openSUSE Security Update : firejail (openSUSE-2021-271)

critical Nessus Plugin ID 146524

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for firejail fixes the following issues :

firejail 0.9.64.4 is shipped to openSUSE Leap 15.2

- CVE-2021-26910: Fixed root privilege escalation due to race condition (boo#1181990)

Update to 0.9.64.4 :

- disabled overlayfs, pending multiple fixes

- fixed launch firefox for open url in telegram-desktop.profile

Update to 0.9.64.2 :

- allow --tmpfs inside $HOME for unprivileged users

- --disable-usertmpfs compile time option

- allow AF_BLUETOOTH via --protocol=bluetooth

- setup guide for new users: contrib/firejail-welcome.sh

- implement netns in profiles

- added nolocal6.net IPv6 network filter

- new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.

Update to version 0.9.64 :

- replaced --nowrap option with --wrap in firemon

- The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use
--seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file.

- Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version.

- DHCP client support

- firecfg only fix dektop-files if started with sudo

- SELinux labeling support

- custom 32-bit seccomp filter support

- restrict $(RUNUSER) in several profiles

- blacklist shells such as bash in several profiles

- whitelist globbing

- mkdir and mkfile support for /run/user directory

- support ignore for include

- --include on the command line

- splitting up media players whitelists in whitelist-players.inc

- new condition: HAS_NOSOUND

- new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster

- new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl

- new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11

- new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool

- new profiles: desktopeditors, impressive, planmaker18, planmaker18free

- new profiles: presentations18, presentations18free, textmaker18, teams

- new profiles: textmaker18free, xournal, gnome-screenshot, ripperX

- new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro

- new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command

- new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux

- new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row

- new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin

- new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars

- new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless

- new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers

- new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski

- new profiles: swell-foop, fdns, five-or-more, steam-runtime

- new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im

- new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper

- new profiles: gapplication, openarena_ded, element-desktop, cawbird

- new profiles: freetube, strawberry, jitsi-meet-desktop

- new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash

- new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx

- new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar

- new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube

- new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi

- new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube

- new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send

- new profiles: qrencode, ytmdesktop, twitch

- new profiles: xournalpp, chromium-freeworld, equalx

- Make the AppArmor profile compatible with AppArmor 3.0 (add missing include <tunables/global>)

Update to 0.9.62.4

- fix AppArmor broken in the previous release

- miscellaneous fixes

Update to 0.9.62.2

- fix CVE-2020-17367

- fix CVE-2020-17368

Solution

Update the affected firejail packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1181990

Plugin Details

Severity: Critical

ID: 146524

File Name: openSUSE-2021-271.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2/16/2021

Updated: 1/22/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-17368

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:firejail, p-cpe:/a:novell:opensuse:firejail-debuginfo, p-cpe:/a:novell:opensuse:firejail-debugsource, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/10/2021

Vulnerability Publication Date: 8/11/2020

Reference Information

CVE: CVE-2020-17367, CVE-2020-17368, CVE-2021-26910