Accepting request 448835 from home:tiwai:branches:Virtualization

- Update to version 0.9.44.2:
  Security fixes:
  * overwrite /etc/resolv.conf found by Martin Carpenter
  * TOCTOU exploit for –get and –put found by Daniel Hodson
  * invalid environment exploit found by Martin Carpenter
  * several security enhancements
  Bugfixes:
  * crashing VLC by pressing Ctrl-O
  * use user configured icons in KDE
  * mkdir and mkfile are not applied to private directories
  * cannot open files on Deluge running under KDE
  * –private=dir where dir is the user home directory
  * cannot start Vivaldi browser
  * cannot start mupdf
  * ssh profile problems
  * –quiet
  * quiet in git profile
  * memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch

OBS-URL: https://build.opensuse.org/request/show/448835
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=5

firejail-0.9.44.2.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5adef1943daa33049c4c39e5a19a0d02b897f1b1581be094ec600490dde8851
+size 213092

firejail-0.9.44.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2cd8ba061a546b593e52748ebbcd8dbdac55973aaeff21250ada43fe3405992c
-size 212532

firejail-CVE-2017-5180-fix1.patch

@@ -0,0 +1,72 @@
+From 60d4b478f65c60bcc825bb56f85fd6c4fd48b250 Mon Sep 17 00:00:00 2001
+From: netblue30 <netblue30@yahoo.com>
+Date: Wed, 4 Jan 2017 11:59:46 -0500
+Subject: [PATCH] security fix
+
+---
+ src/firejail/fs_home.c    |   14 ++++++++++++++
+ src/firejail/pulseaudio.c |   15 +++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+--- a/src/firejail/fs_home.c
++++ b/src/firejail/fs_home.c
+@@ -171,6 +171,13 @@ static void copy_xauthority(void) {
+ 	char *dest;
+ 	if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
+ 		errExit("asprintf");
++	
++	// if destination is a symbolic link, exit the sandbox!!!
++	if (is_link(dest)) {
++		fprintf(stderr, "Error: %s is a symbolic link\n", dest);
++		exit(1);
++	}
++
+ 	// copy, set permissions and ownership
+ 	int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+ 	if (rv)
+@@ -189,6 +196,13 @@ static void copy_asoundrc(void) {
+ 	char *dest;
+ 	if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
+ 		errExit("asprintf");
++	
++	// if destination is a symbolic link, exit the sandbox!!!
++	if (is_link(dest)) {
++		fprintf(stderr, "Error: %s is a symbolic link\n", dest);
++		exit(1);
++	}
++
+ 	// copy, set permissions and ownership
+ 	int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+ 	if (rv)
+--- a/src/firejail/pulseaudio.c
++++ b/src/firejail/pulseaudio.c
+@@ -138,7 +138,15 @@ void pulseaudio_init(void) {
+ 			(void) rv;
+ 		}
+ 	}
++	else {
++		// make sure the directory is owned by the user
++		if (s.st_uid != getuid()) {
++			fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
++			exit(1);
++		}
++	}
+ 	free(dir1);
++	
+ 	if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
+ 		errExit("asprintf");
+ 	if (stat(dir1, &s) == -1) {
+@@ -150,6 +158,13 @@ void pulseaudio_init(void) {
+ 			(void) rv;
+ 		}
+ 	}
++	else {
++		// make sure the directory is owned by the user
++		if (s.st_uid != getuid()) {
++			fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
++			exit(1);
++		}
++	}
+ 	free(dir1);
+ 	
+ 	

