patches form Debian (firejail 0.9.64-4, sid): element-profile.patch, usrsharedoc.patch, pathnames.patch, usr-share-firefox.patch

9 files changed, 56 insertions, 11 deletions

diff --git a/RELNOTES b/RELNOTES
index 6cf627aa0..97e3214f0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,12 @@ firejail (0.9.62.2) baseline; urgency=low
   * work in progress
   * patches from Debian (firejail 0.9.62-3, sid):
          profile-fixes.patch, apparmor-include.patch
+  * patches form Debian (firejail 0.9.64-4, sid)
+         CVE-2020-17367 reported by Tim Starling
+         CVE-2020-17368 reported by Tim Starling
+  * patches form Debian (firejail 0.9.64-4, sid)
+         element-profile.patch,  usrsharedoc.patch,
+         pathnames.patch, usr-share-firefox.patch
  -- netblue30 <netblue30@yahoo.com>  Fri, 7 Aug 2020 08:00:00 -0500
 
 firejail (0.9.62) baseline; urgency=low
diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index 5c1935835..cc9553e73 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -16,6 +16,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /usr/share/devhelp
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ce0c5de43..a489a8fbb 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -71,6 +71,8 @@ blacklist ${HOME}/.config/Code
 blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
+blacklist ${HOME}/.config/Element
+blacklist ${HOME}/.config/Element (Riot)
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
diff --git a/etc/evince.profile b/etc/evince.profile
index 0ace1dc3e..ba68e45b4 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
index 6c1d77986..5e69fdb51 100644
--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -6,5 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
 
+whitelist /usr/share/firefox-esr
+
 # Redirect
 include firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 50f40a039..4a2cb260f 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -14,6 +14,9 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
+whitelist /usr/share/doc
+whitelist /usr/share/firefox
+whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
diff --git a/etc/yelp.profile b/etc/yelp.profile
index 41138cd17..acd483209 100644
--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 5cd6a602c..97148c6b6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -165,6 +165,7 @@ easystroke
 ebook-viewer
 electron-mail
 electrum
+element-desktop
 elinks
 empathy
 enchant
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index 9ed6b9715..ef64178b5 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -258,6 +258,28 @@ char *expand_macros(const char *path) {
         return rv;
 }
 
+// replace control characters with a '?'
+static char *fix_control_chars(const char *fname) {
+        assert(fname);
+
+        size_t len = strlen(fname);
+        char *rv = malloc(len + 1);
+        if (!rv)
+                errExit("malloc");
+
+        size_t i = 0;
+        while (fname[i] != '\0') {
+                if (iscntrl((unsigned char) fname[i]))
+                        rv[i] = '?';
+                else
+                        rv[i] = fname[i];
+                i++;
+        }
+        rv[i] = '\0';
+
+        return rv;
+}
+
 void invalid_filename(const char *fname, int globbing) {
 //      EUID_ASSERT();
         assert(fname);
@@ -275,19 +297,24 @@ void invalid_filename(const char *fname, int globbing) {
                         return;
         }
 
-        int len = strlen(ptr);
-
-        if (globbing) {
-                // file globbing ('*?[]') is allowed
-                if (strcspn(ptr, "\\&!\"'<>%^(){};,") != (size_t)len) {
-                        fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr);
+        size_t i = 0;
+        while (ptr[i] != '\0') {
+                if (iscntrl((unsigned char) ptr[i])) {
+                        fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters allowed\n",
+                                fix_control_chars(fname));
                         exit(1);
                 }
+                i++;
         }
-        else {
-                if (strcspn(ptr, "\\&!?\"'<>%^(){};,*[]") != (size_t)len) {
-                        fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr);
-                        exit(1);
-                }
+        
+        char *reject;
+        if (globbing)
+                reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed
+        else
+                reject = "\\&!?\"'<>%^{};,*[]";
+        char *c = strpbrk(ptr, reject);
+        if (c) {
+                fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
+                exit(1);
         }
 }