyRLm1
8M/cZrdKsm6lNBQUabua1CEOCNBTGysMeVRx13gkMpDNpNurBFgyxmGKmdUyVvZz
KpCsQMBLzPcK9cYrsMgc30ObSbThc+pFLgu4X6DgRgj6jNSCwiWaGQGPtvvDz3aV
T/07J6CZXgjxFgrCdXdgDSdo4S5fbw==
=twT2
-----END PGP SIGNATURE-----

17
firejail.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Wed Aug 19 06:15:16 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
- Update to 0.9.62.4
* fix AppArmor broken in the previous release
* miscellaneous fixes
-------------------------------------------------------------------
Thu Aug 13 06:13:57 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
- Update to 0.9.62.2
* fix CVE-2020-17367
* fix CVE-2020-17368
* additional hardening and bug fixes
- Remove fix-CVE-2020-17368.patch
- Remove fix-CVE-2020-17367.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Aug 8 16:56:43 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at> Sat Aug 8 16:56:43 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>

10
firejail.spec
View File

@ -17,7 +17,7 @@
Name: firejail Name: firejail
Version: 0.9.62 Version: 0.9.62.4
Release: 0 Release: 0
Summary: Linux namepaces sandbox program Summary: Linux namepaces sandbox program
License: GPL-2.0-only License: GPL-2.0-only
@ -27,10 +27,6 @@ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.
Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
# PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file # PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file
Patch0: firejail-0.9.62-fix-usr-etc.patch Patch0: firejail-0.9.62-fix-usr-etc.patch
# PATHCH-FIX-UPSTREAM fix-CVE-2020-17367 -- fixes boo#1174986
Patch1: https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch#/fix-CVE-2020-17367.patch
# PATHCH-FIX-UPSTREAM fix-CVE-2020-17368 -- fixes boo#1174986
Patch2: https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch#/fix-CVE-2020-17368.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libapparmor-devel BuildRequires: libapparmor-devel
@ -49,8 +45,6 @@ Linux namespace support. It supports sandboxing specific users upon login.
%prep %prep
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1
%patch2 -p1
sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py
%build %build
@ -84,7 +78,7 @@ exit 0
%dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}
%config %{_sysconfdir}/%{name}/* %config %{_sysconfdir}/%{name}/*
%config %{_sysconfdir}/apparmor.d/firejail-default %config %{_sysconfdir}/apparmor.d/firejail-default
%config %{_sysconfdir}/apparmor.d/local/firejail-local %config %{_sysconfdir}/apparmor.d/local/firejail-default
%dir %{_sysconfdir}/apparmor.d %dir %{_sysconfdir}/apparmor.d
%dir %{_sysconfdir}/apparmor.d/local %dir %{_sysconfdir}/apparmor.d/local

35
fix-CVE-2020-17367.patch
View File

@ -1,35 +0,0 @@
From 2c734d6350ad321fccbefc5ef0382199ac331b37 Mon Sep 17 00:00:00 2001
From: Reiner Herrmann <reiner@reiner-h.de>
Date: Wed, 29 Jul 2020 20:16:16 +0200
Subject: [PATCH] firejail: don't interpret output arguments after
end-of-options tag
Firejail was parsing --output and --output-stderr options even after
the end-of-options separator ("--"), which would allow someone who
has control over command line options of the sandboxed application,
to write data to a specified file.
Fixes: CVE-2020-17367
Reported-by: Tim Starling <tstarling@wikimedia.org>
---
src/firejail/output.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/firejail/output.c b/src/firejail/output.c
index d4a7f464a..6e678afd3 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) {
int enable_stderr = 0;
for (i = 1; i < argc; i++) {
+ if (strncmp(argv[i], "--", 2) != 0) {
+ return;
+ }
+ if (strcmp(argv[i], "--") == 0) {
+ return;
+ }
if (strncmp(argv[i], "--output=", 9) == 0) {
outindex = i;
break;

121
fix-CVE-2020-17368.patch
View File

@ -1,121 +0,0 @@
From 34193604fed04cad2b7b6b0f1a3a0428afd9ed5b Mon Sep 17 00:00:00 2001
From: Reiner Herrmann <reiner@reiner-h.de>
Date: Wed, 29 Jul 2020 20:22:52 +0200
Subject: [PATCH] firejail: don't pass command line through shell when
redirecting output
When redirecting output via --output or --output-stderr, firejail was
concatenating all command line arguments into a single string
that was passed to a shell. As the arguments were no longer escaped,
the shell was able to interpret them.
Someone who has control over the command line arguments of the
sandboxed application could use this to run arbitrary other commands.
Instead of passing it through a shell for piping the output to ftee,
the pipeline is now manually created and the processes are executed
directly.
Fixes: CVE-2020-17368
Reported-by: Tim Starling <tstarling@wikimedia.org>
---
src/firejail/output.c | 80 +++++++++++++++++++++++++++++--------------
1 file changed, 54 insertions(+), 26 deletions(-)
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 6e678afd3..0e961bb61 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -77,38 +77,66 @@ void check_output(int argc, char **argv) {
}
}
- // build the new command line
- int len = 0;
- for (i = 0; i < argc; i++) {
- len += strlen(argv[i]) + 1; // + ' '
+ int pipefd[2];
+ if (pipe(pipefd) == -1) {
+ errExit("pipe");
}
- len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
- char *cmd = malloc(len + 1); // + '\0'
- if (!cmd)
- errExit("malloc");
+ pid_t pid = fork();
+ if (pid == -1) {
+ errExit("fork");
+ } else if (pid == 0) {
+ /* child */
+ if (dup2(pipefd[0], STDIN_FILENO) == -1) {
+ errExit("dup2");
+ }
+ close(pipefd[1]);
+ if (pipefd[0] != STDIN_FILENO) {
+ close(pipefd[0]);
+ }
- char *ptr = cmd;
- for (i = 0; i < argc; i++) {
- if (strncmp(argv[i], "--output=", 9) == 0)
- continue;
- if (strncmp(argv[i], "--output-stderr=", 16) == 0)
- continue;
- ptr += sprintf(ptr, "%s ", argv[i]);
+ char *args[3];
+ args[0] = LIBDIR "/firejail/ftee";
+ args[1] = outfile;
+ args[2] = NULL;
+ execv(args[0], args);
+ perror("execvp");
+ exit(1);
}
- if (enable_stderr)
- sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
- else
- sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
+ /* parent */
+ if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
+ errExit("dup2");
+ }
+ if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) {
+ errExit("dup2");
+ }
+ close(pipefd[0]);
+ if (pipefd[1] != STDOUT_FILENO) {
+ close(pipefd[1]);
+ }
- // run command
- char *a[4];
- a[0] = "/bin/bash";
- a[1] = "-c";
- a[2] = cmd;
- a[3] = NULL;
- execvp(a[0], a);
+ char **args = calloc(argc + 1, sizeof(char *));
+ if (!args) {
+ errExit("calloc");
+ }
+ bool found_separator = false;
+ /* copy argv into args, but drop --output(-stderr) arguments */
+ for (int i = 0, j = 0; i < argc; i++) {
+ if (!found_separator && i > 0) {
+ if (strncmp(argv[i], "--output=", 9) == 0) {
+ continue;
+ }
+ if (strncmp(argv[i], "--output-stderr=", 16) == 0) {
+ continue;
+ }
+ if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) {
+ found_separator = true;
+ }
+ }
+ args[j++] = argv[i];
+ }
+ execvp(args[0], args);
perror("execvp");
exit(1);