SUSE 5179 Published by

A firejail security update has been released for openSUSE Leap 15.2.



openSUSE-SU-2021:0271-1: important: Security update for firejail


openSUSE Security Update: Security update for firejail
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0271-1
Rating: important
References: #1181990
Cross-References: CVE-2020-17367 CVE-2020-17368 CVE-2021-26910

CVSS scores:
CVE-2020-17367 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-17368 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for firejail fixes the following issues:

firejail 0.9.64.4 is shipped to openSUSE Leap 15.2

- CVE-2021-26910: Fixed root privilege escalation due to race condition
(boo#1181990)

Update to 0.9.64.4:

* disabled overlayfs, pending multiple fixes
* fixed launch firefox for open url in telegram-desktop.profile

Update to 0.9.64.2:

* allow --tmpfs inside $HOME for unprivileged users
* --disable-usertmpfs compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
* added nolocal6.net IPv6 network filter
* new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer,
gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer,
straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, npm, marker,
yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi, new profiles: guvcview,
pkglog, kdiff3, CoyIM.

Update to version 0.9.64:

* replaced --nowrap option with --wrap in firemon
* The blocking action of seccomp filters has been changed from killing the
process to returning EPERM to the caller. To get the previous behaviour,
use --seccomp-error-action=kill or syscall:kill syntax when constructing
filters, or override in /etc/firejail/firejail.config file.
* Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must
be installed, if not D-Bus access will be allowed. With this version
nodbus is deprecated, in favor of dbus-user none and dbus-system none
and will be removed in a future version.
* DHCP client support
* firecfg only fix dektop-files if started with sudo
* SELinux labeling support
* custom 32-bit seccomp filter support
* restrict ${RUNUSER} in several profiles
* blacklist shells such as bash in several profiles
* whitelist globbing
* mkdir and mkfile support for /run/user directory
* support ignore for include
* --include on the command line
* splitting up media players whitelists in whitelist-players.inc
* new condition: HAS_NOSOUND
* new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
* new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
* new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
* new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl,
mutool
* new profiles: desktopeditors, impressive, planmaker18, planmaker18free
* new profiles: presentations18, presentations18free, textmaker18, teams
* new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
* new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
* new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
* new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
* new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
* new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
* new profiles: gnome-tetravex, blobwars,
gravity-beams-and-evaporating-stars
* new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
* new profiles: mirrormagic, mrrescue, scorched3d-wrapper,
scorchwentbonkers
* new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
* new profiles: swell-foop, fdns, five-or-more, steam-runtime
* new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
* new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher,
xonotic-sdl-wrapper
* new profiles: gapplication, openarena_ded, element-desktop, cawbird
* new profiles: freetube, strawberry, jitsi-meet-desktop
* new profiles: homebank, mattermost-desktop, newsflash,
com.gitlab.newsflash
* new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer,
lyx
* new profiles: minitube, nuclear, mtpaint, minecraft-launcher,
gnome-calendar
* new profiles: vmware, git-cola, otter-browser, kazam, menulibre,
musictube
* new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
* new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
* new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
* new profiles: qrencode, ytmdesktop, twitch
* new profiles: xournalpp, chromium-freeworld, equalx

- Make the AppArmor profile compatible with AppArmor 3.0 (add missing
include )

Update to 0.9.62.4

* fix AppArmor broken in the previous release
* miscellaneous fixes

Update to 0.9.62.2

* fix CVE-2020-17367
* fix CVE-2020-17368

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-271=1


Package List:

- openSUSE Leap 15.2 (x86_64):

firejail-0.9.64.4-lp152.3.6.1
firejail-debuginfo-0.9.64.4-lp152.3.6.1
firejail-debugsource-0.9.64.4-lp152.3.6.1

References:

  https://www.suse.com/security/cve/CVE-2020-17367.html
  https://www.suse.com/security/cve/CVE-2020-17368.html
  https://www.suse.com/security/cve/CVE-2021-26910.html
  https://bugzilla.suse.com/1181990