I can't currently post patches, something seems broken in Launchpad. So here is the full patch in a comment:
diff -Nru firejail-0.9.62/debian/changelog firejail-0.9.62/debian/changelog --- firejail-0.9.62/debian/changelog 2020-01-20 18:53:34.000000000 +0000 +++ firejail-0.9.62/debian/changelog 2021-03-27 15:20:50.000000000 +0000 @@ -1,3 +1,12 @@ +firejail (0.9.62-3ubuntu0.1) focal-security; urgency=low + + * SECURITY UPDATE: bypass of access restrictions (LP: #1916767) + - disable OverlayFS support which contains a TOCTOU race condition + between a stat operation and an OverlayFS mount. + - CVE-2021-26910 + + -- Reiner Herrmann <rei...@reiner-h.de> Sat, 27 Mar 2021 15:20:50 +0000 + firejail (0.9.62-3) unstable; urgency=medium * Import upstream profile fixes: diff -Nru firejail-0.9.62/debian/control firejail-0.9.62/debian/control --- firejail-0.9.62/debian/control 2020-01-01 19:14:43.000000000 +0000 +++ firejail-0.9.62/debian/control 2021-03-27 15:18:59.000000000 +0000 @@ -1,7 +1,8 @@ Source: firejail Section: utils Priority: optional -Maintainer: Reiner Herrmann <rei...@reiner-h.de> +Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com> +XSBC-Original-Maintainer: Reiner Herrmann <rei...@reiner-h.de> Build-Depends: debhelper-compat (= 12), dh-apparmor, libapparmor-dev, pkg-config Standards-Version: 4.4.1 Rules-Requires-Root: no diff -Nru firejail-0.9.62/debian/patches/CVE-2021-26910.patch firejail-0.9.62/debian/patches/CVE-2021-26910.patch --- firejail-0.9.62/debian/patches/CVE-2021-26910.patch 1970-01-01 00:00:00.000000000 +0000 +++ firejail-0.9.62/debian/patches/CVE-2021-26910.patch 2021-03-27 15:20:50.000000000 +0000 @@ -0,0 +1,32 @@ +Author: netblue30 <netblu...@protonmail.com> +Description: disable overlayfs, which is broken on current kernel releases + and has security vulnerabilities (CVE-2021-26910) +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767 + +Index: firejail-0.9.62/configure.ac +=================================================================== +--- firejail-0.9.62.orig/configure.ac ++++ firejail-0.9.62/configure.ac +@@ -52,13 +52,16 @@ AC_SUBST([EXTRA_CFLAGS]) + AC_SUBST([EXTRA_LDFLAGS]) + + ++# overlayfs features temporarely disabled pending fixes + HAVE_OVERLAYFS="" +-AC_ARG_ENABLE([overlayfs], +- AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) +-AS_IF([test "x$enable_overlayfs" != "xno"], [ +- HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" +- AC_SUBST(HAVE_OVERLAYFS) +-]) ++AC_SUBST(HAVE_OVERLAYFS) ++# ++#AC_ARG_ENABLE([overlayfs], ++# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) ++#AS_IF([test "x$enable_overlayfs" != "xno"], [ ++# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" ++# AC_SUBST(HAVE_OVERLAYFS) ++#]) + + HAVE_FIRETUNNEL="" + AC_ARG_ENABLE([firetunnel], diff -Nru firejail-0.9.62/debian/patches/series firejail-0.9.62/debian/patches/series --- firejail-0.9.62/debian/patches/series 2020-01-20 17:59:35.000000000 +0000 +++ firejail-0.9.62/debian/patches/series 2021-03-27 15:12:56.000000000 +0000 @@ -5,3 +5,4 @@ m4_check_compile_flag.patch fix-tests.patch profile-fixes.patch +CVE-2021-26910.patch ** Tags added: patch patch-accepted-debian patch-accepted-upstream ** Changed in: firejail (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1916767 Title: firejail version in Ubuntu 20.04 LTS is vulnarable to CVE-2021-26910 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
