Accepting request 827727 from Virtualization

OBS-URL: https://build.opensuse.org/request/show/827727 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firejail?expand=0&rev=8
2020-08-19 16:54:50 +00:00 · 2020-08-19 16:54:50 +00:00 · 845ba07aea
commit 845ba07aea
parent a2f2028508 30f9931e5a
8 changed files with 33 additions and 178 deletions
--- a/firejail-0.9.62.4.tar.xz
+++ b/firejail-0.9.62.4.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a2738bded0d4c96ea17094dacdba175516a193d50ce3e743fce7ac1ade7260c
+size 382780
--- a/firejail-0.9.62.4.tar.xz.asc
+++ b/firejail-0.9.62.4.tar.xz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl86gd4ACgkQLMs2rfxY
+SadQgAf+PMlVCZ+CYNxPoKVV+iXntZTbYrHkfcofVqY4A6ADKUelDb/BEHuuoR5R
+92FMUnN3bh11sMG/NAwqOX5kCNtl33EMYf9xv5dVAf/H5GZjNjYak93Lpu9wJFOD
+NWSAqIqEEWzCov5mJ5+yLdtCJ+Cvx7cMrumod26MzFnGVxXXGvaq8mljGQt7Muxy
+pVEyDwcHIjKKYjSvzP3o1038NuI8My9Gl7Wz/ZCGhkUL1j9u0kYktk7gt3/fE/ju
+QM3f7ZmCsJIrCmHF++3Va1a/U3z6UQaxNTmJ0XyqqzdZ6xv1+WuGXPAfwgdLaxht
+RxipeRnr6o/MaeNGOGPNhiNF+4vY4A==
+=A5n+
+-----END PGP SIGNATURE-----
--- a/firejail-0.9.62.tar.xz
+++ b/firejail-0.9.62.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0568081ce950c5240e1b2fca7014b798f589657249e17283a14e20e41f8d5ae0
-size 383760
--- a/firejail-0.9.62.tar.xz.asc
+++ b/firejail-0.9.62.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEE+VEWSZX1xABqc0EeLMs2rfxYSacFAl4I7awACgkQLMs2rfxY
-Safs/wf/dNChQ4y4HnL8syZK/+Q4lO1MDQ/e1F64CnO5m4qha/o7KAmug+b5Gdqx
-WUlX9sUuC0QpIqTem04Kz8/W7JBY0zR08Zxr5JQxIcxIWsxeat/xS4RAdygJP5on
-OTrN8dl1sf46BosO5KhKhg3l96d22vvHB+WW5k0+DrTCATQ2kE5ZNOAEKdXyRLm1
-8M/cZrdKsm6lNBQUabua1CEOCNBTGysMeVRx13gkMpDNpNurBFgyxmGKmdUyVvZz
-KpCsQMBLzPcK9cYrsMgc30ObSbThc+pFLgu4X6DgRgj6jNSCwiWaGQGPtvvDz3aV
-T/07J6CZXgjxFgrCdXdgDSdo4S5fbw==
-=twT2
-----END PGP SIGNATURE-----
--- a/firejail.changes
+++ b/firejail.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Aug 19 06:15:16 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 0.9.62.4
+  * fix AppArmor broken in the previous release
+  * miscellaneous fixes
+
+-------------------------------------------------------------------
+Thu Aug 13 06:13:57 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 0.9.62.2
+  * fix CVE-2020-17367
+  * fix CVE-2020-17368
+  * additional hardening and bug fixes
+- Remove fix-CVE-2020-17368.patch
+- Remove fix-CVE-2020-17367.patch
+
 -------------------------------------------------------------------
 Sat Aug  8 16:56:43 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>

--- a/firejail.spec
+++ b/firejail.spec
@ -17,7 +17,7 @@


 Name:           firejail
-Version:        0.9.62
+Version:        0.9.62.4
 Release:        0
 Summary:        Linux namepaces sandbox program
 License:        GPL-2.0-only
@ -27,10 +27,6 @@ Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.
 Source1:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
 # PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file
 Patch0:         firejail-0.9.62-fix-usr-etc.patch
-# PATHCH-FIX-UPSTREAM fix-CVE-2020-17367 -- fixes boo#1174986
-Patch1:         https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch#/fix-CVE-2020-17367.patch
-# PATHCH-FIX-UPSTREAM fix-CVE-2020-17368 -- fixes boo#1174986
-Patch2:         https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch#/fix-CVE-2020-17368.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libapparmor-devel
@ -49,8 +45,6 @@ Linux namespace support. It supports sandboxing specific users upon login.
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
 sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py

 %build
@ -84,7 +78,7 @@ exit 0
 %dir %{_sysconfdir}/%{name}
 %config %{_sysconfdir}/%{name}/*
 %config %{_sysconfdir}/apparmor.d/firejail-default
-%config %{_sysconfdir}/apparmor.d/local/firejail-local
+%config %{_sysconfdir}/apparmor.d/local/firejail-default
 %dir %{_sysconfdir}/apparmor.d
 %dir %{_sysconfdir}/apparmor.d/local

