Your message dated Wed, 29 May 2019 19:33:31 +0000
with message-id <[email protected]>
and subject line Bug#929732: fixed in firejail 0.9.58.2-2
has caused the Debian Bug report #929732,
regarding firejail: seccomp bypass when joining jails
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
929732: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929732
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: firejail
Version: 0.9.52-1
Severity: critical
Tags: security upstream pending fixed-upstream
Forwarded: https://github.com/netblue30/firejail/issues/2718
X-Debbugs-CC: [email protected]
A bug in firejail allows bypassing seccomp protection when
an existing jail is joined with another one [2].
Upstream description [0]:
> Seccomp filters are copied into /run/firejail/mnt, and are writable
> within the jail. A malicious process can modify files from inside the
> jail. Processes that are later joined to the jail will not have seccomp
> filters applied.
A fix is available [1] and also released in the new upstream version 0.9.60.
I will upload a backported fix to 0.9.58.2-1 to unstable soon.
The earliest acknowledged version that is affected is 0.9.52 (upstream
provides a patch for this version in [0]), but likely earlier versions
are affected as well.
According to [2], a CVE number has been requested.
[0]
https://github.com/netblue30/firejail/commit/30f6000e72bd8d9eee6a0d2e700d69ed9be3aa29
[1]
https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
[2] https://github.com/netblue30/firejail/issues/2718
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: firejail
Source-Version: 0.9.58.2-2
We believe that the bug you reported is fixed in the latest version of
firejail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reiner Herrmann <[email protected]> (supplier of updated firejail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 May 2019 21:06:42 +0200
Source: firejail
Architecture: source
Version: 0.9.58.2-2
Distribution: unstable
Urgency: high
Maintainer: Reiner Herrmann <[email protected]>
Changed-By: Reiner Herrmann <[email protected]>
Closes: 929732 929733
Changes:
firejail (0.9.58.2-2) unstable; urgency=high
.
* Cherry-pick security fix for seccomp bypass issue. (Closes: #929732)
Seccomp filters were writable inside the jail, so they could be
overwritten/truncated. Another jail that was then joined with the first
one, had no seccomp filters applied.
* Cherry-pick security fix for binary truncation issue. (Closes: #929733)
When the jailed program was running as root, and firejail was killed
from the outside (as root), the jailed program had the possibility to
truncate the firejail binary outside the jail.
Checksums-Sha1:
465593c08200ef411ce2efb628b62bd80e3b7cb8 2489 firejail_0.9.58.2-2.dsc
62daa05a45c60c10b94fc3d03d29b4281a2d0713 13356
firejail_0.9.58.2-2.debian.tar.xz
3afaf6ed7398611e20e6124c232f360eb0ea056f 5561
firejail_0.9.58.2-2_source.buildinfo
Checksums-Sha256:
088a95f3ba986b97183b2654817e74c4c8659d9a9ad4a99dacfd8da74f48c73d 2489
firejail_0.9.58.2-2.dsc
1e8aad6ea5cebea03fd96016a2d5be69c8b9fc72c782adf168d0dcdad8cc264e 13356
firejail_0.9.58.2-2.debian.tar.xz
a532acf96c3d07ab05b0c001139d1e611a4d96ddb50d674ab71eb35964b2ea84 5561
firejail_0.9.58.2-2_source.buildinfo
Files:
ecd8954cef22c1e8867682515b87c8fb 2489 utils optional firejail_0.9.58.2-2.dsc
c54b379a0c10cb43da7db1ad7da49edb 13356 utils optional
firejail_0.9.58.2-2.debian.tar.xz
780d17157665f16ab58ff60cd549950d 5561 utils optional
firejail_0.9.58.2-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE2Pb6feok2Q1urHM7zPBJKNsO6qcFAlzu2HAACgkQzPBJKNsO
6qew+w/+K3a5QQEFz5LRCJmukcWivg/lYjTqLdbeRz2tseSK1J2SVmLgFCWDbh7f
PXfKhnE28FvyPYNbDOFNVF72s9xlE4YgDMqLco8mLVtqlkLEGVGSv3ba3lDZ/GNt
QpSaqMYpSrg+QxfxOdmfZf/OTB+hwc52EIT4YQl8qA968ml5SlyBZyEZbF3VneJm
0FfctbHdJQO02v6pyXKI4ZSHsGLPE30A/5vwz7G9qr3fITAKn/V4ZhdBvH7hQPiZ
oCRl3M06PSaVw0l9OdbKJU+gRwXUVcVw0A5iyUEWVo8+Tzc9qaIXKujsXW5Wp97a
8tevQoU8yvO5gGggh+0FUVt8REm4yzuHg2aaLI4ymEq7dsHLKmAj4TIulUnYuPGL
1qk7c2Pjpb+F9wIqkzCKqND/VA7vLfhho6Rxv/ZtwXaJV3zGa+/rCAYlbBYgeh7a
GJjjmitcSbWutBrdKTB6cnGT7dPmDcCNwRhSO9fNwJzeUjnM6wALyvVQ8BepuXII
m9z9a8viE0i2l+Ka72Bu25QFCTsW5s93GO/W4ruw60/dgVOZmr4pNYEi2PB4eHuv
D8Uj8jk2hgcuuKgkLbZ0mqA6jEqpUnY3nUHnX84qpUD2fuOwcW6H7lfwDK+yY21s
JbLb1SMxxrDywHJrrHUYPESWfMiKpa0DgZj4B4mrFGqJ0uQLigY=
=3Unw
-----END PGP SIGNATURE-----
--- End Message ---
