From 7a7ff5e7feaa2d7ed0eee4c8cc425178bea26ba5ab4c1864bc0c1606fd7d71f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?=
Date: Sat, 7 Jan 2017 09:27:56 +0000
Subject: [PATCH] Accepting request 448835 from home:tiwai:branches:Virtualization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update to version 0.9.44.2:
Security fixes:
* overwrite /etc/resolv.conf found by Martin Carpenter
* TOCTOU exploit for –get and –put found by Daniel Hodson
* invalid environment exploit found by Martin Carpenter
* several security enhancements
Bugfixes:
* crashing VLC by pressing Ctrl-O
* use user configured icons in KDE
* mkdir and mkfile are not applied to private directories
* cannot open files on Deluge running under KDE
* –private=dir where dir is the user home directory
* cannot start Vivaldi browser
* cannot start mupdf
* ssh profile problems
* –quiet
* quiet in git profile
* memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch

OBS-URL: https://build.opensuse.org/request/show/448835
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=5

---
firejail-0.9.44.2.tar.xz | 3 +
firejail-0.9.44.tar.xz | 3 -
firejail-CVE-2017-5180-fix1.patch | 72 ++++++++
firejail-CVE-2017-5180-fix2.patch | 268 ++++++++++++++++++++++++++++++
firejail.changes | 25 +++
firejail.spec | 6 +-
6 files changed, 373 insertions(+), 4 deletions(-)
create mode 100644 firejail-0.9.44.2.tar.xz
delete mode 100644 firejail-0.9.44.tar.xz
create mode 100644 firejail-CVE-2017-5180-fix1.patch
create mode 100644 firejail-CVE-2017-5180-fix2.patch

diff --git a/firejail-0.9.44.2.tar.xz b/firejail-0.9.44.2.tar.xz
new file mode 100644
index 0000000..a34a708
--- /dev/null
+++ b/firejail-0.9.44.2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5adef1943daa33049c4c39e5a19a0d02b897f1b1581be094ec600490dde8851
+size 213092
diff --git a/firejail-0.9.44.tar.xz b/firejail-0.9.44.tar.xz
deleted file mode 100644
index 0c5a229..0000000
--- a/firejail-0.9.44.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2cd8ba061a546b593e52748ebbcd8dbdac55973aaeff21250ada43fe3405992c
-size 212532
diff --git a/firejail-CVE-2017-5180-fix1.patch b/firejail-CVE-2017-5180-fix1.patch
new file mode 100644
index 0000000..1b38475
--- /dev/null
+++ b/firejail-CVE-2017-5180-fix1.patch
@@ -0,0 +1,72 @@
+From 60d4b478f65c60bcc825bb56f85fd6c4fd48b250 Mon Sep 17 00:00:00 2001
+From: netblue30
+Date: Wed, 4 Jan 2017 11:59:46 -0500
+Subject: [PATCH] security fix
+
+---
+ src/firejail/fs_home.c | 14 ++++++++++++++
+ src/firejail/pulseaudio.c | 15 +++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+--- a/src/firejail/fs_home.c
++++ b/src/firejail/fs_home.c
+@@ -171,6 +171,13 @@ static void copy_xauthority(void) {
+ char *dest;
+ if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
+ errExit("asprintf");
++
++ // if destination is a symbolic link, exit the sandbox!!!
++ if (is_link(dest)) {
++ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
++ exit(1);
++ }
++
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+ if (rv)
+@@ -189,6 +196,13 @@ static void copy_asoundrc(void) {
+ char *dest;
+ if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
+ errExit("asprintf");
++
++ // if destination is a symbolic link, exit the sandbox!!!
++ if (is_link(dest)) {
++ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
++ exit(1);
++ }
++
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+ if (rv)
+--- a/src/firejail/pulseaudio.c
++++ b/src/firejail/pulseaudio.c
+@@ -138,7 +138,15 @@ void pulseaudio_init(void) {
+ (void) rv;
+ }
+ }
++ else {
++ // make sure the directory is owned by the user
++ if (s.st_uid != getuid()) {
++ fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
++ exit(1);
++ }
++ }
+ free(dir1);
++
+ if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
+ errExit("asprintf");
+ if (stat(dir1, &s) == -1) {
+@@ -150,6 +158,13 @@ void pulseaudio_init(void) {
+ (void) rv;
+ }
+ }
++ else {
++ // make sure the directory is owned by the user
++ if (s.st_uid != getuid()) {
++ fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
++ exit(1);
++ }
++ }
+ free(dir1);
+
+
diff --git a/firejail-CVE-2017-5180-fix2.patch b/firejail-CVE-2017-5180-fix2.patch
new file mode 100644
index 0000000..9062d12
--- /dev/null
+++ b/firejail-CVE-2017-5180-fix2.patch
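Review bot: The `is_link(dest)` guards added to copy_xauthority and copy_asoundrc are check-then-use: the `copy_file(src, dest, …)` call right after them still runs in the privileged setup process, and copy_file opens its destination with `O_CREAT|O_WRONLY|O_TRUNC` and no O_NOFOLLOW (visible as context in the util.c hunk of the second patch in this request), so a symlink swapped in between the check and the open is still followed, and a hard link, which an lstat-based is_link presumably does not detect, is truncated outright. The second patch in this request is what actually closes this by doing the copy in a forked child after `drop_privs(0)`, so the check here is defense in depth and a comment should say so, e.g. `// defense in depth only: a symlink check before copy_file is racy; the copy must also run unprivileged`. In pulseaudio_init the new ownership checks rely on `stat()` (which follows symlinks) and compare only `st_uid`; they never test `S_ISDIR(s.st_mode)`, so a user-owned regular file or symlink named .config passes here and is only rejected, if at all, by the later mkdir of .config/pulse. copy_xauthority, copy_asoundrc and pulseaudio_init all continue outside this hunk.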
@@ -0,0 +1,268 @@
+From e74fdab5d2125ce8f058c1630ce7cce19cbdac16 Mon Sep 17 00:00:00 2001
+From: netblue30
+Date: Wed, 4 Jan 2017 18:13:45 -0500
+Subject: [PATCH] security fixes
+
+---
+ src/firejail/fs_home.c | 118 +++++++++++++++++++++++++++++++++++++---------
+ src/firejail/pulseaudio.c | 47 +++++++++++++-----
+ src/firejail/util.c | 4 -
+ 3 files changed, 134 insertions(+), 35 deletions(-)
+
+--- a/src/firejail/fs_home.c
++++ b/src/firejail/fs_home.c
+@@ -108,6 +108,14 @@ static int store_xauthority(void) {
+
+ char *src;
+ char *dest = RUN_XAUTHORITY_FILE;
++ // create an empty file
++ FILE *fp = fopen(dest, "w");
++ if (fp) {
++ fprintf(fp, "\n");
++ SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
++ fclose(fp);
++ }
++
+ if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
+ errExit("asprintf");
+
+@@ -117,12 +125,28 @@ static int store_xauthority(void) {
+ fprintf(stderr, "Warning: invalid .Xauthority file\n");
+ return 0;
+ }
+-
++ int rv = copy_file(src, dest, -1, -1, 0600);
+- if (rv) {
+- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+- return 0;
++
++ pid_t child = fork();
++ if (child < 0)
++ errExit("fork");
++ if (child == 0) {
++ // drop privileges
++ drop_privs(0);
++
++ // copy, set permissions and ownership
++ int rv = copy_file(src, dest, getuid(), getgid(), 0600);
++ if (rv)
++ fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
++ else {
++ fs_logger2("clone", dest);
++ }
++#ifdef HAVE_GCOV
++ __gcov_flush();
++#endif
++ _exit(0);
+ }
++ // wait for the child to finish
++ waitpid(child, NULL, 0);
+ return 1; // file copied
+ }
+
+@@ -135,6 +159,14 @@ static int store_asoundrc(void) {
+
+ char *src;
+ char *dest = RUN_ASOUNDRC_FILE;
++ // create an empty file
++ FILE *fp = fopen(dest, "w");
++ if (fp) {
++ fprintf(fp, "\n");
++ SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
++ fclose(fp);
++ }
++
+ if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
+ errExit("asprintf");
+
+@@ -154,11 +186,27 @@ static int store_asoundrc(void) {
+ free(rp);
+ }
+
+- int rv = copy_file(src, dest, -1, -1, -0644);
+- if (rv) {
+- fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+- return 0;
++ pid_t child = fork();
++ if (child < 0)
++ errExit("fork");
++ if (child == 0) {
++ // drop privileges
++ drop_privs(0);
++
++ // copy, set permissions and ownership
++ int rv = copy_file(src, dest, getuid(), getgid(), 0644);
++ if (rv)
++ fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
++ else {
++ fs_logger2("clone", dest);
++ }
++#ifdef HAVE_GCOV
++ __gcov_flush();
++#endif
++ _exit(0);
+ }
++ // wait for the child to finish
++ waitpid(child, NULL, 0);
+ return 1; // file copied
+ }
+
+@@ -178,13 +226,27 @@ static void copy_xauthority(void) {
+ exit(1);
+ }
+
+- // copy, set permissions and ownership
+- int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+- if (rv)
+- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+- else {
+- fs_logger2("clone", dest);
++ pid_t child = fork();
++ if (child < 0)
++ errExit("fork");
++ if (child == 0) {
++ // drop privileges
++ drop_privs(0);
++
++ // copy, set permissions and ownership
++ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
++ if (rv)
++ fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
++ else {
++ fs_logger2("clone", dest);
++ }
++#ifdef HAVE_GCOV
++ __gcov_flush();
++#endif
++ _exit(0);
+ }
++ // wait for the child to finish
++ waitpid(child, NULL, 0);
+
+ // delete the temporary file
+ unlink(src);
+@@ -203,13 +265,27 @@ static void copy_asoundrc(void) {
+ exit(1);
+ }
+
+- // copy, set permissions and ownership
+- int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+- if (rv)
+- fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+- else {
+- fs_logger2("clone", dest);
++ pid_t child = fork();
++ if (child < 0)
++ errExit("fork");
++ if (child == 0) {
++ // drop privileges
++ drop_privs(0);
++
++ // copy, set permissions and ownership
++ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
++ if (rv)
++ fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
++ else {
++ fs_logger2("clone", dest);
++ }
++#ifdef HAVE_GCOV
++ __gcov_flush();
++#endif
++ _exit(0);
+ }
++ // wait for the child to finish
++ waitpid(child, NULL, 0);
+
+ // delete the temporary file
+ unlink(src);
+--- a/src/firejail/pulseaudio.c
++++ b/src/firejail/pulseaudio.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ static void disable_file(const char *path, const char *file) {
+@@ -130,13 +131,24 @@ void pulseaudio_init(void) {
+ if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
+ errExit("asprintf");
+ if (stat(dir1, &s) == -1) {
+- int rv = mkdir(dir1, 0755);
+- if (rv == 0) {
+- rv = chown(dir1, getuid(), getgid());
+- (void) rv;
+- rv = chmod(dir1, 0755);
+- (void) rv;
++ pid_t child = fork();
++ if (child < 0)
++ errExit("fork");
++ if (child == 0) {
++ // drop privileges
++ drop_privs(0);
++
++ int rv = mkdir(dir1, 0755);
++ if (rv == 0) {
++ rv = chown(dir1, getuid(), getgid());
++ (void) rv;
++ rv = chmod(dir1, 0755);
++ (void) rv;
++ }
++ _exit(0);
+ }
++ // wait for the child to finish
++ waitpid(child, NULL, 0);
+ }
+ else {
+ // make sure the directory is owned by the user
+@@ -150,13 +162,24 @@ void pulseaudio_init(void) {
+ if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
+ errExit("asprintf");
+ if (stat(dir1, &s) == -1) {
+- int rv = mkdir(dir1, 0700);
+- if (rv == 0) {
+- rv = chown(dir1, getuid(), getgid());
+- (void) rv;
+- rv = chmod(dir1, 0700);
+- (void) rv;
++ pid_t child = fork();
++ if (child < 0)
++ errExit("fork");
++ if (child == 0) {
++ // drop privileges
++ drop_privs(0);
++
++ int rv = mkdir(dir1, 0700);
++ if (rv == 0) {
++ rv = chown(dir1, getuid(), getgid());
++ (void) rv;
++ rv = chmod(dir1, 0700);
++ (void) rv;
++ }
++ _exit(0);
+ }
++ // wait for the child to finish
++ waitpid(child, NULL, 0);
+ }
+ else {
+ // make sure the directory is owned by the user
+--- a/src/firejail/util.c
++++ b/src/firejail/util.c
+@@ -179,14 +179,14 @@ int copy_file(const char *srcname, const
+ // open source
+ int src = open(srcname, O_RDONLY);
+ if (src < 0) {
+- fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
++ fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
+ return -1;
+ }
+
+ // open destination
+ int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ if (dst < 0) {
+- fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
++ fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
+ close(src);
+ return -1;
+ }
diff --git a/firejail.changes b/firejail.changes
index 349cf00..c7b44e6 100644
--- a/firejail.changes
+++ b/firejail.changes
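Review bot: In store_xauthority and store_asoundrc the child always ends with `_exit(0)` and the parent does `waitpid(child, NULL, 0)`, so both functions now `return 1; // file copied` even when copy_file failed in the child, whereas the replaced lines returned 0 on failure; since the new fopen before the fork pre-creates RUN_XAUTHORITY_FILE / RUN_ASOUNDRC_FILE as an empty file, a caller that trusts the return value presumably goes on to install an empty credential file as if the copy had succeeded. Propagate the child's result instead: `_exit(rv ? 1 : 0);` in the child, then `int status = 0; if (waitpid(child, &status, 0) < 0) errExit("waitpid");` and `return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;` in the parent. The same `waitpid(child, NULL, 0)` pattern in copy_xauthority, copy_asoundrc and pulseaudio_init likewise discards copy and mkdir failures. Separately, copy_file in util.c still opens the destination with `O_CREAT|O_WRONLY|O_TRUNC` and no `O_NOFOLLOW`; the home-directory callers now run unprivileged, but any other root-context caller of copy_file (not visible here) would still follow a symlink at the destination, so adding `O_NOFOLLOW` to that open is cheap defense in depth. store_xauthority, store_asoundrc, copy_xauthority, copy_asoundrc and pulseaudio_init all begin or end outside their hunks.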
@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu Jan 5 10:38:43 CET 2017 - tiwai@suse.de
+
+- Update to version 0.9.44.2:
+ Security fixes:
+ * overwrite /etc/resolv.conf found by Martin Carpenter
+ * TOCTOU exploit for –get and –put found by Daniel Hodson
+ * invalid environment exploit found by Martin Carpenter
+ * several security enhancements
+ Bugfixes:
+ * crashing VLC by pressing Ctrl-O
+ * use user configured icons in KDE
+ * mkdir and mkfile are not applied to private directories
+ * cannot open files on Deluge running under KDE
+ * –private=dir where dir is the user home directory
+ * cannot start Vivaldi browser
+ * cannot start mupdf
+ * ssh profile problems
+ * –quiet
+ * quiet in git profile
+ * memory corruption
+- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
+ firejail-CVE-2017-5180-fix1.patch
+ firejail-CVE-2017-5180-fix2.patch
+
 -------------------------------------------------------------------
 Thu Oct 27 17:49:48 CEST 2016 - tiwai@suse.de
diff --git a/firejail.spec b/firejail.spec
index 0d2f282..e47d03d 100644
--- a/firejail.spec
+++ b/firejail.spec
@@ -17,7 +17,7 @@
 Name: firejail
-Version: 0.9.44
+Version: 0.9.44.2
 Release: 0
 Summary: Linux namepaces sandbox program
 License: GPL-2.0
@@ -25,6 +25,8 @@ Group: Productivity/Security
 Url: https://firejail.wordpress.com/
 Source0: %{name}-%{version}.tar.xz
 Source1: %{name}.rpmlintrc
+Patch1: firejail-CVE-2017-5180-fix1.patch
+Patch2: firejail-CVE-2017-5180-fix2.patch
 BuildRequires: libapparmor-devel
 BuildRequires: gcc-c++
 Requires(pre): permissions
@@ -40,6 +42,8 @@ Linux namespace support. It supports sandboxing specific users upon login.
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 %build
 %configure --docdir=%{_docdir}/%{name} \