- Update to version 0.9.44.4:

* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) * disabled --allow-debuggers when running on kernel versions prior to 4.8; a kernel bug in ptrace system call allows a full bypass of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206) * root exploit found by Sebastian Krahmer (CVE-2017-5180) - Update to version 0.9.44.6: * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week * major cleanup of file copying code * tightening the rules for --chroot and --overlay features * ported Gentoo compile patch * Nvidia drivers bug in --private-dev * fix ASSERT_PERMS_FD macro * allow local customization using .local files under /etc/firejail backported from our development branch * spoof machine-id backported from our development branch - Remove obsoleted patches: firejail-CVE-2017-5180-fix1.patch firejail-CVE-2017-5180-fix2.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=6
2017-01-16 15:36:03 +00:00 · 2017-01-16 15:36:03 +00:00 · f1a8cd5699
commit f1a8cd5699
parent 7a7ff5e7fe
6 changed files with 27 additions and 348 deletions
--- a/firejail-0.9.44.2.tar.xz
+++ b/firejail-0.9.44.2.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:c5adef1943daa33049c4c39e5a19a0d02b897f1b1581be094ec600490dde8851
 size 213092
--- a/firejail-0.9.44.6.tar.xz
+++ b/firejail-0.9.44.6.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:6f7b1c3e497d90a5ed21465991727a8099af3839b8642cc17c0664962cd55787
 size 214564
--- a/firejail-CVE-2017-5180-fix1.patch
+++ b/firejail-CVE-2017-5180-fix1.patch
@ -1,72 +0,0 @@
 From 60d4b478f65c60bcc825bb56f85fd6c4fd48b250 Mon Sep 17 00:00:00 2001
 From: netblue30 <netblue30@yahoo.com>
 Date: Wed, 4 Jan 2017 11:59:46 -0500
 Subject: [PATCH] security fix
 ---
 src/firejail/fs_home.c    |   14 ++++++++++++++
 src/firejail/pulseaudio.c |   15 +++++++++++++++
 2 files changed, 29 insertions(+)
 --- a/src/firejail/fs_home.c
 +++ b/src/firejail/fs_home.c
@@ -171,6 +171,13 @@ static void copy_xauthority(void) {
 	char *dest;
 	if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
 		errExit("asprintf");
 +	
 +	// if destination is a symbolic link, exit the sandbox!!!
 +	if (is_link(dest)) {
 +		fprintf(stderr, "Error: %s is a symbolic link\n", dest);
 +		exit(1);
 +	}
 +
 	// copy, set permissions and ownership
 	int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
 	if (rv)
@@ -189,6 +196,13 @@ static void copy_asoundrc(void) {
 	char *dest;
 	if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
 		errExit("asprintf");
 +	
 +	// if destination is a symbolic link, exit the sandbox!!!
 +	if (is_link(dest)) {
 +		fprintf(stderr, "Error: %s is a symbolic link\n", dest);
 +		exit(1);
 +	}
 +
 	// copy, set permissions and ownership
 	int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
 	if (rv)
 --- a/src/firejail/pulseaudio.c
 +++ b/src/firejail/pulseaudio.c
@@ -138,7 +138,15 @@ void pulseaudio_init(void) {
 			(void) rv;
 		}
 	}
 +	else {
 +		// make sure the directory is owned by the user
 +		if (s.st_uid != getuid()) {
 +			fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
 +			exit(1);
 +		}
 +	}
 	free(dir1);
 +	
 	if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
 		errExit("asprintf");
 	if (stat(dir1, &s) == -1) {
@@ -150,6 +158,13 @@ void pulseaudio_init(void) {
 			(void) rv;
 		}
 	}
 +	else {
 +		// make sure the directory is owned by the user
 +		if (s.st_uid != getuid()) {
 +			fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
 +			exit(1);
 +		}
 +	}
 	free(dir1);
--- a/firejail-CVE-2017-5180-fix2.patch
+++ b/firejail-CVE-2017-5180-fix2.patch
@ -1,268 +0,0 @@
 From e74fdab5d2125ce8f058c1630ce7cce19cbdac16 Mon Sep 17 00:00:00 2001
 From: netblue30 <netblue30@yahoo.com>
 Date: Wed, 4 Jan 2017 18:13:45 -0500
 Subject: [PATCH] security fixes
 ---
 src/firejail/fs_home.c    |  118 +++++++++++++++++++++++++++++++++++++---------
 src/firejail/pulseaudio.c |   47 +++++++++++++-----
 src/firejail/util.c       |    4 -
 3 files changed, 134 insertions(+), 35 deletions(-)
 --- a/src/firejail/fs_home.c
 +++ b/src/firejail/fs_home.c
@@ -108,6 +108,14 @@ static int store_xauthority(void) {
