Bug#1015151: firejail: (Regression) Segfault when using --net=$namespace

Sat, 16 Jul 2022 12:51:14 -0700 

Package: firejail
Version: 0.9.64.4-2+deb11u1
Severity: important
X-Debbugs-Cc: debbug.firej...@sideload.33mail.com, t...@security.debian.org

This upgrade introduced a segmentation fault:

  firejail:amd64 0.9.64.4-2 → 0.9.64.4-2+deb11u1

This is a sample command where it fails:

  $ firejail --net=vnet0 --dns="$(ip address show dev vnet0 | awk 
'/inet\>/{gsub(/[/].*/,""); print $2 }')"\
             lynx -dump "$arbitrary_URL"

The network namespace “vnet0” is a Tor middlebox.  This command
previously had no problem, but now it crashes with the following
output:

===8<------------------------------
  firejail: util.c:910: create_empty_dir_as_root: Assertion `(s.st_mode & 
07777) == (mode)' failed.
  Error: proc 23396 cannot sync with peer: unexpected EOF
  Peer 23406 unexpectedly killed (Segmentation fault)
===8<------------------------------

I have set the severity to /important/ because this defect makes it
impossible to restrict apps to the Tor network. There is no
workaround. Perhaps torsocks will work in cases where the app is
expected to access the network via common system calls, but in cases
where apps bypass systems calls we have a breach.  E.g. java apps tend
to not function with torsocks.

-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 
'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-16-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.6-10
ii  libc6         2.31-13+deb11u3
ii  libselinux1   3.1-3

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.64.4-2+deb11u1
ii  iproute2           5.10.0-4
ii  iptables           1.8.7-1
ii  xauth              1:1.1-1
ii  xdg-dbus-proxy     0.1.2-2
ii  xpra               3.0.13+dfsg1-1
ii  xvfb               2:1.20.11-1+deb11u1

firejail suggests no packages.

-- Configuration Files:
/etc/firejail/firejail.config changed [not included]

-- no debconf information

Reply via email to