--- a/fix-CVE-2020-17367.patch
+++ b/fix-CVE-2020-17367.patch
@ -1,35 +0,0 @@
-From 2c734d6350ad321fccbefc5ef0382199ac331b37 Mon Sep 17 00:00:00 2001
-From: Reiner Herrmann <reiner@reiner-h.de>
-Date: Wed, 29 Jul 2020 20:16:16 +0200
-Subject: [PATCH] firejail: don't interpret output arguments after
- end-of-options tag
-
-Firejail was parsing --output and --output-stderr options even after
-the end-of-options separator ("--"), which would allow someone who
-has control over command line options of the sandboxed application,
-to write data to a specified file.
-
-Fixes: CVE-2020-17367
-
-Reported-by: Tim Starling <tstarling@wikimedia.org>
---
- src/firejail/output.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/firejail/output.c b/src/firejail/output.c
-index d4a7f464a..6e678afd3 100644
--- a/src/firejail/output.c
-+++ b/src/firejail/output.c
-@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) {
- 	int enable_stderr = 0;
- 
- 	for (i = 1; i < argc; i++) {
-+		if (strncmp(argv[i], "--", 2) != 0) {
-+			return;
-+		}
-+		if (strcmp(argv[i], "--") == 0) {
-+			return;
-+		}
- 		if (strncmp(argv[i], "--output=", 9) == 0) {
- 			outindex = i;
- 			break;
--- a/fix-CVE-2020-17368.patch
+++ b/fix-CVE-2020-17368.patch
@ -1,121 +0,0 @@
-From 34193604fed04cad2b7b6b0f1a3a0428afd9ed5b Mon Sep 17 00:00:00 2001
-From: Reiner Herrmann <reiner@reiner-h.de>
-Date: Wed, 29 Jul 2020 20:22:52 +0200
-Subject: [PATCH] firejail: don't pass command line through shell when
- redirecting output
-
-When redirecting output via --output or --output-stderr, firejail was
-concatenating all command line arguments into a single string
-that was passed to a shell. As the arguments were no longer escaped,
-the shell was able to interpret them.
-Someone who has control over the command line arguments of the
-sandboxed application could use this to run arbitrary other commands.
-
-Instead of passing it through a shell for piping the output to ftee,
-the pipeline is now manually created and the processes are executed
-directly.
-
-Fixes: CVE-2020-17368
-
-Reported-by: Tim Starling <tstarling@wikimedia.org>
---
- src/firejail/output.c | 80 +++++++++++++++++++++++++++++--------------
- 1 file changed, 54 insertions(+), 26 deletions(-)
-
-diff --git a/src/firejail/output.c b/src/firejail/output.c
-index 6e678afd3..0e961bb61 100644
--- a/src/firejail/output.c
-+++ b/src/firejail/output.c
-@@ -77,38 +77,66 @@ void check_output(int argc, char **argv) {
- 		}
- 	}
- 
-	// build the new command line
-	int len = 0;
-	for (i = 0; i < argc; i++) {
-		len += strlen(argv[i]) + 1; // + ' '
-+	int pipefd[2];
-+	if (pipe(pipefd) == -1) {
-+		errExit("pipe");
- 	}
-	len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
- 
-	char *cmd = malloc(len + 1); // + '\0'
-	if (!cmd)
-		errExit("malloc");
-+	pid_t pid = fork();
-+	if (pid == -1) {
-+		errExit("fork");
-+	} else if (pid == 0) {
-+		/* child */
-+		if (dup2(pipefd[0], STDIN_FILENO) == -1) {
-+			errExit("dup2");
-+		}
-+		close(pipefd[1]);
-+		if (pipefd[0] != STDIN_FILENO) {
-+			close(pipefd[0]);
-+		}
- 
-	char *ptr = cmd;
-	for (i = 0; i < argc; i++) {
-		if (strncmp(argv[i], "--output=", 9) == 0)
-			continue;
-		if (strncmp(argv[i], "--output-stderr=", 16) == 0)
-			continue;
-		ptr += sprintf(ptr, "%s ", argv[i]);
-+		char *args[3];
-+		args[0] = LIBDIR "/firejail/ftee";
-+		args[1] = outfile;
-+		args[2] = NULL;
-+		execv(args[0], args);
-+		perror("execvp");
-+		exit(1);
- 	}
- 
-	if (enable_stderr)
-		sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
-	else
-		sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
-+	/* parent */
-+	if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
-+		errExit("dup2");
-+	}
-+	if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) {
-+		errExit("dup2");
-+	}
-+	close(pipefd[0]);
-+	if (pipefd[1] != STDOUT_FILENO) {
-+		close(pipefd[1]);
-+	}
- 
-	// run command
-	char *a[4];
-	a[0] = "/bin/bash";
-	a[1] = "-c";
-	a[2] = cmd;
-	a[3] = NULL;
-	execvp(a[0], a);
-+	char **args = calloc(argc + 1, sizeof(char *));
-+	if (!args) {
-+		errExit("calloc");
-+	}
-+	bool found_separator = false;
-+	/* copy argv into args, but drop --output(-stderr) arguments */
-+	for (int i = 0, j = 0; i < argc; i++) {
-+		if (!found_separator && i > 0) {
-+			if (strncmp(argv[i], "--output=", 9) == 0) {
-+				continue;
-+			}
-+			if (strncmp(argv[i], "--output-stderr=", 16) == 0) {
-+				continue;
-+			}
-+			if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) {
-+				found_separator = true;
-+			}
-+		}
-+		args[j++] = argv[i];
-+	}
-+	execvp(args[0], args);
- 
- 	perror("execvp");
- 	exit(1);