Your message dated Wed, 29 May 2019 21:40:00 +0000
with message-id <e93b3905-8ace-092c-67d3-118ab6904...@thykier.net>
and subject line Re: Bug#929736: unblock: firejail/0.9.58.2-2
has caused the Debian Bug report #929736,
regarding unblock: firejail/0.9.58.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package firejail

The version in unstable fixes two security issues:

#929732 (debian/patches/seccomp-join.patch):
This issue allowed someone to run a program inside a jail that is protected
by seccomp filters without any seccomp filtering.
The location of the filters inside the jail was writable, so it could
be overwritten/deleted, so programs that were afterwards joined into the jail
had no filter applied.

#929733 (debian/patches/truncation.patch):
A race was possible that allowed someone inside the jail to truncate
the firejail binary outside the jail under certain conditions.
(The jailed program needs to be run as root, and it needs to be terminated
from the outside as root.)

Thanks in advance.

Kind regards,
   Reiner

unblock firejail/0.9.58.2-2
diff -Nru firejail-0.9.58.2/debian/changelog firejail-0.9.58.2/debian/changelog
--- firejail-0.9.58.2/debian/changelog  2019-02-08 20:06:02.000000000 +0100
+++ firejail-0.9.58.2/debian/changelog  2019-05-29 21:06:42.000000000 +0200
@@ -1,3 +1,16 @@
+firejail (0.9.58.2-2) unstable; urgency=high
+
+  * Cherry-pick security fix for seccomp bypass issue. (Closes: #929732)
+    Seccomp filters were writable inside the jail, so they could be
+    overwritten/truncated. Another jail that was then joined with the first
+    one, had no seccomp filters applied.
+  * Cherry-pick security fix for binary truncation issue. (Closes: #929733)
+    When the jailed program was running as root, and firejail was killed
+    from the outside (as root), the jailed program had the possibility to
+    truncate the firejail binary outside the jail.
+
+ -- Reiner Herrmann <rei...@reiner-h.de>  Wed, 29 May 2019 21:06:42 +0200
+
 firejail (0.9.58.2-1) unstable; urgency=medium
 
   * New upstream release.
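Review bot: neither changelog entry names the upstream issue or commit it cherry-picks (the patch headers carry #2718/eecf35c and #2401/fcba07c, faa1ec7), and the second entry says firejail was "killed from the outside" while truncation.patch only touches the --shutdown loop in shutdown.c; cite the upstream references here and describe the second fix as narrowly as the patch does, e.g. "when the sandbox was terminated with --shutdown".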
diff -Nru firejail-0.9.58.2/debian/patches/seccomp-join.patch 
firejail-0.9.58.2/debian/patches/seccomp-join.patch
--- firejail-0.9.58.2/debian/patches/seccomp-join.patch 1970-01-01 
01:00:00.000000000 +0100
+++ firejail-0.9.58.2/debian/patches/seccomp-join.patch 2019-05-29 
18:57:28.000000000 +0200
@@ -0,0 +1,91 @@
+From: smitsohu <smits...@gmail.com>
+Subject: [PATCH] mount runtime seccomp files read-only (#2602)
+Bug: https://github.com/netblue30/firejail/issues/2718
+Bug-Debian: https://bugs.debian.org/929732
+Origin: upstream, https://github.com/netblue30/firejail/commit/eecf35c
+
+avoid creating locations in the file system that are both writable and
+executable (in this case for processes with euid of the user).
+
+for the same reason also remove user owned libfiles
+when it is not needed any more
+
+--- a/src/firejail/firejail.h
++++ b/src/firejail/firejail.h
+@@ -57,13 +57,14 @@
+ #define RUN_LIB_FILE  "/run/firejail/mnt/libfiles"
+ #define RUN_DNS_ETC   "/run/firejail/mnt/dns-etc"
+ 
+-#define RUN_SECCOMP_LIST      "/run/firejail/mnt/seccomp.list"        // list 
of seccomp files installed
+-#define RUN_SECCOMP_PROTOCOL  "/run/firejail/mnt/seccomp.protocol"    // 
protocol filter
+-#define RUN_SECCOMP_CFG       "/run/firejail/mnt/seccomp"                     
// configured filter
+-#define RUN_SECCOMP_32        "/run/firejail/mnt/seccomp.32"          // 
32bit arch filter installed on 64bit architectures
+-#define RUN_SECCOMP_MDWX      "/run/firejail/mnt/seccomp.mdwx"                
// filter for memory-deny-write-execute
+-#define RUN_SECCOMP_BLOCK_SECONDARY   
"/run/firejail/mnt/seccomp.block_secondary"     // secondary arch blocking 
filter
+-#define RUN_SECCOMP_POSTEXEC  "/run/firejail/mnt/seccomp.postexec"            
// filter for post-exec library
++#define RUN_SECCOMP_DIR       "/run/firejail/mnt/seccomp"
++#define RUN_SECCOMP_LIST      "/run/firejail/mnt/seccomp/seccomp.list"        
// list of seccomp files installed
++#define RUN_SECCOMP_PROTOCOL  "/run/firejail/mnt/seccomp/seccomp.protocol"    
// protocol filter
++#define RUN_SECCOMP_CFG       "/run/firejail/mnt/seccomp/seccomp"             
        // configured filter
++#define RUN_SECCOMP_32                "/run/firejail/mnt/seccomp/seccomp.32"  
        // 32bit arch filter installed on 64bit architectures
++#define RUN_SECCOMP_MDWX      "/run/firejail/mnt/seccomp/seccomp.mdwx"        
        // filter for memory-deny-write-execute
++#define RUN_SECCOMP_BLOCK_SECONDARY   
"/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch 
blocking filter
++#define RUN_SECCOMP_POSTEXEC  "/run/firejail/mnt/seccomp/seccomp.postexec"    
        // filter for post-exec library
+ #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                     
// default filter built during make
+ #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // 
default filter built during make
+ #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                       
// 32bit arch filter built during make
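Review bot: the eight file paths are still independent string literals, so RUN_SECCOMP_DIR and the files under it can drift apart; build them from the directory macro, e.g. `#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"` and `#define RUN_SECCOMP_LIST RUN_SECCOMP_DIR "/seccomp.list"`. Note also that the old value of RUN_SECCOMP_CFG, "/run/firejail/mnt/seccomp", is now the directory, so any code or profile in the 0.9.58.2 tree that spells that path out literally rather than through the macro will now open a directory instead of the configured filter; worth a grep before upload.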
+@@ -94,7 +95,6 @@
+ #define RUN_ASOUNDRC_FILE     "/run/firejail/mnt/.asoundrc"
+ #define RUN_HOSTNAME_FILE     "/run/firejail/mnt/hostname"
+ #define RUN_HOSTS_FILE        "/run/firejail/mnt/hosts"
+-#define RUN_RESOLVCONF_FILE   "/run/firejail/mnt/resolv.conf"
+ #define RUN_MACHINEID "/run/firejail/mnt/machine-id"
+ #define RUN_LDPRELOAD_FILE    "/run/firejail/mnt/ld.so.preload"
+ #define RUN_UTMP_FILE         "/run/firejail/mnt/utmp"
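Review bot: dropping RUN_RESOLVCONF_FILE has nothing to do with the seccomp fix and came along with the upstream cherry-pick; for a targeted backport either leave this hunk out or confirm that no remaining code in 0.9.58.2 references the macro, otherwise the build fails for a reason unrelated to the security issue.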
+--- a/src/firejail/fs_lib.c
++++ b/src/firejail/fs_lib.c
+@@ -133,6 +133,7 @@
+               fslib_duplicate(buf);
+       }
+       fclose(fp);
++      unlink(RUN_LIB_FILE);
+ }
+ 
+ 
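Review bot: the new unlink(RUN_LIB_FILE) ignores its result, while the other unlink in this same patch (sandbox.c) uses the `int rv = unlink(...); (void) rv;` form; keep one style. Since the commit message justifies this removal as taking away a user-owned file from a location that should not be writable, a one-line comment saying so would make the intent clear to the next reader.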
+--- a/src/firejail/preproc.c
++++ b/src/firejail/preproc.c
+@@ -86,6 +86,8 @@
+               fs_logger2("tmpfs", RUN_MNT_DIR);
+ 
+ #ifdef HAVE_SECCOMP
++              create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
++
+               if (arg_seccomp_block_secondary)
+                       copy_file(PATH_SECCOMP_BLOCK_SECONDARY, 
RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
+               else {
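Review bot: create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755) stops the sandbox user from unlinking or renaming entries, but the filter files are still copied as getuid()/getgid() with mode 0644 (the copy_file call right below), so they remain user-writable until the read-only remount later in sandbox.c; add a comment here recording that dependency, or copy the files as root-owned if nothing in the sandbox needs to own them.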
+--- a/src/firejail/sandbox.c
++++ b/src/firejail/sandbox.c
+@@ -1064,9 +1064,6 @@
+       // save state of nonewprivs
+       save_nonewprivs();
+ 
+-      // set capabilities
+-      set_caps();
+-
+       // set cpu affinity
+       if (cfg.cpus) {
+               save_cpu(); // save cpu affinity mask to CPU_CFG file
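Review bot: removing set_caps() here moves the capability drop to after the seccomp directory remount in the next hunk, which lengthens the part of sandbox setup that runs with the full capability set; the move needs a comment giving the reason (the read-only bind remount needs capabilities that set_caps() would drop), otherwise it reads as an accidental reordering.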
+@@ -1118,8 +1115,13 @@
+               int rv = unlink(RUN_SECCOMP_MDWX);
+               (void) rv;
+       }
++      // make seccomp filters read-only
++      fs_rdonly(RUN_SECCOMP_DIR);
+ #endif
+ 
++      // set capabilities
++      set_caps();
++
+       //****************************************
+       // communicate progress of sandbox set up
+       // to --join
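Review bot: fs_rdonly(RUN_SECCOMP_DIR) must stay after the unlink(RUN_SECCOMP_MDWX) above it (a remount-ro first would make that unlink fail) and before the re-added set_caps() (the remount needs the capabilities), and both orderings are load-bearing but unstated; a comment on each would keep a later refactor from silently reintroducing writable filters. The remount only closes the bypass if the joined or sandboxed process cannot remount, which is exactly what the capability drop guarantees, so the two lines should stay adjacent.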
diff -Nru firejail-0.9.58.2/debian/patches/series 
firejail-0.9.58.2/debian/patches/series
--- firejail-0.9.58.2/debian/patches/series     2019-02-08 19:34:04.000000000 
+0100
+++ firejail-0.9.58.2/debian/patches/series     2019-05-29 20:50:09.000000000 
+0200
@@ -1,3 +1,5 @@
 disable-internet-tests.patch
 config-hardening.patch
 apparmor-include.patch
+seccomp-join.patch
+truncation.patch
diff -Nru firejail-0.9.58.2/debian/patches/truncation.patch 
firejail-0.9.58.2/debian/patches/truncation.patch
--- firejail-0.9.58.2/debian/patches/truncation.patch   1970-01-01 
01:00:00.000000000 +0100
+++ firejail-0.9.58.2/debian/patches/truncation.patch   2019-05-29 
21:05:54.000000000 +0200
@@ -0,0 +1,44 @@
+From: smitsohu <smits...@gmail.com>
+Subject: [PATCH] shutdown option: give sandbox time to terminate
+Bug: https://github.com/netblue30/firejail/issues/2401
+Bug-Debian: https://bugs.debian.org/929733
+Origin: upstream, https://github.com/netblue30/firejail/commit/fcba07c and 
faa1ec7
+
+Similarly to CVE-2019-5736, the binary (firejail) could be truncated outside 
the
+jail from the inside under certain conditions.
+This was possible if the jailed program was running as root, and it was killed
+from the outside (as root), e.g. with SIGKILL or --shutdown.
+
+--- a/src/firejail/shutdown.c
++++ b/src/firejail/shutdown.c
+@@ -52,15 +52,17 @@
+       printf("Sending SIGTERM to %u\n", pid);
+       kill(pid, SIGTERM);
+ 
+-      // wait for not more than 10 seconds
+-      sleep(2);
+-      int monsec = 8;
++      // wait for not more than 11 seconds
++      int monsec = 11;
+       char *monfile;
+       if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1)
+               errExit("asprintf");
+       int killdone = 0;
+ 
+       while (monsec) {
++              sleep(1);
++              monsec--;
++              
+               FILE *fp = fopen(monfile, "r");
+               if (!fp) {
+                       killdone = 1;
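Review bot: the hunk changes only timing (first check after 1 s instead of 2 s, eleven checks instead of eight, loop exits right after a successful check), while the patch header says the problem was also triggered when firejail was killed from the outside with SIGKILL; a SIGKILL'd supervisor never executes this loop, so either the header overstates what this hunk fixes or the SIGKILL case remains open and should be tracked separately. The new comment "wait for not more than 11 seconds" does match monsec = 11 with one sleep(1) per iteration. Style: the added line after `monsec--;` consists of whitespace only.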
+@@ -75,9 +77,6 @@
+                       killdone = 1;
+                       break;
+               }
+-
+-              sleep(1);
+-              monsec--;
+       }
+       free(monfile);
+ 
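Review bot: this is the other half of moving the delay to the top of the loop, and after it the loop can still exit with killdone == 0 once monsec reaches zero; what happens after free(monfile) in that case is outside the hunk, but since the patch, by its own description, only gives the sandbox more time rather than removing the truncation primitive, the fallback path that runs when the sandbox has not terminated is where the race still lives and should be reviewed alongside this change.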

--- End Message ---
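The seccomp bypass described in the unblock request above comes down to a loader trusting filter files in a location the sandbox user could rewrite or delete. As an added example, which is not firejail's code and not how firejail implements --join, here is the kind of check a loader can make on the descriptor it actually reads from before installing the program: file type, owner and mode are verified with fstat on the opened fd, a planted symlink is refused by O_NOFOLLOW, and an empty or truncated file is rejected instead of being installed as a filter with nothing in it. The path names, the helper names and the one-instruction sample program are assumptions for this example; it needs Linux.

```c
/* Added example, not firejail's code. Helper names, the /tmp file name and
 * the sample BPF program are assumptions made for this illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a filter file and verify, on the opened descriptor (so there is no
 * check-then-use window), that it is a regular file owned by `owner` and
 * not writable by group or others. Returns the fd, or -errno on rejection. */
int open_trusted_filter(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -errno;                 /* -ELOOP for a planted symlink */
    struct stat st;
    int err = 0;
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISREG(st.st_mode))
        err = EINVAL;                  /* directory, fifo, device ... */
    else if (st.st_uid != owner)
        err = EPERM;                   /* someone else could have rewritten it */
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        err = EACCES;                  /* group- or world-writable */
    else if (st.st_size == 0 || (size_t)st.st_size % sizeof(struct sock_filter) != 0)
        err = EILSEQ;                  /* empty or truncated program */
    if (err) {
        close(fd);
        return -err;
    }
    return fd;
}

/* Read the whole file as an array of struct sock_filter. Returns the number
 * of instructions, or -errno. The caller frees *out. */
ssize_t read_bpf_program(int fd, struct sock_filter **out)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -errno;
    size_t len = (size_t)st.st_size;
    struct sock_filter *insns = malloc(len);
    if (!insns)
        return -ENOMEM;
    size_t got = 0;
    while (got < len) {
        ssize_t n = pread(fd, (char *)insns + got, len - got, (off_t)got);
        if (n <= 0) {
            int e = n < 0 ? errno : EIO;
            free(insns);
            return -e;
        }
        got += (size_t)n;
    }
    *out = insns;
    return (ssize_t)(len / sizeof(struct sock_filter));
}

/* Install the program in the calling process. NO_NEW_PRIVS must be set
 * first for an unprivileged process to use SECCOMP_MODE_FILTER. */
int install_filter(struct sock_filter *insns, size_t n)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Write `n` instructions to a fresh file under /tmp with the given mode and
 * return its path in `path` (at least 32 bytes). Returns 0 or -errno. */
int write_filter_file(char *path, const struct sock_filter *insns, size_t n, mode_t mode)
{
    strcpy(path, "/tmp/seccomp-example-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    size_t len = n * sizeof(struct sock_filter);
    if (write(fd, insns, len) != (ssize_t)len || fchmod(fd, mode) != 0) {
        int e = errno ? errno : EIO;
        close(fd);
        unlink(path);
        return -e;
    }
    close(fd);
    return 0;
}

int main(void)
{
    /* One-instruction "allow everything" program, only to exercise loading. */
    struct sock_filter allow_all[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    char path[32];
    if (write_filter_file(path, allow_all, 1, 0644) != 0)
        return 1;
    int fd = open_trusted_filter(path, geteuid());
    if (fd < 0) {
        fprintf(stderr, "refused: %s\n", strerror(-fd));
        return 1;
    }
    struct sock_filter *prog;
    ssize_t n = read_bpf_program(fd, &prog);
    close(fd);
    unlink(path);
    if (n <= 0 || install_filter(prog, (size_t)n) != 0)
        return 1;
    printf("installed %zd-instruction filter\n", n);
    free(prog);
    return 0;
}
```

The checks are made on the open descriptor rather than on the path, so there is no window in which the file can be swapped between the check and the read. The patch on this page obtains the same property differently, by putting the files in a root-owned directory and remounting it read-only before capabilities are dropped; either way, the loader must never be in a position where the sandbox user decides what filter, if any, gets installed.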
--- Begin Message ---
Reiner Herrmann:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Please unblock package firejail
> 
> The version in unstable fixes two security issues:
> 
> #929732 (debian/patches/seccomp-join.patch):
> This issue allowed someone to run a program inside a jail that is protected
> by seccomp filters without any seccomp filtering.
> The location of the filters inside the jail was writable, so it could
> be overwritten/deleted, so programs that were afterwards joined into the jail
> had no filter applied.
> 
> #929733 (debian/patches/truncation.patch):
> A race was possible that allowed someone inside the jail to truncate
> the firejail binary outside the jail under certain conditions.
> (The jailed program needs to be run as root, and it needs to be terminated
> from the outside as root.)
> 
> Thanks in advance.
> 
> Kind regards,
>    Reiner
> 
> unblock firejail/0.9.58.2-2
> 

Unblocked, thanks.
~Niels

--- End Message ---
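The truncation issue in the unblock request quoted above is compared to CVE-2019-5736, and the patch in this upload narrows the window by changing the --shutdown wait. The general hardening against that class, shown here as an added example that is not firejail's code and not what this upload does, is for the supervisor to copy itself into a sealed memfd and re-exec from it, so that a root process inside the jail which reaches the supervisor through the /proc/<pid>/exe route used in CVE-2019-5736 finds an anonymous, sealed file rather than the on-disk binary. The function names, the SEALED_REEXEC environment variable and the memfd name are assumptions for this example; it needs Linux with the glibc memfd_create wrapper.

```c
/* Added example, not firejail's code: run a supervisor from a sealed
 * in-memory copy of itself so the on-disk binary is no longer what
 * /proc/<pid>/exe resolves to. Names below are chosen for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

static int fail_close(int e, int a, int b)
{
    close(a);
    close(b);
    return -e;
}

/* Copy the file at src_path into an anonymous memfd and seal it against
 * writes, shrinking, growing and any further change of seals.
 * Returns the memfd, or -errno. */
int copy_to_sealed_memfd(const char *src_path, const char *name)
{
    int src = open(src_path, O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -errno;
    int mfd = memfd_create(name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0)
        return fail_close(errno, src, -1);
    char buf[65536];
    for (;;) {
        ssize_t n = read(src, buf, sizeof buf);
        if (n == 0)
            break;
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return fail_close(errno, src, mfd);
        }
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) {
                if (errno == EINTR)
                    continue;
                return fail_close(errno, src, mfd);
            }
            off += w;
        }
    }
    close(src);
    /* From here on ftruncate(), write() and shared writable mappings on the
     * memfd fail with EPERM, and the seals themselves cannot be removed. */
    if (fcntl(mfd, F_ADD_SEALS,
              F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) != 0)
        return fail_close(errno, mfd, -1);
    return mfd;
}

/* Seals currently applied to fd, or -errno. */
int get_seals(int fd)
{
    int s = fcntl(fd, F_GET_SEALS);
    return s < 0 ? -errno : s;
}

/* 1 if the truncation primitive is refused on fd, 0 otherwise. */
int truncation_is_blocked(int fd)
{
    return ftruncate(fd, 0) != 0 && errno == EPERM;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (getenv("SEALED_REEXEC")) {
        /* Second stage: already running from the memfd. */
        char exe[PATH_MAX];
        ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
        if (n < 0)
            return 1;
        exe[n] = '\0';
        printf("running from %s\n", exe); /* e.g. "/memfd:supervisor (deleted)" */
        return 0;
    }
    int mfd = copy_to_sealed_memfd("/proc/self/exe", "supervisor");
    if (mfd < 0) {
        fprintf(stderr, "memfd: %s\n", strerror(-mfd));
        return 1;
    }
    setenv("SEALED_REEXEC", "1", 1);
    /* Exec by descriptor; MFD_CLOEXEC is fine for an ELF image. */
    fexecve(mfd, argv, environ);
    perror("fexecve");
    return 1;
}
```

The seals are what make the copy more than a convenience: without F_SEAL_WRITE and F_SEAL_SHRINK a root process that obtains the memfd through /proc could still truncate it, and without F_SEAL_SEAL it could remove the other seals first. The copy costs one read of the binary at start-up and does nothing for the case the patch on this page addresses only by timing, namely a supervisor that is killed before its sandbox has gone away; it does, however, take the on-disk binary out of reach regardless of when that happens.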