firejail: CVE-2017-5206

Related Vulnerabilities: CVE-2017-5206, CVE-2017-5180, CVE-2017-5207

Debian Bug report logs - #850558


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 7 Jan 2017 18:18:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version firejail/0.9.44.2-1

Fixed in version firejail/0.9.44.4-1

Done: Reiner Herrmann <reiner@reiner-h.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Reiner Herrmann <reiner@reiner-h.de>:
Bug#850558; Package src:firejail. (Sat, 07 Jan 2017 18:18:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Reiner Herrmann <reiner@reiner-h.de>. (Sat, 07 Jan 2017 18:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firejail: CVE-2017-5206
Date: Sat, 07 Jan 2017 19:15:49 +0100
Source: firejail
Version: 0.9.44.2-1
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole

Hi,

the following vulnerability was published for firejail.

CVE-2017-5206[0]:
| allows ptrace with --allow-debuggers, which allows a
| sandboxed program to escape the seccomp profile by rewriting
| permitted system calls into unpermitted ones pre-Linux-4.8.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5206
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5206
[1] https://github.com/netblue30/firejail/commit/6b8dba29d73257311564ee7f27b9b14758cc693e

Regards,
Salvatore



Reply sent to Reiner Herrmann <reiner@reiner-h.de>:
You have taken responsibility. (Sat, 07 Jan 2017 19:51:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 07 Jan 2017 19:51:11 GMT)


Message #10 received at 850558-close@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 850558-close@bugs.debian.org
Subject: Bug#850558: fixed in firejail 0.9.44.4-1
Date: Sat, 07 Jan 2017 19:48:28 +0000
Source: firejail
Source-Version: 0.9.44.4-1

We believe that the bug you reported is fixed in the latest version of
firejail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850558@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated firejail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 07 Jan 2017 20:24:40 +0100
Source: firejail
Binary: firejail
Architecture: source
Version: 0.9.44.4-1
Distribution: unstable
Urgency: high
Maintainer: Reiner Herrmann <reiner@reiner-h.de>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Description:
 firejail   - sandbox to restrict the application environment
Closes: 850528 850558
Changes:
 firejail (0.9.44.4-1) unstable; urgency=high
 .
   * New upstream release.
     - Security fixes for: CVE-2017-5180, CVE-2017-5206, CVE-2017-5207
       (Closes: #850528, #850558)
   * Drop patches applied upstream.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Feb 2017 07:30:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:09:58 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.