diff options
| author |  Reiner Herrmann <reiner@reiner-h.de> | 2020-07-29 20:16:16 +0200 |
|---|---|---|
| committer | Reiner Herrmann <reiner@reiner-h.de> | 2020-08-06 17:19:49 +0200 |
| commit | 2c734d6350ad321fccbefc5ef0382199ac331b37 (patch) | |
| tree | 9329a3ad1f27ced221266c94ee6c8755611801a8 | |
| parent | Support to ingore a include foobar.inc (diff) | |
| download | firejail-2c734d6350ad321fccbefc5ef0382199ac331b37.tar.gz firejail-2c734d6350ad321fccbefc5ef0382199ac331b37.tar.zst firejail-2c734d6350ad321fccbefc5ef0382199ac331b37.zip | |
firejail: don't interpret output arguments after end-of-options tag
Firejail was parsing --output and --output-stderr options even after
the end-of-options separator ("--"), which would allow someone who
has control over command line options of the sandboxed application,
to write data to a specified file.
Fixes: CVE-2020-17367
Reported-by: Tim Starling <tstarling@wikimedia.org>
| -rw-r--r-- | src/firejail/output.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/firejail/output.c b/src/firejail/output.c index d4a7f464a..6e678afd3 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
| @@ -30,6 +30,12 @@ void check_output(int argc, char **argv) { | |||
| 30 | int enable_stderr = 0; | 30 | int enable_stderr = 0; |
| 31 | 31 | ||
| 32 | for (i = 1; i < argc; i++) { | 32 | for (i = 1; i < argc; i++) { |
| 33 | if (strncmp(argv[i], "--", 2) != 0) { | ||
| 34 | return; | ||
| 35 | } | ||
| 36 | if (strcmp(argv[i], "--") == 0) { | ||
| 37 | return; | ||
| 38 | } | ||
| 33 | if (strncmp(argv[i], "--output=", 9) == 0) { | 39 | if (strncmp(argv[i], "--output=", 9) == 0) { |
| 34 | outindex = i; | 40 | outindex = i; |
| 35 | break; | 41 | break; |