Alerts This Week
Warning Icon 1 1,146
Alerts This Week
Warning Icon 1 1,146

Mageia: 2020-0328 Moderate: Firejail Command Injection Threat

mageia
Calendar Grey August 18, 2020
Dist Mageia Esm H88
The recent Firejail patch MGASA-2020-0328 tackles a significant flaw. The update outlines the security risks and the steps taken to mitigate them.
It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to...

Summary

It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to write data to a specified file (CVE-2020-17367).
It was reported that firejail when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands (CVE-2020-17368).

References

- https://bugs.mageia.org/show_bug.cgi?id=27059

- https://lists.debian.org/debian-security-announce/2020/msg00149.html

- https://www.cve.org/CVERecord?id=CVE-2020-17367

- https://www.cve.org/CVERecord?id=CVE-2020-17368

Resolution

SRPMS

- 7/core/firejail-0.9.56-2.2.mga7

Publication date: 18 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0328.html
Type: security
CVE: CVE-2020-17367, CVE-2020-17368

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here