Source: firejail
Version: 0.9.52-1
Severity: critical
Tags: security upstream pending fixed-upstream
Forwarded: https://github.com/netblue30/firejail/issues/2718
X-Debbugs-CC: t...@security.debian.org

A bug in firejail allows bypassing seccomp protection when an existing jail is joined with another one [2].

Upstream description [0]:

> Seccomp filters are copied into /run/firejail/mnt, and are writable
> within the jail. A malicious process can modify files from inside the
> jail. Processes that are later joined to the jail will not have seccomp
> filters applied.

A fix is available [1] and also released in the new upstream version 0.9.60. I will upload a backported fix to 0.9.58.2-1 to unstable soon.

The earliest acknowledged version that is affected is 0.9.52 (upstream provides a patch for this version in [0]), but likely earlier versions are affected as well.

According to [2], a CVE number has been requested.

[0] https://github.com/netblue30/firejail/commit/30f6000e72bd8d9eee6a0d2e700d69ed9be3aa29
[1] https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
[2] https://github.com/netblue30/firejail/issues/2718
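One way to check for the effect described in the report above, as an added example that is not part of the original report or of firejail: the Linux kernel exposes each process's seccomp mode in the `Seccomp:` field of `/proc/<pid>/status` (0 = disabled, 1 = strict, 2 = filter), so a process in a jail that is not in filter mode can be flagged. The PIDs and status text in `SAMPLE` are constructed, and the function names are illustrative.

```python
import re
from pathlib import Path

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}
# Match only the "Seccomp:" line, not "Seccomp_filters:" on newer kernels.
_FIELD = re.compile(r"^Seccomp:[ \t]*(\d+)[ \t]*$", re.MULTILINE)


def seccomp_mode(status_text):
    """Return the seccomp mode from /proc/<pid>/status text, or None if absent."""
    match = _FIELD.search(status_text)
    return int(match.group(1)) if match else None


def unfiltered(statuses):
    """Given {pid: status_text}, return sorted pids not in seccomp filter mode.

    A missing field is reported too, since the process cannot be shown
    to be filtered.
    """
    return sorted(pid for pid, text in statuses.items()
                  if seccomp_mode(text) != 2)


def read_statuses(pids, proc_root="/proc"):
    """Read status files for live pids; processes that have exited are skipped."""
    out = {}
    for pid in pids:
        try:
            out[pid] = (Path(proc_root) / str(pid) / "status").read_text()
        except OSError:
            continue
    return out


# Constructed sample: the process that started the jail and one joined later.
SAMPLE = {
    4101: "Name:\tbash\nPid:\t4101\nNoNewPrivs:\t1\nSeccomp:\t2\n",
    4188: "Name:\tbash\nPid:\t4188\nNoNewPrivs:\t0\nSeccomp:\t0\n",
}

if __name__ == "__main__":
    for pid in unfiltered(SAMPLE):
        mode = seccomp_mode(SAMPLE[pid])
        print(f"pid {pid}: seccomp {SECCOMP_MODES.get(mode, 'unknown')}")
```

On a live system, pass the PIDs of the jail's processes to `read_statuses()` and feed the result to `unfiltered()`.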