firejail: CVE-2017-5207: root shell via --bandwidth and --shell

Related Vulnerabilities: CVE-2017-5207, CVE-2017-5180, CVE-2017-5206

Debian Bug report logs - #850528


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 7 Jan 2017 13:36:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version firejail/0.9.44.2-1

Fixed in version firejail/0.9.44.4-1

Done: Reiner Herrmann <reiner@reiner-h.de>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/netblue30/firejail/issues/1023



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Reiner Herrmann <reiner@reiner-h.de>:
Bug#850528; Package src:firejail. (Sat, 07 Jan 2017 13:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Reiner Herrmann <reiner@reiner-h.de>. (Sat, 07 Jan 2017 13:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firejail: root shell via --bandwidth and --shell
Date: Sat, 07 Jan 2017 14:33:26 +0100
Source: firejail
Version: 0.9.44.2-1
Severity: grave
Tags: upstream security patch fixed-upstream
Justification: user security hole
Forwarded: https://github.com/netblue30/firejail/issues/1023

Hi

There is no CVE assigned for this one yet: 

https://github.com/netblue30/firejail/issues/1023
https://github.com/netblue30/firejail/commit/5d43fdcd215203868d440ffc42036f5f5ffc89fc

CVE requested here:

http://www.openwall.com/lists/oss-security/2017/01/07/3

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Reiner Herrmann <reiner@reiner-h.de>:
Bug#850528; Package src:firejail. (Sat, 07 Jan 2017 18:09:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Reiner Herrmann <reiner@reiner-h.de>. (Sat, 07 Jan 2017 18:09:09 GMT)


Message #10 received at 850528@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 850528@bugs.debian.org
Subject: Re: Bug#850528: firejail: root shell via --bandwidth and --shell
Date: Sat, 7 Jan 2017 19:03:12 +0100
Control: retitle -1 firejail: CVE-2017-5207: root shell via --bandwidth and --shell

Hi

On Sat, Jan 07, 2017 at 02:33:26PM +0100, Salvatore Bonaccorso wrote:
> Source: firejail
> Version: 0.9.44.2-1
> Severity: grave
> Tags: upstream security patch fixed-upstream
> Justification: user security hole
> Forwarded: https://github.com/netblue30/firejail/issues/1023
> 
> Hi
> 
> There is no CVE assigned for this one yet: 
> 
> https://github.com/netblue30/firejail/issues/1023
> https://github.com/netblue30/firejail/commit/5d43fdcd215203868d440ffc42036f5f5ffc89fc
> 
> CVE requested here:
> 
> http://www.openwall.com/lists/oss-security/2017/01/07/3

This one has been assigned CVE-2017-5207 now.

Regards,
Salvatore



Changed Bug title to 'firejail: CVE-2017-5207: root shell via --bandwidth and --shell' from 'firejail: root shell via --bandwidth and --shell'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 850528-submit@bugs.debian.org. (Sat, 07 Jan 2017 18:09:09 GMT)


Reply sent to Reiner Herrmann <reiner@reiner-h.de>:
You have taken responsibility. (Sat, 07 Jan 2017 19:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 07 Jan 2017 19:51:09 GMT)


Message #17 received at 850528-close@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 850528-close@bugs.debian.org
Subject: Bug#850528: fixed in firejail 0.9.44.4-1
Date: Sat, 07 Jan 2017 19:48:28 +0000
Source: firejail
Source-Version: 0.9.44.4-1

We believe that the bug you reported is fixed in the latest version of
firejail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated firejail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Jan 2017 20:24:40 +0100
Source: firejail
Binary: firejail
Architecture: source
Version: 0.9.44.4-1
Distribution: unstable
Urgency: high
Maintainer: Reiner Herrmann <reiner@reiner-h.de>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Description:
 firejail   - sandbox to restrict the application environment
Closes: 850528 850558
Changes:
 firejail (0.9.44.4-1) unstable; urgency=high
 .
   * New upstream release.
     - Security fixes for: CVE-2017-5180, CVE-2017-5206, CVE-2017-5207
       (Closes: #850528, #850558)
   * Drop patches applied upstream.
Checksums-Sha1:
 a87a960ef7c9d87e55dece847f90691ee120fa47 2375 firejail_0.9.44.4-1.dsc
 710de2e9791142edcc6ab46b64d595e09ff4071d 213648 firejail_0.9.44.4.orig.tar.xz
 9dfa38cf6708cf25834919a650784e9808684d28 473 firejail_0.9.44.4.orig.tar.xz.asc
 24f52ba92871e14d0f93405c0ac8f5f6da1cc809 6028 firejail_0.9.44.4-1.debian.tar.xz
Checksums-Sha256:
 f91186d24681e0d47f3ad6af121948cb5c62b61151fd2283aa99c530fb3fcd8d 2375 firejail_0.9.44.4-1.dsc
 2d70a2cd554835db0e2eba201c0466e247fbaa2b60c86abd34b9170e0eebc10f 213648 firejail_0.9.44.4.orig.tar.xz
 965d6ce0416680baf6d6028759ac8a90a13a672342172fbbacdde04528b9f7a7 473 firejail_0.9.44.4.orig.tar.xz.asc
 bc9f7abd0ee38d1916175854422218edf385564efbbaee17fee00ab467114629 6028 firejail_0.9.44.4-1.debian.tar.xz
Files:
 47e66ccff2cbbca333d58226a7855198 2375 utils optional firejail_0.9.44.4-1.dsc
 d1b77101fd0e35a18242d7593486d984 213648 utils optional firejail_0.9.44.4.orig.tar.xz
 4c223fec5bcddb0cc56cc5b16f111111 473 utils optional firejail_0.9.44.4.orig.tar.xz.asc
 3098bae66a536e9c7ca3d331140f50b3 6028 utils optional firejail_0.9.44.4-1.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Feb 2017 07:26:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:43:14 2019; Machine Name: beach
