firejail: CVE-2022-31214: local root exploit reachable via --join logic

Related Vulnerabilities: CVE-2022-31214  

Debian Bug report logs - #1012510

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 8 Jun 2022 14:54:02 UTC

Severity: grave

Tags: security, upstream

Found in versions firejail/0.9.68-3, firejail/0.9.64.4-2

Fixed in version firejail/0.9.68-4

Done: Reiner Herrmann <reiner@reiner-h.de>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Reiner Herrmann <reiner@reiner-h.de>:
Bug#1012510; Package src:firejail. (Wed, 08 Jun 2022 14:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Reiner Herrmann <reiner@reiner-h.de>. (Wed, 08 Jun 2022 14:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firejail: CVE-2022-31214: local root exploit reachable via --join logic
Date: Wed, 08 Jun 2022 16:50:31 +0200
Source: firejail
Version: 0.9.68-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for firejail.

CVE-2022-31214[0]:
| local root exploit reachable via --join logic

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31214
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31214
[1] https://www.openwall.com/lists/oss-security/2022/06/08/10
[2] https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50
[3] https://github.com/netblue30/firejail/commit/dab835e7a0eb287822016f5ae4e87f46e1d363e7
[4] https://github.com/netblue30/firejail/commit/1884ea22a90d225950d81c804f1771b42ae55f54

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions firejail/0.9.64.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Jun 2022 15:03:03 GMT)


Reply sent to Reiner Herrmann <reiner@reiner-h.de>:
You have taken responsibility. (Wed, 08 Jun 2022 16:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 08 Jun 2022 16:51:09 GMT)


Message #12 received at 1012510-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1012510-close@bugs.debian.org
Subject: Bug#1012510: fixed in firejail 0.9.68-4
Date: Wed, 08 Jun 2022 16:48:56 +0000
Source: firejail
Source-Version: 0.9.68-4
Done: Reiner Herrmann <reiner@reiner-h.de>

We believe that the bug you reported is fixed in the latest version of
firejail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated firejail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Jun 2022 18:30:16 +0200
Source: firejail
Architecture: source
Version: 0.9.68-4
Distribution: unstable
Urgency: high
Maintainer: Reiner Herrmann <reiner@reiner-h.de>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Closes: 1012510
Changes:
 firejail (0.9.68-4) unstable; urgency=high
 .
   * Fix local root exploit reachable via --join logic. (CVE-2022-31214)
     (Closes: #1012510)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jun 9 13:13:32 2022; Machine Name: buxtehude
