diff options
author | Reiner Herrmann <reiner@reiner-h.de> | 2020-07-29 20:16:16 +0200 |
---|---|---|
committer | Reiner Herrmann <reiner@reiner-h.de> | 2020-08-06 17:19:49 +0200 |
commit | 2c734d6350ad321fccbefc5ef0382199ac331b37 (patch) | |
tree | 9329a3ad1f27ced221266c94ee6c8755611801a8 | |
parent | Support to ingore a include foobar.inc (diff) | |
download | firejail-2c734d6350ad321fccbefc5ef0382199ac331b37.tar.gz firejail-2c734d6350ad321fccbefc5ef0382199ac331b37.tar.zst firejail-2c734d6350ad321fccbefc5ef0382199ac331b37.zip |
firejail: don't interpret output arguments after end-of-options tag
Firejail was parsing --output and --output-stderr options even after
the end-of-options separator ("--"), which would allow someone who
has control over command line options of the sandboxed application,
to write data to a specified file.
Fixes: CVE-2020-17367
Reported-by: Tim Starling <tstarling@wikimedia.org>
-rw-r--r-- | src/firejail/output.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/firejail/output.c b/src/firejail/output.c index d4a7f464a..6e678afd3 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) { | |||
30 | int enable_stderr = 0; | 30 | int enable_stderr = 0; |
31 | 31 | ||
32 | for (i = 1; i < argc; i++) { | 32 | for (i = 1; i < argc; i++) { |
33 | if (strncmp(argv[i], "--", 2) != 0) { | ||
34 | return; | ||
35 | } | ||
36 | if (strcmp(argv[i], "--") == 0) { | ||
37 | return; | ||
38 | } | ||
33 | if (strncmp(argv[i], "--output=", 9) == 0) { | 39 | if (strncmp(argv[i], "--output=", 9) == 0) { |
34 | outindex = i; | 40 | outindex = i; |
35 | break; | 41 | break; |