MGASA-2020-0328 - Updated firejail packages fix security vulnerability

Publication date: 18 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0328.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-17367,
     CVE-2020-17368

It was reported that firejail does not respect the end-of-options separator
("--"), allowing an attacker with control over the command line options of the
sandboxed application, to write data to a specified file (CVE-2020-17367).

It was reported that firejail when redirecting output via --output or
--output-stderr, concatenates all command line arguments into a single string
that is passed to a shell. An attacker who has control over the command line
arguments of the sandboxed application could take advantage of this flaw to run
arbitrary commands (CVE-2020-17368).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27059
- https://www.debian.org/security/2020/dsa-4742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17367
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17368

SRPMS:
- 7/core/firejail-0.9.56-2.2.mga7

Mageia 2020-0328: firejail security update

It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to...

Summary

It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to write data to a specified file (CVE-2020-17367).
It was reported that firejail when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands (CVE-2020-17368).

References

- https://bugs.mageia.org/show_bug.cgi?id=27059

- https://www.debian.org/security/2020/dsa-4742

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17367

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17368

Resolution

MGASA-2020-0328 - Updated firejail packages fix security vulnerability

SRPMS

- 7/core/firejail-0.9.56-2.2.mga7

Severity
Publication date: 18 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0328.html
Type: security
CVE: CVE-2020-17367, CVE-2020-17368

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo