Discussion:
Bug#850160: firejail: Firejail local root exploit
Moritz Muehlenhoff
2017-01-04 14:10:01 UTC
Package: firejail
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.openwall.com/lists/oss-security/2017/01/04/1

Cheers,
Moritz
Debian Bug Tracking System
2017-01-04 23:30:02 UTC
Your message dated Wed, 04 Jan 2017 23:18:32 +0000
with message-id <E1cOupE-000A46-***@fasolo.debian.org>
and subject line Bug#850160: fixed in firejail 0.9.44.2-2
has caused the Debian Bug report #850160,
regarding firejail: Firejail local root exploit
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
850160: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850160
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2017-01-05 10:20:01 UTC
reopen -1
Bug #850160 {Done: Reiner Herrmann <***@reiner-h.de>} [firejail] firejail: CVE-2017-5180: local root exploit
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions firejail/0.9.44.2-2.
Debian Bug Tracking System
2017-01-06 13:10:01 UTC
Your message dated Fri, 06 Jan 2017 13:03:25 +0000
with message-id <E1cPUB3-0004A9-***@fasolo.debian.org>
and subject line Bug#850160: fixed in firejail 0.9.44.2-3
has caused the Debian Bug report #850160,
regarding firejail: CVE-2017-5180: local root exploit
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
Salvatore Bonaccorso
2017-01-06 13:10:02 UTC
Hi Reiner,
Hi Moritz,
there have been new CVE assignments for firejail. Most of them are fixed in
https://github.com/netblue30/firejail/commits/0.9.44-bugfixes
https://security-tracker.debian.org/tracker/CVE-2016-10122
https://github.com/netblue30/firejail/commit/e847207df28e181a8f590ade825b5f06d4fadf17
https://github.com/netblue30/firejail/commit/18f6e9dc9b304f7aca291c3edce5122562b1e36c
https://security-tracker.debian.org/tracker/CVE-2016-10118
https://github.com/netblue30/firejail/commit/8b5b444c766b8d0592346decc6ed4a6d345e4f67
Can you please mark them as fixed in 0.9.44.2 in the security tracker?
I have updated the status for those two CVEs.

Regards,
Salvatore
