• [gentoo-announce] [ GLSA 202305-19 ] Firejail: Local Privilege Escalation

    From [email protected]@21:1/5 to All on Wed May 3 12:30:01 2023
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202305-19
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: Firejail: Local Privilege Escalation
    Date: May 03, 2023
    Bugs: #850748
    ID: 202305-19

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Firejail which could result in
    local root privilege escalation.

    Background
    ==========

    A SUID program that reduces the risk of security breaches by restricting
    the running environment of untrusted applications using Linux namespaces
    and seccomp-bpf.

    Affected packages
    =================

    -------------------------------------------------------------------
    Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
    Traceback (most recent call last):
    File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 326, in generate_mail_table
    return self._generate_mail_table()
    File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 297, in _generate_mail_table
    vuln.range_types_rev[vuln.pkg_range], vuln.version
    KeyError: None


    Description
    ===========

    Firejail does not sufficiently validate the user's environment prior to
    using it as the root user when using the --join command line option.

    Impact
    ======

    An unprivileged user can exploit this vulnerability to achieve local
    root privileges.

    Workaround
    ==========

    System administrators can mitigate this vulnerability by adding either
    "force-nonewprivs yes" or "join no" to the Firejail configuration file
    in /etc/firejail/firejail.config.

    Resolution
    ==========

    Gentoo has discontinued support for sys-apps/firejail-lts. Users should
    unmerge it in favor of sys-apps/firejail:

    # emerge --ask --depclean --verbose "sys-apps/firejail-lts"
    # emerge --ask --verbose "sys-apps/firejail"

    All Firejail users should upgrade to the latest version:

    # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.70"

    References
    ==========

    [ 1 ] CVE-2022-31214
    https://nvd.nist.gov/vuln/detail/CVE-2022-31214

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202305-19

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    [email protected] or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2023 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sam James@21:1/5 to All on Thu May 4 09:20:01 2023
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202305-19
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: Firejail: Local Privilege Escalation
    Date: May 03, 2023
    Bugs: #850748
    ID: 202305-19

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Firejail which could result in
    local root privilege escalation.

    Background
    ==========

    A SUID program that reduces the risk of security breaches by restricting
    the running environment of untrusted applications using Linux namespaces
    and seccomp-bpf.

    Affected packages
    =================

    -------------------------------------------------------------------
    Package                /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
    sys-apps/firejail      /  < 0.9.70    /  >= 0.9.70
    sys-apps/firejail-lts  /  *           /  N/A

    Description
    ===========

    Firejail does not sufficiently validate the user's environment prior to
    using it as the root user when using the --join command line option.

    Impact
    ======

    An unprivileged user can exploit this vulnerability to achieve local
    root privileges.

    Workaround
    ==========

    System administrators can mitigate this vulnerability by adding either
    "force-nonewprivs yes" or "join no" to the Firejail configuration file
    in /etc/firejail/firejail.config.

    Resolution
    ==========

    Gentoo has discontinued support for sys-apps/firejail-lts. Users should
    unmerge it in favor of sys-apps/firejail:

    # emerge --ask --depclean --verbose "sys-apps/firejail-lts"
    # emerge --ask --verbose "sys-apps/firejail"

    All Firejail users should upgrade to the latest version:

    # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.70"

    References
    ==========

    [ 1 ] CVE-2022-31214
    https://nvd.nist.gov/vuln/detail/CVE-2022-31214

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202305-19

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    [email protected] or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2023 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
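
Added example (not part of the advisory or of Firejail): a host audit for the Workaround and Resolution sections above, reporting whether a system is on the fixed release (>= 0.9.70), covered by one of the two workarounds, or neither. It assumes firejail.config holds one "key value" pair per line with "#" comment lines and that the last occurrence of a key is the effective one, that "firejail --version" prints "firejail version X.Y.Z" on its first line, and that sort supports -V (GNU coreutils); the function names are illustrative.

```shell
#!/bin/sh
# Audit a host against GLSA 202305-19 (CVE-2022-31214).

# Print the effective value of key $2 in config file $1 (empty if unset).
effective_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # commented-out defaults do not count
        NF == 2 && $1 == key { val = $2 }   # assumption: last assignment wins
        END { print val }
    ' "$1"
}

# Return 0 if either workaround from the advisory is active in config file $1.
workaround_active() {
    [ -r "$1" ] || return 1
    [ "$(effective_setting "$1" force-nonewprivs)" = "yes" ] && return 0
    [ "$(effective_setting "$1" join)" = "no" ] && return 0
    return 1
}

# Return 0 if version $1 is at or above the fixed release 0.9.70.
version_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "0.9.70" | sort -V | head -n 1)
    [ "$lowest" = "0.9.70" ]
}

# Print a verdict for installed version $1 and config file $2.
audit() {
    if version_fixed "$1"; then
        echo "fixed"
    elif workaround_active "$2"; then
        echo "mitigated"
    else
        echo "vulnerable"
    fi
}

# Stand-alone use: audit this host when firejail is installed.
if command -v firejail >/dev/null 2>&1; then
    audit "$(firejail --version | awk 'NR == 1 { print $3 }')" \
        /etc/firejail/firejail.config
fi
```

A "mitigated" verdict only reflects the configuration file; upgrading as described under Resolution is still the fix. The audit does not cover sys-apps/firejail-lts, which the advisory lists as affected in all versions.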