 	char *src;
 	char *dest = RUN_XAUTHORITY_FILE;
 +	// create an empty file 
 +	FILE *fp = fopen(dest, "w");
 +	if (fp) {
 +		fprintf(fp, "\n");
 +		SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
 +		fclose(fp);
 +	}
 +	
 	if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
 		errExit("asprintf");
@@ -117,12 +125,28 @@ static int store_xauthority(void) {
 			fprintf(stderr, "Warning: invalid .Xauthority file\n");
 			return 0;
 		}
 -			
 -		int rv = copy_file(src, dest, -1, -1, 0600);
 -		if (rv) {
 -			fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
 -			return 0;
 +
 +		pid_t child = fork();
 +		if (child < 0)
 +			errExit("fork");
 +		if (child == 0) {
 +			// drop privileges
 +			drop_privs(0);
 +	
 +			// copy, set permissions and ownership
 +			int rv = copy_file(src, dest, getuid(), getgid(), 0600);
 +			if (rv)
 +				fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
 +			else {
 +				fs_logger2("clone", dest);
 +			}
 +#ifdef HAVE_GCOV
 +			__gcov_flush();
 +#endif
 +			_exit(0);
 		}
 +		// wait for the child to finish
 +		waitpid(child, NULL, 0);
 		return 1; // file copied
 	}
@@ -135,6 +159,14 @@ static int store_asoundrc(void) {
 	char *src;
 	char *dest = RUN_ASOUNDRC_FILE;
 +	// create an empty file 
 +	FILE *fp = fopen(dest, "w");
 +	if (fp) {
 +		fprintf(fp, "\n");
 +		SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
 +		fclose(fp);
 +	}
 +	
 	if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
 		errExit("asprintf");
@@ -154,11 +186,27 @@ static int store_asoundrc(void) {
 			free(rp);
 		}
 -		int rv = copy_file(src, dest, -1, -1, -0644);
 -		if (rv) {
 -			fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
 -			return 0;
 +		pid_t child = fork();
 +		if (child < 0)
 +			errExit("fork");
 +		if (child == 0) {
 +			// drop privileges
 +			drop_privs(0);
 +	
 +			// copy, set permissions and ownership
 +			int rv = copy_file(src, dest, getuid(), getgid(), 0644);
 +			if (rv)
 +				fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
 +			else {
 +				fs_logger2("clone", dest);
 +			}
 +#ifdef HAVE_GCOV
 +			__gcov_flush();
 +#endif
 +			_exit(0);
 		}
 +		// wait for the child to finish
 +		waitpid(child, NULL, 0);
 		return 1; // file copied
 	}
@@ -178,13 +226,27 @@ static void copy_xauthority(void) {
 		exit(1);
 	}
 -	// copy, set permissions and ownership
 -	int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
 -	if (rv)
 -		fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
 -	else {
 -		fs_logger2("clone", dest);
 +	pid_t child = fork();
 +	if (child < 0)
 +		errExit("fork");
 +	if (child == 0) {
 +		// drop privileges
 +		drop_privs(0);
 +
 +		// copy, set permissions and ownership
 +		int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
 +		if (rv)
 +			fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
 +		else {
 +			fs_logger2("clone", dest);
 +		}
 +#ifdef HAVE_GCOV
 +		__gcov_flush();
 +#endif
 +		_exit(0);
 	}
 +	// wait for the child to finish
 +	waitpid(child, NULL, 0);
 	// delete the temporary file
 	unlink(src);
@@ -203,13 +265,27 @@ static void copy_asoundrc(void) {
 		exit(1);
 	}
 -	// copy, set permissions and ownership
 -	int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
 -	if (rv)
 -		fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
 -	else {
 -		fs_logger2("clone", dest);
 +	pid_t child = fork();
 +	if (child < 0)
 +		errExit("fork");
 +	if (child == 0) {
 +		// drop privileges
 +		drop_privs(0);
 +
 +		// copy, set permissions and ownership
 +		int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
 +		if (rv)
 +			fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
 +		else {
 +			fs_logger2("clone", dest);
 +		}
 +#ifdef HAVE_GCOV
 +		__gcov_flush();
 +#endif
 +		_exit(0);
 	}
 +	// wait for the child to finish
 +	waitpid(child, NULL, 0);
 	// delete the temporary file
 	unlink(src);
 --- a/src/firejail/pulseaudio.c
 +++ b/src/firejail/pulseaudio.c
@@ -21,6 +21,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
 +#include <sys/wait.h>
 #include <dirent.h>