firejail-CVE-2017-5180-fix2.patch

@@ -0,0 +1,268 @@
+From e74fdab5d2125ce8f058c1630ce7cce19cbdac16 Mon Sep 17 00:00:00 2001
+From: netblue30 <netblue30@yahoo.com>
+Date: Wed, 4 Jan 2017 18:13:45 -0500
+Subject: [PATCH] security fixes
+
+---
+ src/firejail/fs_home.c    |  118 +++++++++++++++++++++++++++++++++++++---------
+ src/firejail/pulseaudio.c |   47 +++++++++++++-----
+ src/firejail/util.c       |    4 -
+ 3 files changed, 134 insertions(+), 35 deletions(-)
+
+--- a/src/firejail/fs_home.c
++++ b/src/firejail/fs_home.c
+@@ -108,6 +108,14 @@ static int store_xauthority(void) {
+ 
+ 	char *src;
+ 	char *dest = RUN_XAUTHORITY_FILE;
++	// create an empty file 
++	FILE *fp = fopen(dest, "w");
++	if (fp) {
++		fprintf(fp, "\n");
++		SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
++		fclose(fp);
++	}
++	
+ 	if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
+ 		errExit("asprintf");
+ 	
+@@ -117,12 +125,28 @@ static int store_xauthority(void) {
+ 			fprintf(stderr, "Warning: invalid .Xauthority file\n");
+ 			return 0;
+ 		}
+-			
+-		int rv = copy_file(src, dest, -1, -1, 0600);
+-		if (rv) {
+-			fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+-			return 0;
++
++		pid_t child = fork();
++		if (child < 0)
++			errExit("fork");
++		if (child == 0) {
++			// drop privileges
++			drop_privs(0);
++	
++			// copy, set permissions and ownership
++			int rv = copy_file(src, dest, getuid(), getgid(), 0600);
++			if (rv)
++				fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
++			else {
++				fs_logger2("clone", dest);
++			}
++#ifdef HAVE_GCOV
++			__gcov_flush();
++#endif
++			_exit(0);
+ 		}
++		// wait for the child to finish
++		waitpid(child, NULL, 0);
+ 		return 1; // file copied
+ 	}
+ 	
+@@ -135,6 +159,14 @@ static int store_asoundrc(void) {
+ 
+ 	char *src;
+ 	char *dest = RUN_ASOUNDRC_FILE;
++	// create an empty file 
++	FILE *fp = fopen(dest, "w");
++	if (fp) {
++		fprintf(fp, "\n");
++		SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
++		fclose(fp);
++	}
++	
+ 	if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
+ 		errExit("asprintf");
+ 	
+@@ -154,11 +186,27 @@ static int store_asoundrc(void) {
+ 			free(rp);
+ 		}
+ 
+-		int rv = copy_file(src, dest, -1, -1, -0644);
+-		if (rv) {
+-			fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+-			return 0;
++		pid_t child = fork();
++		if (child < 0)
++			errExit("fork");
++		if (child == 0) {
++			// drop privileges
++			drop_privs(0);
++	
++			// copy, set permissions and ownership
++			int rv = copy_file(src, dest, getuid(), getgid(), 0644);
++			if (rv)
++				fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
++			else {
++				fs_logger2("clone", dest);
++			}
++#ifdef HAVE_GCOV
++			__gcov_flush();
++#endif
++			_exit(0);
+ 		}
++		// wait for the child to finish
++		waitpid(child, NULL, 0);
+ 		return 1; // file copied
+ 	}
+ 	
+@@ -178,13 +226,27 @@ static void copy_xauthority(void) {
+ 		exit(1);
+ 	}
+ 
+-	// copy, set permissions and ownership
+-	int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+-	if (rv)
+-		fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+-	else {
+-		fs_logger2("clone", dest);
++	pid_t child = fork();
++	if (child < 0)
++		errExit("fork");
++	if (child == 0) {
++		// drop privileges
++		drop_privs(0);
++
++		// copy, set permissions and ownership
++		int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
++		if (rv)
++			fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
++		else {
++			fs_logger2("clone", dest);
++		}
++#ifdef HAVE_GCOV
++		__gcov_flush();
++#endif
++		_exit(0);
+ 	}
++	// wait for the child to finish
++	waitpid(child, NULL, 0);
+ 	
+ 	// delete the temporary file
+ 	unlink(src);
+@@ -203,13 +265,27 @@ static void copy_asoundrc(void) {
+ 		exit(1);
+ 	}
+ 
+-	// copy, set permissions and ownership
+-	int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+-	if (rv)
+-		fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+-	else {
+-		fs_logger2("clone", dest);
++	pid_t child = fork();
++	if (child < 0)
++		errExit("fork");
++	if (child == 0) {
++		// drop privileges
++		drop_privs(0);
++
++		// copy, set permissions and ownership
++		int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
++		if (rv)
++			fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
++		else {
++			fs_logger2("clone", dest);
++		}
++#ifdef HAVE_GCOV
++		__gcov_flush();
++#endif
++		_exit(0);
+ 	}
++	// wait for the child to finish
++	waitpid(child, NULL, 0);
+ 
+ 	// delete the temporary file
+ 	unlink(src);
+--- a/src/firejail/pulseaudio.c
++++ b/src/firejail/pulseaudio.c
+@@ -21,6 +21,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/mount.h>
++#include <sys/wait.h>
+ #include <dirent.h>
+ 
+ static void disable_file(const char *path, const char *file) {
+@@ -130,13 +131,24 @@ void pulseaudio_init(void) {
+ 	if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
+ 		errExit("asprintf");
+ 	if (stat(dir1, &s) == -1) {
+-		int rv = mkdir(dir1, 0755);
+-		if (rv == 0) {
+-			rv = chown(dir1, getuid(), getgid());
+-			(void) rv;
+-			rv = chmod(dir1, 0755);
+-			(void) rv;
++		pid_t child = fork();
++		if (child < 0)
++			errExit("fork");
++		if (child == 0) {
++			// drop privileges
++			drop_privs(0);
++	
++			int rv = mkdir(dir1, 0755);
++			if (rv == 0) {
++				rv = chown(dir1, getuid(), getgid());
++				(void) rv;
++				rv = chmod(dir1, 0755);
++				(void) rv;
++			}
++			_exit(0);
+ 		}
++		// wait for the child to finish
++		waitpid(child, NULL, 0);
+ 	}
+ 	else {
+ 		// make sure the directory is owned by the user
+@@ -150,13 +162,24 @@ void pulseaudio_init(void) {
+ 	if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
+ 		errExit("asprintf");
+ 	if (stat(dir1, &s) == -1) {
+-		int rv = mkdir(dir1, 0700);
+-		if (rv == 0) {
+-			rv = chown(dir1, getuid(), getgid());
+-			(void) rv;
+-			rv = chmod(dir1, 0700);
+-			(void) rv;
++		pid_t child = fork();
++		if (child < 0)
++			errExit("fork");
++		if (child == 0) {
++			// drop privileges
++			drop_privs(0);
++	
++			int rv = mkdir(dir1, 0700);
++			if (rv == 0) {
++				rv = chown(dir1, getuid(), getgid());
++				(void) rv;
++				rv = chmod(dir1, 0700);
++				(void) rv;
++			}
++			_exit(0);
+ 		}
++		// wait for the child to finish
++		waitpid(child, NULL, 0);
+ 	}
+ 	else {
+ 		// make sure the directory is owned by the user
+--- a/src/firejail/util.c
++++ b/src/firejail/util.c
+@@ -179,14 +179,14 @@ int copy_file(const char *srcname, const
+ 	// open source
+ 	int src = open(srcname, O_RDONLY);
+ 	if (src < 0) {
+-		fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
++		fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
+ 		return -1;
+ 	}
+ 
+ 	// open destination
+ 	int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ 	if (dst < 0) {
+-		fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
++		fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
+ 		close(src);
+ 		return -1;
+ 	}

