<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for firejail</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2021:0271-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2021-02-10T17:03:36Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2021-02-10T17:03:36Z</InitialReleaseDate>
    <CurrentReleaseDate>2021-02-10T17:03:36Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for firejail</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for firejail fixes the following issues:

firejail 0.9.64.4 is shipped to openSUSE Leap 15.2

- CVE-2021-26910: Fixed root privilege escalation due to race condition (boo#1181990)

Update to 0.9.64.4:

* disabled overlayfs, pending multiple fixes
* fixed launch firefox for open url in telegram-desktop.profile

Update to 0.9.64.2:

* allow --tmpfs inside $HOME for unprivileged users
* --disable-usertmpfs compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
* added nolocal6.net IPv6 network filter
* new profiles: spectacle, chromium-browser-privacy,
  gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer,
  gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu,
  authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg,
  mdr, shotwell, qnapi, guvcview, pkglog, kdiff3, CoyIM.

Update to version 0.9.64:

* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from
  killing the process to returning EPERM to the caller. To get the
  previous behaviour, use --seccomp-error-action=kill or
  syscall:kill syntax when constructing filters, or override in
  /etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
  xdg-dbus-proxy must be installed; if it is not, D-Bus access will be allowed.
  With this version, nodbus is deprecated in favor of dbus-user none and
  dbus-system none, and it will be removed in a future version.
* DHCP client support
* firecfg only fixes desktop files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
* new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
* new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
* new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
* new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
* new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
* new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
* new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
* new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
* new profiles: swell-foop, fdns, five-or-more, steam-runtime
* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
* new profiles: gapplication, openarena_ded, element-desktop, cawbird
* new profiles: freetube, strawberry, jitsi-meet-desktop
* new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
* new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
* new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
* new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
* new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
* new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
* new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
* new profiles: qrencode, ytmdesktop, twitch
* new profiles: xournalpp, chromium-freeworld, equalx

- Make the AppArmor profile compatible with AppArmor 3.0 (add missing include &lt;tunables/global&gt;)

Update to 0.9.62.4:

* fix AppArmor broken in the previous release
* miscellaneous fixes

Update to 0.9.62.2:

* fix CVE-2020-17367
* fix CVE-2020-17368
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2021-271</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JJKSV64EI6OP7AKHJQVLFPJPOUXRN47F/</URL>
      <Description>E-Mail link for openSUSE-SU-2021:0271-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1181990</URL>
      <Description>SUSE Bug 1181990</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-17367/</URL>
      <Description>SUSE CVE CVE-2020-17367 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-17368/</URL>
      <Description>SUSE CVE CVE-2020-17368 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2021-26910/</URL>
      <Description>SUSE CVE CVE-2021-26910 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 15.2">
      <Branch Type="Product Name" Name="openSUSE Leap 15.2">
        <FullProductName ProductID="openSUSE Leap 15.2" CPE="cpe:/o:opensuse:leap:15.2">openSUSE Leap 15.2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="firejail-0.9.64.4-lp152.3.6.1">
      <FullProductName ProductID="firejail-0.9.64.4-lp152.3.6.1">firejail-0.9.64.4-lp152.3.6.1</FullProductName>
    </Branch>
    <Relationship ProductReference="firejail-0.9.64.4-lp152.3.6.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.2">
      <FullProductName ProductID="openSUSE Leap 15.2:firejail-0.9.64.4-lp152.3.6.1">firejail-0.9.64.4-lp152.3.6.1 as a component of openSUSE Leap 15.2</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.</Note>
    </Notes>
    <CVE>CVE-2020-17367</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.2:firejail-0.9.64.4-lp152.3.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>critical</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.6</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JJKSV64EI6OP7AKHJQVLFPJPOUXRN47F/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-17367.html</URL>
        <Description>CVE-2020-17367</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1174986</URL>
        <Description>SUSE Bug 1174986</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.</Note>
    </Notes>
    <CVE>CVE-2020-17368</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.2:firejail-0.9.64.4-lp152.3.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>critical</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JJKSV64EI6OP7AKHJQVLFPJPOUXRN47F/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-17368.html</URL>
        <Description>CVE-2020-17368</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1174986</URL>
        <Description>SUSE Bug 1174986</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.</Note>
    </Notes>
    <CVE>CVE-2021-26910</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.2:firejail-0.9.64.4-lp152.3.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.9</BaseScore>
        <Vector>AV:L/AC:M/Au:N/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JJKSV64EI6OP7AKHJQVLFPJPOUXRN47F/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2021-26910.html</URL>
        <Description>CVE-2021-26910</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1181990</URL>
        <Description>SUSE Bug 1181990</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