 static void disable_file(const char *path, const char *file) {
@@ -130,13 +131,24 @@ void pulseaudio_init(void) {
 	if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
 		errExit("asprintf");
 	if (stat(dir1, &s) == -1) {
 -		int rv = mkdir(dir1, 0755);
 -		if (rv == 0) {
 -			rv = chown(dir1, getuid(), getgid());
 -			(void) rv;
 -			rv = chmod(dir1, 0755);
 -			(void) rv;
 +		pid_t child = fork();
 +		if (child < 0)
 +			errExit("fork");
 +		if (child == 0) {
 +			// drop privileges
 +			drop_privs(0);
 +	
 +			int rv = mkdir(dir1, 0755);
 +			if (rv == 0) {
 +				rv = chown(dir1, getuid(), getgid());
 +				(void) rv;
 +				rv = chmod(dir1, 0755);
 +				(void) rv;
 +			}
 +			_exit(0);
 		}
 +		// wait for the child to finish
 +		waitpid(child, NULL, 0);
 	}
 	else {
 		// make sure the directory is owned by the user
@@ -150,13 +162,24 @@ void pulseaudio_init(void) {
 	if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
 		errExit("asprintf");
 	if (stat(dir1, &s) == -1) {
 -		int rv = mkdir(dir1, 0700);
 -		if (rv == 0) {
 -			rv = chown(dir1, getuid(), getgid());
 -			(void) rv;
 -			rv = chmod(dir1, 0700);
 -			(void) rv;
 +		pid_t child = fork();
 +		if (child < 0)
 +			errExit("fork");
 +		if (child == 0) {
 +			// drop privileges
 +			drop_privs(0);
 +	
 +			int rv = mkdir(dir1, 0700);
 +			if (rv == 0) {
 +				rv = chown(dir1, getuid(), getgid());
 +				(void) rv;
 +				rv = chmod(dir1, 0700);
 +				(void) rv;
 +			}
 +			_exit(0);
 		}
 +		// wait for the child to finish
 +		waitpid(child, NULL, 0);
 	}
 	else {
 		// make sure the directory is owned by the user
 --- a/src/firejail/util.c
 +++ b/src/firejail/util.c
@@ -179,14 +179,14 @@ int copy_file(const char *srcname, const
 	// open source
 	int src = open(srcname, O_RDONLY);
 	if (src < 0) {
 -		fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
 +		fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
 		return -1;
 	}
 	// open destination
 	int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 	if (dst < 0) {
 -		fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
 +		fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
 		close(src);
 		return -1;
 	}
--- a/firejail.changes
+++ b/firejail.changes
@ -1,3 +1,26 @@
 -------------------------------------------------------------------
 Mon Jan 16 16:33:59 CET 2017 - tiwai@suse.de
 - Update to version 0.9.44.4:
  * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * disabled --allow-debuggers when running on kernel versions prior
    to 4.8; a kernel bug in ptrace system call allows a full bypass
    of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  * root exploit found by Sebastian Krahmer (CVE-2017-5180)
 - Update to version 0.9.44.6:
  * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * major cleanup of file copying code
  * tightening the rules for --chroot and --overlay features
  * ported Gentoo compile patch
  * Nvidia drivers bug in --private-dev
  * fix ASSERT_PERMS_FD macro
  * allow local customization using .local files under /etc/firejail
    backported from our development branch
  * spoof machine-id backported from our development branch
 - Remove obsoleted patches:
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch
 -------------------------------------------------------------------
 Thu Jan  5 10:38:43 CET 2017 - tiwai@suse.de
--- a/firejail.spec
+++ b/firejail.spec
@ -17,7 +17,7 @@
 Name:           firejail
-Version:        0.9.44.2
+Version:        0.9.44.6
 Release:        0
 Summary:        Linux namepaces sandbox program
 License:        GPL-2.0
@ -25,8 +25,6 @@ Group:          Productivity/Security
 Url:            https://firejail.wordpress.com/
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}.rpmlintrc
 Patch1:         firejail-CVE-2017-5180-fix1.patch
 Patch2:         firejail-CVE-2017-5180-fix2.patch
 BuildRequires:  libapparmor-devel
 BuildRequires:  gcc-c++
 Requires(pre):  permissions
@ -42,8 +40,6 @@ Linux namespace support. It supports sandboxing specific users upon login.
 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
 %build
 %configure --docdir=%{_docdir}/%{name} \