commit: af870a94a84b4073fb0db94d2bd2ef852a64cb1d Author: Amadeusz Żołnowski <aidecoe <AT> gentoo <DOT> org> AuthorDate: Thu Dec 15 21:26:54 2016 +0000 Commit: Amadeusz Piotr Żołnowski <aidecoe <AT> gentoo <DOT> org> CommitDate: Thu Dec 15 21:27:10 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af870a94
sys-apps/firejail: Backport security fix to 0.9.38.4
Gentoo-Bug: 601994
Package-Manager: portage-2.3.3
...l-0.9.38.4-0001-etc-resolv.conf-overwrite.patch | 59 ++++++++++++++++++++++
...0.9.38.4.ebuild => firejail-0.9.38.4-r1.ebuild} | 1 +
2 files changed, 60 insertions(+)
diff --git a/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch b/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch
new file mode 100644
index 00000000..5905b83
--- /dev/null
+++ b/sys-apps/firejail/files/firejail-0.9.38.4-0001-etc-resolv.conf-overwrite.patch
@@ -0,0 +1,59 @@
+From 4f4e59c7529888339fe2337dc893984eb7833d01 Mon Sep 17 00:00:00 2001
+From: netblue30 <[email protected]>
+Date: Wed, 2 Nov 2016 09:17:19 -0400
+Subject: [PATCH] /etc/resolv.conf overwrite
+
+---
+ RELNOTES | 7 ++++++-
+ configure.ac | 2 +-
+ src/firejail/main.c | 8 ++++++++
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/RELNOTES b/RELNOTES
+index 4b5b662..0957292 100644
+--- a/RELNOTES
++++ b/RELNOTES
+@@ -1,4 +1,9 @@
+-firejail (0.9.38.3) baseline; urgency=low
++firejail (0.9.38.5) baseline; urgency=low
++ * this is a development release
++ * security: overwrite /etc/resolv.conf found by Martin Carpenter
++ -- netblue30 <[email protected]> Mon, 2 Nov 2016 10:00:00 -0500
++
++firejail (0.9.38.4) baseline; urgency=low
+ * CVE-2016-7545 submitted by Aleksey Manevich
+ * bugfixes
+ -- netblue30 <[email protected]> Mon, 10 Oct 2016 10:00:00 -0500
+diff --git a/configure.ac b/configure.ac
+index 718cfd3..edd528d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,5 +1,5 @@
+ AC_PREREQ([2.68])
+-AC_INIT(firejail, 0.9.38.4, [email protected], , http://firejail.wordpress.com)
++AC_INIT(firejail, 0.9.38.5, [email protected], , http://firejail.wordpress.com)
+ AC_CONFIG_SRCDIR([src/firejail/main.c])
+ #AC_CONFIG_HEADERS([config.h])
+
+diff --git a/src/firejail/main.c b/src/firejail/main.c
+index 9e2aec4..9c1b73e 100644
+--- a/src/firejail/main.c
++++ b/src/firejail/main.c
+@@ -903,6 +903,14 @@ int main(int argc, char **argv) {
+ return 1;
+ }
+
++ // don't allow "--chroot=/"
++ char *rpath = realpath(cfg.chrootdir, NULL);
++ if (rpath == NULL || strcmp(rpath, "/") == 0) {
++ fprintf(stderr, "Error: invalid chroot directory\n");
++ exit(1);
++ }
++ free(rpath);
++
+ // check chroot directory structure
+ if (fs_check_chroot_dir(cfg.chrootdir)) {
+ fprintf(stderr, "Error: invalid chroot\n");
+--
+2.11.0
+
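Review bot: The resolved path returned by realpath() is freed right after the comparison, and the next line still hands the unresolved cfg.chrootdir to fs_check_chroot_dir() (and presumably to the later chroot, which is outside the hunk), so the value that was checked is not the value that is used — with firejail typically installed setuid-root, the user who supplied --chroot can repoint a symlink component between the check and the use. Carrying the canonical path forward narrows that gap and makes the `/` test apply to what is actually used: replace `free(rpath);` with `cfg.chrootdir = rpath;` (if cfg.chrootdir owns heap memory it should be released first, and if it points into argv it must not be freed; the hunk does not show which). The string comparison also rejects only the literal root: a chroot directory that is a bind mount of / resolves to its own path and passes, so the new comment should say what is really covered, e.g. `// reject the literal root only; a bind mount of / still passes this check`. On the failure branch, appending strerror(errno) to "invalid chroot directory" would tell a missing directory apart from a permission problem. The enclosing main() starts and ends outside the hunk.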
diff --git a/sys-apps/firejail/firejail-0.9.38.4.ebuild b/sys-apps/firejail/firejail-0.9.38.4-r1.ebuild
similarity index 89%
rename from sys-apps/firejail/firejail-0.9.38.4.ebuild
rename to sys-apps/firejail/firejail-0.9.38.4-r1.ebuild
index d35fd1c..1b95976 100644
--- a/sys-apps/firejail/firejail-0.9.38.4.ebuild
+++ b/sys-apps/firejail/firejail-0.9.38.4-r1.ebuild
@@ -17,6 +17,7 @@ IUSE="+seccomp"
 src_prepare() {
 epatch "${FILESDIR}"/${P}-sysmacros.patch
+ epatch "${FILESDIR}"/${P}-0001-etc-resolv.conf-overwrite.patch
 find -name Makefile.in -exec sed -i -r \
 -e '/CFLAGS/s: (-O2|-ggdb) : :g' \
 -e '1iCC=@CC@' {} + || die
