oss-sec mailing list archives

Re: Re: Firejail local root exploit


From: Thomas Deutschmann <whissi () gentoo org>
Date: Tue, 31 Jan 2017 19:21:58 +0100

On 2017-01-29 14:14, Ion Ionescu wrote:
> The first fix for CVE-2017-5180 in Firejail version 0.9.44.4 and
> 0.9.38.8 (LTS) was incomplete. Changing .Xauthority to .bashrc in the
> exploit code, the problem is still there - credit Sebastian Krahmer.
> New releases are out: 0.9.44.8 and 0.9.38.10 (LTS). Please assign a
> new CVE.

Associated commits which already appeared in v0.9.44.6:

https://github.com/netblue30/firejail/commit/38d418505e9ee2d326557e5639e8da49c298858f
https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863

Backport for v0.9.38.10:

https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef


-- 
Regards,
Thomas Deutschmann / Gentoo Security Team
C4DD 695F A713 8F24 2AA1  5638 5849 7EE5 1D5D 74A5
