It was reported that firejail does not respect the end-of-options separator
("--"), allowing an attacker with control over the command line options of the
sandboxed application, to write data to a specified file (CVE-2020-17367).
It was reported that firejail when redirecting output via --output or
--output-stderr, concatenates all command line arguments into a single string
that is passed to a shell. An attacker who has control over the command line
arguments of the sandboxed application could take advantage of this flaw to run
arbitrary commands (CVE-2020-17368).
- https://bugs.mageia.org/show_bug.cgi?id=27059
- https://lists.debian.org/debian-security-announce/2020/msg00149.html
- https://www.cve.org/CVERecord?id=CVE-2020-17367
- https://www.cve.org/CVERecord?id=CVE-2020-17368
- 7/core/firejail-0.9.56-2.2.mga7
Get the latest Linux and open source security news straight to your inbox.