Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package firejail.

firejail 0.9.44.4-1 contains fixes for 3 CVEs compared to the version in stretch (CVE-2017-5180, CVE-2017-5206, CVE-2017-5207). Please lower the migration time for it.

Kind regards,
Reiner

unblock firejail/0.9.44.4-1
diff -Nru firejail-0.9.44.2/configure firejail-0.9.44.4/configure --- firejail-0.9.44.2/configure 2016-12-02 14:18:09.000000000 +0100 +++ firejail-0.9.44.4/configure 2017-01-07 13:58:37.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44.2. +# Generated by GNU Autoconf 2.69 for firejail 0.9.44.4. # # Report bugs to <netblu...@yahoo.com>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44.2' -PACKAGE_STRING='firejail 0.9.44.2' +PACKAGE_VERSION='0.9.44.4' +PACKAGE_STRING='firejail 0.9.44.4' PACKAGE_BUGREPORT='netblu...@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44.2 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.44.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44.2:";; + short | recursive ) echo "Configuration of firejail 0.9.44.4:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44.2 +firejail configure 0.9.44.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44.2, which was +It was created by firejail $as_me 0.9.44.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -4303,7 +4303,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44.2, which was +This file was extended by firejail $as_me 0.9.44.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44.2 +firejail config.status 0.9.44.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru firejail-0.9.44.2/configure.ac firejail-0.9.44.4/configure.ac --- firejail-0.9.44.2/configure.ac 2016-12-02 14:17:36.000000000 +0100 +++ firejail-0.9.44.4/configure.ac 2017-01-07 13:57:38.000000000 +0100 @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44.2, netblu...@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.44.4, netblu...@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff -Nru firejail-0.9.44.2/debian/changelog firejail-0.9.44.4/debian/changelog --- firejail-0.9.44.2/debian/changelog 2016-12-04 21:44:08.000000000 +0100 +++ firejail-0.9.44.4/debian/changelog 2017-01-07 20:24:40.000000000 +0100 
@@ -1,3 +1,24 @@
+firejail (0.9.44.4-1) unstable; urgency=high
+
+ * New upstream release.
+ - Security fixes for: CVE-2017-5180, CVE-2017-5206, CVE-2017-5207
+ (Closes: #850528, #850558)
+ * Drop patches applied upstream.
+
+ -- Reiner Herrmann <rei...@reiner-h.de> Sat, 07 Jan 2017 20:24:40 +0100
+
+firejail (0.9.44.2-3) unstable; urgency=high
+
+ * Add followup fix for CVE-2017-5180 (Closes: #850160).
+
+ -- Reiner Herrmann <rei...@reiner-h.de> Fri, 06 Jan 2017 13:44:25 +0100
+
+firejail (0.9.44.2-2) unstable; urgency=high
+
+ * Add upstream fix for CVE-2017-5180 (Closes: #850160).
+
+ -- Reiner Herrmann <rei...@reiner-h.de> Wed, 04 Jan 2017 23:56:30 +0100
+
 firejail (0.9.44.2-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru firejail-0.9.44.2/platform/rpm/old-mkrpm.sh firejail-0.9.44.4/platform/rpm/old-mkrpm.sh
--- firejail-0.9.44.2/platform/rpm/old-mkrpm.sh 2016-12-03 20:14:29.000000000 +0100
+++ firejail-0.9.44.4/platform/rpm/old-mkrpm.sh 2017-01-07 17:43:11.000000000 +0100
@@ -1,5 +1,5 @@
 #!/bin/bash
-VERSION="0.9.44.2"
+VERSION="0.9.44.4"
 
 rm -fr ~/rpmbuild
 rm -f firejail-$VERSION-1.x86_64.rpm
@@ -458,6 +458,9 @@
 chmod u+s /usr/bin/firejail
 
 %changelog
+* Sat Jan 7 2017 netblue30 <netblu...@yahoo.com> 0.9.44.4-1
+ - security release
+
 * Sat Dec 3 2016 netblue30 <netblu...@yahoo.com> 0.9.44.2-1
 - bugfix release
 
diff -Nru firejail-0.9.44.2/RELNOTES firejail-0.9.44.4/RELNOTES
--- firejail-0.9.44.2/RELNOTES 2016-12-04 14:08:49.000000000 +0100
+++ firejail-0.9.44.4/RELNOTES 2017-01-07 17:52:27.000000000 +0100
@@ -1,7 +1,15 @@
+firejail (0.9.44.4) baseline; urgency=low
+ * security: --bandwidth root shell found by Martin Carpenter
+ * security: disabled --allow-debuggers when running on kernel
+ versions prior to 4.8; a kernel bug in ptrace system call
+ allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
+ * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
+ -- netblue30 <netblu...@yahoo.com> Sat, 7 Jan 2017 10:00:00 -0500
+
 firejail (0.9.44.2) baseline; urgency=low
- * security: overwrite /etc/resolv.conf found by Martin Carpenter
+ * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
 * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
- * security: invalid environment exploit found by Martin Carpenter
+ * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
 * security: several security enhancements
 * bugfix: crashing VLC by pressing Ctrl-O
 * bugfix: use user configured icons in KDE
@@ -17,7 +25,7 @@
 -- netblue30 <netblu...@yahoo.com> Fri, 2 Dec 2016 08:00:00 -0500
 
 firejail (0.9.44) baseline; urgency=low
- * CVE-2016-7545 submitted by Aleksey Manevich
+ * CVE-2016-9016 submitted by Aleksey Manevich
 * modifs: removed man firejail-config
 * modifs: --private-tmp whitelists /tmp/.X11-unix directory
 * modifs: Nvidia drivers added to --private-dev
@@ -124,6 +132,29 @@
 * bugfixes
 -- netblue30 <netblu...@yahoo.com> Sun, 29 May 2016 08:00:00 -0500
 
+firejail (0.9.38.8) baseline; urgency=low
+ * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
+ -- netblue30 <netblu...@yahoo.com> Sat, 7 Jan 2017 10:00:00 -0500
+
+firejail (0.9.38.6) baseline; urgency=low
+ * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
+ * bugfix: crashing VLC by pressing Ctrl-O
+ -- netblue30 <netblu...@yahoo.com> Fri, 16 Dec 2016 10:00:00 -0500
+
+firejail (0.9.38.4) baseline; urgency=low
+ * CVE-2016-7545 submitted by Aleksey Manevich
+ * bugfixes
+ -- netblue30 <netblu...@yahoo.com> Mon, 10 Oct 2016 10:00:00 -0500
+
+firejail (0.9.38.2) baseline; urgency=low
+ * security: --whitelist deleted files, submitted by Vasya Novikov
+ * security: disable x32 ABI, submitted by Jann Horn
+ * security: tighten --chroot, submitted by Jann Horn
+ * security: terminal sandbox escape, submitted by Stephan Sokolow
+ * feature: clean local overlay storage directory (--overlay-clean)
+ * bugfixes
+ -- netblue30 <netblu...@yahoo.com> Tue, 23 Aug 2016 10:00:00 -0500
+
 firejail (0.9.38) baseline; urgency=low
 * IPv6 support (--ip6 and --netfilter6)
 * --join command enhancement (--join-network, --join-filesystem)
@@ -134,11 +165,12 @@
 * added KMail, Seamonkey, Telegram, Mathematica, uGet,
 * and mupen64plus profiles
 * --chroot in user mode allowed only if seccomp support is available
- * in current Linux kernel
+ * in current Linux kernel (CVE-2016-10123)
 * deprecated --private-home feature
 * the first protocol list installed takes precedence
- * --tmpfs option allowed only running as root
+ * --tmpfs option allowed only running as root (CVE-2016-10117)
 * added --private-tmp option
+ * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)
 * bugfixes
 -- netblue30 <netblu...@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500
 
diff -Nru firejail-0.9.44.2/src/firejail/bandwidth.c firejail-0.9.44.4/src/firejail/bandwidth.c
--- firejail-0.9.44.2/src/firejail/bandwidth.c 2016-11-08 02:42:06.000000000 +0100
+++ firejail-0.9.44.4/src/firejail/bandwidth.c 2017-01-07 04:53:55.000000000 +0100
@@ -450,15 +450,8 @@
 if (setregid(0, 0))
 errExit("setregid");
 
- if (!cfg.shell)
- cfg.shell = guess_shell();
- if (!cfg.shell) {
- fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
- exit(1);
- }
-
 char *arg[4];
- arg[0] = cfg.shell;
+ arg[0] = "/bin/sh";
 arg[1] = "-c";
 arg[2] = cmd;
 arg[3] = NULL;
diff -Nru firejail-0.9.44.2/src/firejail/firejail.h firejail-0.9.44.4/src/firejail/firejail.h
--- firejail-0.9.44.2/src/firejail/firejail.h 2016-11-02 16:08:15.000000000 +0100
+++ firejail-0.9.44.4/src/firejail/firejail.h 2017-01-07 04:52:35.000000000 +0100
@@ -463,6 +463,7 @@
 uid_t get_group_id(const char *group);
 int remove_directory(const char *path);
 void flush_stdin(void);
+int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 
 // fs_var.c
 void fs_var_log(void); // mounting /var/log
diff -Nru firejail-0.9.44.2/src/firejail/fs_home.c firejail-0.9.44.4/src/firejail/fs_home.c
--- firejail-0.9.44.2/src/firejail/fs_home.c 2016-11-02 16:08:15.000000000 +0100
+++ firejail-0.9.44.4/src/firejail/fs_home.c 2017-01-07 04:52:35.000000000 +0100
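Review bot: Pinning `arg[0] = "/bin/sh";` removes the user-chosen `cfg.shell` from the privileged exec, but the shell is still launched after `setregid(0, 0)` with `cmd` passed through `-c`, so every byte of `cmd` is interpreted as shell syntax with root privileges; if `cmd` is assembled from command-line values (interface name, rate figures) without a strict character whitelist, a metacharacter in one of them reaches a root shell by a different route. `cmd` is built outside this hunk, so this is something to confirm rather than a finding: either each token is validated before it is formatted into `cmd`, or — the more robust shape — the shell is dropped in favour of `execv()` of the underlying tool with an explicit argv. At minimum a comment at the new line, `// executed as root: cmd must be built only from validated tokens`, makes the invariant visible to the next editor. The enclosing function starts and ends outside this hunk.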
@@ -108,6 +108,14 @@
 char *src;
 char *dest = RUN_XAUTHORITY_FILE;
 
+ // create an empty file
+ FILE *fp = fopen(dest, "w");
+ if (fp) {
+ fprintf(fp, "\n");
+ SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+ fclose(fp);
+ }
+
 if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
 errExit("asprintf");
 
@@ -117,12 +125,25 @@
 fprintf(stderr, "Warning: invalid .Xauthority file\n");
 return 0;
 }
-
- int rv = copy_file(src, dest, -1, -1, 0600);
- if (rv) {
- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
- return 0;
+
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), 0600);
+ if (rv)
+ fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+ else {
+ fs_logger2("clone", dest);
+ }
+ _exit(0);
 }
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
 
 return 1; // file copied
 }
@@ -135,6 +156,14 @@
 char *src;
 char *dest = RUN_ASOUNDRC_FILE;
 
+ // create an empty file
+ FILE *fp = fopen(dest, "w");
+ if (fp) {
+ fprintf(fp, "\n");
+ SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
+ fclose(fp);
+ }
+
 if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
 errExit("asprintf");
 
@@ -142,6 +171,7 @@
 if (stat(src, &s) == 0) {
 if (is_link(src)) {
 // make sure the real path of the file is inside the home directory
+ /* coverity[toctou] */
 char* rp = realpath(src, NULL);
 if (!rp) {
 fprintf(stderr, "Error: Cannot access %s\n", src);
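Review bot: A failed `fopen(dest, "w")` is silently skipped by `if (fp) {` and the function carries on as if the placeholder existed; this runs while still privileged on a fixed run-time path, so a failure here is a setup error rather than a best-effort condition, and — presumably the reason the file is created before the privilege drop at all — the unprivileged copy later in this function may have no other way to create `dest`. Replace the guard with `if (!fp) errExit("fopen");` so the sandbox stops with a clear message instead of continuing with a missing file. The enclosing function begins before this hunk.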
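Review bot: `waitpid(child, NULL, 0)` discards the child's status and the child always calls `_exit(0)`, so the `return 1; // file copied` that follows is now unconditional, whereas the removed code returned 0 when `copy_file` failed; a caller that relies on the return value would treat the one-byte placeholder written earlier in this function as a transferred `.Xauthority`. Exit with `_exit(rv ? 1 : 0);` in the child, collect the status with `int status; if (waitpid(child, &status, 0) < 0) errExit("waitpid");`, and return 1 only when `WIFEXITED(status) && WEXITSTATUS(status) == 0`. Also confirm that fs_home.c has `<sys/wait.h>` in scope — this diff adds that include to pulseaudio.c but no such hunk appears for fs_home.c. The enclosing function begins before this hunk.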
@@ -154,11 +184,24 @@
 free(rp);
 }
 
- int rv = copy_file(src, dest, -1, -1, -0644);
- if (rv) {
- fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
- return 0;
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), 0644);
+ if (rv)
+ fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+ else {
+ fs_logger2("clone", dest);
+ }
+ _exit(0);
 }
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
 
 return 1; // file copied
 }
@@ -171,13 +214,31 @@
 char *dest;
 if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
 errExit("asprintf");
- // copy, set permissions and ownership
- int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
- if (rv)
- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
- else {
- fs_logger2("clone", dest);
+
+ // if destination is a symbolic link, exit the sandbox!!!
+ if (is_link(dest)) {
+ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+ exit(1);
+ }
+
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+ if (rv)
+ fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+ else {
+ fs_logger2("clone", dest);
+ }
+ _exit(0);
 }
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
 
 // delete the temporary file
 unlink(src);
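Review bot: The child always calls `_exit(0)` and the parent's `waitpid(child, NULL, 0)` ignores the status, so `return 1; // file copied` is unconditional where the removed code returned 0 on a failed `copy_file`; the caller can no longer tell that `.asoundrc` was not transferred. Exit with `_exit(rv ? 1 : 0);` in the child, collect the status with `int status; if (waitpid(child, &status, 0) < 0) errExit("waitpid");`, and return 0 unless `WIFEXITED(status) && WEXITSTATUS(status) == 0`. The enclosing function begins before this hunk.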
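Review bot: The `is_link(dest)` test and the `copy_file` in the child are separated by a `fork()`, so a user who swaps `~/.Xauthority` for a symlink between the two gets past the check; that is harmless only because the child calls `drop_privs(0)` before writing and can therefore reach only what the user could already write, which is the real fix here — yet the comment `// if destination is a symbolic link, exit the sandbox!!!` presents the check as the protection. Suggest rewording it to `// advisory symlink check (racy); the privilege drop in the child below is what prevents a root write through a planted link` so the copy is not later moved back into the privileged parent on the strength of this check. The enclosing function starts outside the hunk.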
@@ -189,18 +250,37 @@
 char *dest;
 if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
 errExit("asprintf");
- // copy, set permissions and ownership
- int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
- if (rv)
- fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
- else {
- fs_logger2("clone", dest);
+
+ // if destination is a symbolic link, exit the sandbox!!!
+ if (is_link(dest)) {
+ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+ exit(1);
+ }
+
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ // copy, set permissions and ownership
+ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
+ if (rv)
+ fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
+ else {
+ fs_logger2("clone", dest);
+ }
+ _exit(0);
 }
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
 
 // delete the temporary file
 unlink(src);
 }
 
+
 // private mode (--private=homedir):
 // mount homedir on top of /home/user,
 // tmpfs on top of /root in nonroot mode,
diff -Nru firejail-0.9.44.2/src/firejail/main.c firejail-0.9.44.4/src/firejail/main.c
--- firejail-0.9.44.2/src/firejail/main.c 2016-11-12 14:44:32.000000000 +0100
+++ firejail-0.9.44.4/src/firejail/main.c 2017-01-07 04:52:35.000000000 +0100
@@ -35,6 +35,7 @@
 #include <signal.h>
 #include <time.h>
 #include <net/if.h>
+#include <sys/utsname.h>
 
 #if 0
 #include <sys/times.h>
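Review bot: This is the fourth copy in this diff of the same fork / `drop_privs(0)` / `copy_file` / `waitpid` sequence in fs_home.c, and in each one the child exits 0 regardless of `rv` while the parent passes `NULL` to `waitpid`, so a failed copy is invisible to the caller. Factoring the sequence into one `static` helper that returns the child's result removes the duplication and gives every call site a status to act on; the helper below replaces the lines from `pid_t child = fork();` through `waitpid(child, NULL, 0);`, with the symlink check and `unlink(src)` left as they are. It relies on `<sys/wait.h>` being in scope, which this diff adds to pulseaudio.c but not visibly to fs_home.c. The enclosing function begins before this hunk.
```c
// Copy src to dest as the unprivileged user: fork, drop root in the child and
// run copy_file() there. Returns 0 on success, 1 if the child could not copy.
static int copy_as_user(const char *src, const char *dest, mode_t mode) {
	pid_t child = fork();
	if (child < 0)
		errExit("fork");
	if (child == 0) {
		drop_privs(0);
		_exit(copy_file(src, dest, getuid(), getgid(), mode) ? 1 : 0);
	}
	int status = 0;
	if (waitpid(child, &status, 0) < 0)
		errExit("waitpid");
	return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

	// … unchanged: dest allocation and the is_link(dest) check …
	if (copy_as_user(src, dest, S_IRUSR | S_IWUSR))
		fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
	else
		fs_logger2("clone", dest);
	// … unchanged: unlink(src) …
```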
@@ -802,6 +803,24 @@
 // detect --allow-debuggers
 for (i = 1; i < argc; i++) {
 if (strcmp(argv[i], "--allow-debuggers") == 0) {
+ // check kernel version
+ struct utsname u;
+ int rv = uname(&u);
+ if (rv != 0)
+ errExit("uname");
+ int major;
+ int minor;
+ if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+ fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+ exit(1);
+ }
+ if (major < 4 || (major == 4 && minor < 8)) {
+ fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+ "A bug in ptrace call allows a full bypass of the seccomp filter. "
+ "Your current kernel version is %d.%d.\n", major, minor);
+ exit(1);
+ }
+
 arg_allow_debuggers = 1;
 break;
 }
diff -Nru firejail-0.9.44.2/src/firejail/pulseaudio.c firejail-0.9.44.4/src/firejail/pulseaudio.c
--- firejail-0.9.44.2/src/firejail/pulseaudio.c 2016-11-02 16:08:15.000000000 +0100
+++ firejail-0.9.44.4/src/firejail/pulseaudio.c 2017-01-07 04:52:35.000000000 +0100
@@ -1,4 +1,4 @@
-/*
+ /*
 * Copyright (C) 2014-2016 Firejail Authors
 *
 * This file is part of firejail project
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <sys/wait.h>
 
 static void disable_file(const char *path, const char *file) {
 assert(file);
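Review bot: The parse-failure message prints `u.version` although the string that was parsed is `u.release` — `version` is the build banner, so the text shown will not be the one that failed to match `"%d.%d"`; change it to `fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.release);`. The numeric gate is also only a proxy for the ptrace/seccomp fix: a distribution kernel below 4.8 that carries the backport is refused with nothing but the version number as explanation, which is the safe direction but deserves saying at `// check kernel version`, e.g. `// version-number proxy for the ptrace seccomp-bypass fix; backports cannot be detected here, so older kernels are refused outright`. The argument loop containing this block continues past the hunk.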
@@ -125,34 +126,67 @@
 SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
 fclose(fp);
 
+ // create ~/.config/pulse directory if not present
 char *dir1;
 if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(dir1, &s) == -1) {
- int rv = mkdir(dir1, 0755);
- if (rv == 0) {
- rv = chown(dir1, getuid(), getgid());
- (void) rv;
- rv = chmod(dir1, 0755);
- (void) rv;
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ int rv = mkdir(dir1, 0755);
+ if (rv == 0) {
+ if (set_perms(dir1, getuid(), getgid(), 0755))
+ {;} // do nothing
+ }
+ _exit(0);
+ }
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
+ }
+ else {
+ // make sure the directory is owned by the user
+ if (s.st_uid != getuid()) {
+ fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
+ exit(1);
 }
 }
 free(dir1);
+
 if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(dir1, &s) == -1) {
- int rv = mkdir(dir1, 0700);
- if (rv == 0) {
- rv = chown(dir1, getuid(), getgid());
- (void) rv;
- rv = chmod(dir1, 0700);
- (void) rv;
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // drop privileges
+ drop_privs(0);
+
+ int rv = mkdir(dir1, 0700);
+ if (rv == 0) {
+ if (set_perms(dir1, getuid(), getgid(), 0700))
+ {;} // do nothing
+ }
+ _exit(0);
+ }
+ // wait for the child to finish
+ waitpid(child, NULL, 0);
+ }
+ else {
+ // make sure the directory is owned by the user
+ if (s.st_uid != getuid()) {
+ fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
+ exit(1);
 }
 }
 free(dir1);
 
- // if we have ~/.config/pulse mount the new directory, else set environment variable
 char *homeusercfg;
 if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
diff -Nru firejail-0.9.44.2/src/firejail/util.c firejail-0.9.44.4/src/firejail/util.c
--- firejail-0.9.44.2/src/firejail/util.c
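Review bot: In both new `else {` branches an existing path is accepted as long as `s.st_uid == getuid()`, but `stat()` follows symlinks and nothing requires a directory, so a user-owned regular file, or a symlink to any user-owned location, passes and whatever the later `~/.config/pulse` handling does (outside this hunk) operates on that target instead; tighten the test to `if (s.st_uid != getuid() || !S_ISDIR(s.st_mode))`, and use `lstat()` if a symlinked config directory is itself meant to be refused. The `if (set_perms(dir1, ...)) {;} // do nothing` also swallows a failed `chmod`: after `drop_privs(0)` the `mkdir` already belongs to the caller and the `chown` to the same ids is presumably a no-op, so the mode is the only useful effect of the call and a failure there should at least print a warning. The function this hunk belongs to starts and ends outside it.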
2016-11-02 16:08:15.000000000 +0100
+++ firejail-0.9.44.4/src/firejail/util.c 2017-01-07 04:52:35.000000000 +0100
@@ -689,4 +689,14 @@
 }
 }
 }
 
+// return 1 if error
+int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+ assert(fname);
+ if (chmod(fname, mode) == -1)
+ return 1;
+ if (chown(fname, uid, gid) == -1)
+ return 1;
+ return 0;
+}
+
diff -Nru firejail-0.9.44.2/src/man/firejail.txt firejail-0.9.44.4/src/man/firejail.txt
--- firejail-0.9.44.2/src/man/firejail.txt 2016-11-02 19:36:03.000000000 +0100
+++ firejail-0.9.44.4/src/man/firejail.txt 2017-01-07 04:52:35.000000000 +0100
@@ -76,7 +76,9 @@
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox.
+Allow tools such as strace and gdb inside the sandbox. This option is only available
+when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+bypass of the seccomp filter.
 .br
 .br
diff -Nru firejail-0.9.44.2/test/environment/environment.sh firejail-0.9.44.4/test/environment/environment.sh
--- firejail-0.9.44.2/test/environment/environment.sh 2016-11-02 16:06:37.000000000 +0100
+++ firejail-0.9.44.4/test/environment/environment.sh 2017-01-07 15:18:33.000000000 +0100
@@ -82,12 +82,12 @@
 echo "TESTING: quiet (test/environment/quiet.exp)"
 ./quiet.exp
 
-which strace
-if [ "$?" -eq 0 ];
-then
- echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
- ./allow-debuggers.exp
-else
- echo "TESTING SKIP: strace not found"
-fi
+#which strace
+#if [ "$?" -eq 0 ];
+#then
+# echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
+# ./allow-debuggers.exp
+#else
+# echo "TESTING SKIP: strace not found"
+#fi
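Review bot: `set_perms` applies `chmod()` before `chown()`, the wrong order for a helper exported through firejail.h: a `chown()` to a different owner can clear set-id bits, so the final mode may not be the `mode` that was requested — swap the two calls so the mode is applied last. Both calls are also path-based and follow symlinks; that is safe at the two call sites in this diff only because they run after `drop_privs(0)`, and a future caller that uses the helper while still root could be redirected through a planted link, so an `O_NOFOLLOW` descriptor with `fchown()`/`fchmod()` is the more defensive shape (needs `<fcntl.h>` and `<unistd.h>` in util.c). The function also discards `errno`, so the caller cannot tell which call failed; say so in the header comment, e.g. `// return 1 if error (errno is not preserved); follows the conventional chown-then-chmod order`.
```c
// return 1 if error (errno is not preserved).
// Operates on an O_NOFOLLOW descriptor so a caller that is still root cannot
// be redirected through a symlink; ownership is set before mode so the
// requested mode is what remains.
int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
	assert(fname);
	int fd = open(fname, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
	if (fd == -1)
		return 1;
	int rv = 0;
	if (fchown(fd, uid, gid) == -1)
		rv = 1;
	else if (fchmod(fd, mode) == -1)
		rv = 1;
	close(fd);
	return rv;
}
```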
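Review bot: Commenting out the `--allow-debuggers` block leaves eight dead lines in the script and drops the test everywhere, including on hosts where the option still works; gating the block on the same 4.8 condition the code now enforces keeps the coverage and records why it is skipped elsewhere. The rewritten block below replaces the commented-out lines; the `which strace` inner check is kept unchanged.
```sh
# … unchanged: quiet test …
kmajor=$(uname -r | cut -d. -f1)
kminor=$(uname -r | cut -d. -f2)
if [ "$kmajor" -gt 4 ] || { [ "$kmajor" -eq 4 ] && [ "$kminor" -ge 8 ]; }; then
	which strace
	if [ "$?" -eq 0 ];
	then
		echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
		./allow-debuggers.exp
	else
		echo "TESTING SKIP: strace not found"
	fi
else
	echo "TESTING SKIP: --allow-debuggers requires kernel >= 4.8"
fi
```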