Advisories » MGASA-2020-0328

Updated firejail packages fix security vulnerability

Publication date: 18 Aug 2020
Modification date: 18 Aug 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-17367 , CVE-2020-17368

Description

It was reported that firejail does not respect the end-of-options separator
("--"), allowing an attacker with control over the command line options of the
sandboxed application, to write data to a specified file (CVE-2020-17367).

It was reported that firejail when redirecting output via --output or
--output-stderr, concatenates all command line arguments into a single string
that is passed to a shell. An attacker who has control over the command line
arguments of the sandboxed application could take advantage of this flaw to run
arbitrary commands (CVE-2020-17368).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=27059
• https://www.debian.org/security/2020/dsa-4742
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17367
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17368

SRPMS

7/core

• firejail-0.9.56-2.2.mga7