firejail.changes

@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu Jan  5 10:38:43 CET 2017 - tiwai@suse.de
+
+- Update to version 0.9.44.2:
+  Security fixes:
+  * overwrite /etc/resolv.conf found by Martin Carpenter
+  * TOCTOU exploit for –get and –put found by Daniel Hodson
+  * invalid environment exploit found by Martin Carpenter
+  * several security enhancements
+  Bugfixes:
+  * crashing VLC by pressing Ctrl-O
+  * use user configured icons in KDE
+  * mkdir and mkfile are not applied to private directories
+  * cannot open files on Deluge running under KDE
+  * –private=dir where dir is the user home directory
+  * cannot start Vivaldi browser
+  * cannot start mupdf
+  * ssh profile problems
+  * –quiet
+  * quiet in git profile
+  * memory corruption
+- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
+  firejail-CVE-2017-5180-fix1.patch
+  firejail-CVE-2017-5180-fix2.patch
+
 -------------------------------------------------------------------
 Thu Oct 27 17:49:48 CEST 2016 - tiwai@suse.de
 

firejail.spec

@@ -17,7 +17,7 @@
 
 
 Name:           firejail
-Version:        0.9.44
+Version:        0.9.44.2
 Release:        0
 Summary:        Linux namepaces sandbox program
 License:        GPL-2.0
@@ -25,6 +25,8 @@ Group:          Productivity/Security
 Url:            https://firejail.wordpress.com/
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}.rpmlintrc
+Patch1:         firejail-CVE-2017-5180-fix1.patch
+Patch2:         firejail-CVE-2017-5180-fix2.patch
 BuildRequires:  libapparmor-devel
 BuildRequires:  gcc-c++
 Requires(pre):  permissions
@@ -40,6 +42,8 @@ Linux namespace support. It supports sandboxing specific users upon login.
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 
 %build
 %configure --docdir=%{_docdir}/%{name} \