Accepting request 825005 from Virtualization

- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986 OBS-URL: https://build.opensuse.org/request/show/825005 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firejail?expand=0&rev=7
2020-08-10 12:57:56 +00:00 · 2020-08-10 12:57:56 +00:00 · a2f2028508
commit a2f2028508
parent a0a118038b 20cd8acbae
4 changed files with 167 additions and 0 deletions
--- a/firejail.changes
+++ b/firejail.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Sat Aug  8 16:56:43 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>
+
+- Add patches fix-CVE-2020-17367.patch and fix-CVE-2020-17368.patch to fix CVE-2020-17367 and CVE-2020-17368 and boo#1174986
+
 -------------------------------------------------------------------
 Wed Apr 29 11:30:38 UTC 2020 - Michael Vetter <mvetter@suse.com>

--- a/firejail.spec
+++ b/firejail.spec
@ -27,6 +27,10 @@ Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.
 Source1:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
 # PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file
 Patch0:         firejail-0.9.62-fix-usr-etc.patch
+# PATHCH-FIX-UPSTREAM fix-CVE-2020-17367 -- fixes boo#1174986
+Patch1:         https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch#/fix-CVE-2020-17367.patch
+# PATHCH-FIX-UPSTREAM fix-CVE-2020-17368 -- fixes boo#1174986
+Patch2:         https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch#/fix-CVE-2020-17368.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libapparmor-devel
@ -45,6 +49,8 @@ Linux namespace support. It supports sandboxing specific users upon login.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py

 %build
--- a/fix-CVE-2020-17367.patch
+++ b/fix-CVE-2020-17367.patch
@ -0,0 +1,35 @@
+From 2c734d6350ad321fccbefc5ef0382199ac331b37 Mon Sep 17 00:00:00 2001
+From: Reiner Herrmann <reiner@reiner-h.de>
+Date: Wed, 29 Jul 2020 20:16:16 +0200
+Subject: [PATCH] firejail: don't interpret output arguments after
+ end-of-options tag
+
+Firejail was parsing --output and --output-stderr options even after
+the end-of-options separator ("--"), which would allow someone who
+has control over command line options of the sandboxed application,
+to write data to a specified file.
+
+Fixes: CVE-2020-17367
+
+Reported-by: Tim Starling <tstarling@wikimedia.org>
+---
+ src/firejail/output.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/firejail/output.c b/src/firejail/output.c
+index d4a7f464a..6e678afd3 100644
+--- a/src/firejail/output.c
+++ b/src/firejail/output.c
+@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) {
+ 	int enable_stderr = 0;
+ 
+ 	for (i = 1; i < argc; i++) {
+		if (strncmp(argv[i], "--", 2) != 0) {
+			return;
+		}
+		if (strcmp(argv[i], "--") == 0) {
+			return;
+		}
+ 		if (strncmp(argv[i], "--output=", 9) == 0) {
+ 			outindex = i;
+ 			break;
--- a/fix-CVE-2020-17368.patch
+++ b/fix-CVE-2020-17368.patch
@ -0,0 +1,121 @@
+From 34193604fed04cad2b7b6b0f1a3a0428afd9ed5b Mon Sep 17 00:00:00 2001
+From: Reiner Herrmann <reiner@reiner-h.de>
+Date: Wed, 29 Jul 2020 20:22:52 +0200
+Subject: [PATCH] firejail: don't pass command line through shell when
+ redirecting output
+
+When redirecting output via --output or --output-stderr, firejail was
+concatenating all command line arguments into a single string
+that was passed to a shell. As the arguments were no longer escaped,
+the shell was able to interpret them.
+Someone who has control over the command line arguments of the
+sandboxed application could use this to run arbitrary other commands.
+
+Instead of passing it through a shell for piping the output to ftee,
+the pipeline is now manually created and the processes are executed
+directly.
+
+Fixes: CVE-2020-17368
+
+Reported-by: Tim Starling <tstarling@wikimedia.org>
+---
+ src/firejail/output.c | 80 +++++++++++++++++++++++++++++--------------
+ 1 file changed, 54 insertions(+), 26 deletions(-)
+
+diff --git a/src/firejail/output.c b/src/firejail/output.c
+index 6e678afd3..0e961bb61 100644
+--- a/src/firejail/output.c
+++ b/src/firejail/output.c
+@@ -77,38 +77,66 @@ void check_output(int argc, char **argv) {
+ 		}
+ 	}
+ 
+-	// build the new command line
+-	int len = 0;
+-	for (i = 0; i < argc; i++) {
+-		len += strlen(argv[i]) + 1; // + ' '
+	int pipefd[2];
+	if (pipe(pipefd) == -1) {
+		errExit("pipe");
+ 	}
+-	len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
+ 
+-	char *cmd = malloc(len + 1); // + '\0'
+-	if (!cmd)
+-		errExit("malloc");
+	pid_t pid = fork();
+	if (pid == -1) {
+		errExit("fork");
+	} else if (pid == 0) {
+		/* child */
+		if (dup2(pipefd[0], STDIN_FILENO) == -1) {
+			errExit("dup2");
+		}
+		close(pipefd[1]);
+		if (pipefd[0] != STDIN_FILENO) {
+			close(pipefd[0]);
+		}
+ 
+-	char *ptr = cmd;
+-	for (i = 0; i < argc; i++) {
+-		if (strncmp(argv[i], "--output=", 9) == 0)
+-			continue;
+-		if (strncmp(argv[i], "--output-stderr=", 16) == 0)
+-			continue;
+-		ptr += sprintf(ptr, "%s ", argv[i]);
+		char *args[3];
+		args[0] = LIBDIR "/firejail/ftee";
+		args[1] = outfile;
+		args[2] = NULL;
+		execv(args[0], args);
+		perror("execvp");
+		exit(1);
+ 	}
+ 
+-	if (enable_stderr)
+-		sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
+-	else
+-		sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
+	/* parent */
+	if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
+		errExit("dup2");
+	}
+	if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) {
+		errExit("dup2");
+	}
+	close(pipefd[0]);
+	if (pipefd[1] != STDOUT_FILENO) {
+		close(pipefd[1]);
+	}
+ 
+-	// run command
+-	char *a[4];
+-	a[0] = "/bin/bash";
+-	a[1] = "-c";
+-	a[2] = cmd;
+-	a[3] = NULL;
+-	execvp(a[0], a);
+	char **args = calloc(argc + 1, sizeof(char *));
+	if (!args) {
+		errExit("calloc");
+	}
+	bool found_separator = false;
+	/* copy argv into args, but drop --output(-stderr) arguments */
+	for (int i = 0, j = 0; i < argc; i++) {
+		if (!found_separator && i > 0) {
+			if (strncmp(argv[i], "--output=", 9) == 0) {
+				continue;
+			}
+			if (strncmp(argv[i], "--output-stderr=", 16) == 0) {
+				continue;
+			}
+			if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) {
+				found_separator = true;
+			}
+		}
+		args[j++] = argv[i];
+	}
+	execvp(args[0], args);
+ 
+ 	perror("execvp");
+ 	exit(1);