diff options
-rw-r--r-- | RELNOTES | 6 | ||||
-rw-r--r-- | etc/devhelp.profile | 2 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/evince.profile | 1 | ||||
-rw-r--r-- | etc/firefox-esr.profile | 2 | ||||
-rw-r--r-- | etc/firefox.profile | 3 | ||||
-rw-r--r-- | etc/yelp.profile | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/macros.c | 49 |
9 files changed, 56 insertions, 11 deletions
@@ -2,6 +2,12 @@ firejail (0.9.62.2) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * patches from Debian (firejail 0.9.62-3, sid): | 3 | * patches from Debian (firejail 0.9.62-3, sid): |
4 | profile-fixes.patch, apparmor-include.patch | 4 | profile-fixes.patch, apparmor-include.patch |
5 | * patches form Debian (firejail 0.9.64-4, sid) | ||
6 | CVE-2020-17367 reported by Tim Starling | ||
7 | CVE-2020-17368 reported by Tim Starling | ||
8 | * patches form Debian (firejail 0.9.64-4, sid) | ||
9 | element-profile.patch, usrsharedoc.patch, | ||
10 | pathnames.patch, usr-share-firefox.patch | ||
5 | -- netblue30 <netblue30@yahoo.com> Fri, 7 Aug 2020 08:00:00 -0500 | 11 | -- netblue30 <netblue30@yahoo.com> Fri, 7 Aug 2020 08:00:00 -0500 |
6 | 12 | ||
7 | firejail (0.9.62) baseline; urgency=low | 13 | firejail (0.9.62) baseline; urgency=low |
diff --git a/etc/devhelp.profile b/etc/devhelp.profile index 5c1935835..cc9553e73 100644 --- a/etc/devhelp.profile +++ b/etc/devhelp.profile | |||
@@ -16,6 +16,8 @@ include disable-programs.inc | |||
16 | include disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | whitelist /usr/share/devhelp | 18 | whitelist /usr/share/devhelp |
19 | whitelist /usr/share/doc | ||
20 | whitelist /usr/share/gtk-doc/html | ||
19 | include whitelist-common.inc | 21 | include whitelist-common.inc |
20 | include whitelist-usr-share-common.inc | 22 | include whitelist-usr-share-common.inc |
21 | 23 | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ce0c5de43..a489a8fbb 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -71,6 +71,8 @@ blacklist ${HOME}/.config/Code | |||
71 | blacklist ${HOME}/.config/Code - OSS | 71 | blacklist ${HOME}/.config/Code - OSS |
72 | blacklist ${HOME}/.config/Code Industry | 72 | blacklist ${HOME}/.config/Code Industry |
73 | blacklist ${HOME}/.config/Cryptocat | 73 | blacklist ${HOME}/.config/Cryptocat |
74 | blacklist ${HOME}/.config/Element | ||
75 | blacklist ${HOME}/.config/Element (Riot) | ||
74 | blacklist ${HOME}/.config/Enox | 76 | blacklist ${HOME}/.config/Enox |
75 | blacklist ${HOME}/.config/Franz | 77 | blacklist ${HOME}/.config/Franz |
76 | blacklist ${HOME}/.config/FreeCAD | 78 | blacklist ${HOME}/.config/FreeCAD |
diff --git a/etc/evince.profile b/etc/evince.profile index 0ace1dc3e..ba68e45b4 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | whitelist /usr/share/doc | ||
20 | whitelist /usr/share/evince | 21 | whitelist /usr/share/evince |
21 | whitelist /usr/share/poppler | 22 | whitelist /usr/share/poppler |
22 | whitelist /usr/share/tracker | 23 | whitelist /usr/share/tracker |
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile index 6c1d77986..5e69fdb51 100644 --- a/etc/firefox-esr.profile +++ b/etc/firefox-esr.profile | |||
@@ -6,5 +6,7 @@ include firefox-esr.local | |||
6 | # added by included profile | 6 | # added by included profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | whitelist /usr/share/firefox-esr | ||
10 | |||
9 | # Redirect | 11 | # Redirect |
10 | include firefox.profile | 12 | include firefox.profile |
diff --git a/etc/firefox.profile b/etc/firefox.profile index 50f40a039..4a2cb260f 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -14,6 +14,9 @@ mkdir ${HOME}/.mozilla | |||
14 | whitelist ${HOME}/.cache/mozilla/firefox | 14 | whitelist ${HOME}/.cache/mozilla/firefox |
15 | whitelist ${HOME}/.mozilla | 15 | whitelist ${HOME}/.mozilla |
16 | 16 | ||
17 | whitelist /usr/share/doc | ||
18 | whitelist /usr/share/firefox | ||
19 | whitelist /usr/share/gtk-doc/html | ||
17 | whitelist /usr/share/mozilla | 20 | whitelist /usr/share/mozilla |
18 | whitelist /usr/share/webext | 21 | whitelist /usr/share/webext |
19 | include whitelist-usr-share-common.inc | 22 | include whitelist-usr-share-common.inc |
diff --git a/etc/yelp.profile b/etc/yelp.profile index 41138cd17..acd483209 100644 --- a/etc/yelp.profile +++ b/etc/yelp.profile | |||
@@ -18,6 +18,7 @@ include disable-xdg.inc | |||
18 | 18 | ||
19 | mkdir ${HOME}/.config/yelp | 19 | mkdir ${HOME}/.config/yelp |
20 | whitelist ${HOME}/.config/yelp | 20 | whitelist ${HOME}/.config/yelp |
21 | whitelist /usr/share/doc | ||
21 | whitelist /usr/share/help | 22 | whitelist /usr/share/help |
22 | whitelist /usr/share/yelp | 23 | whitelist /usr/share/yelp |
23 | whitelist /usr/share/yelp-xsl | 24 | whitelist /usr/share/yelp-xsl |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 5cd6a602c..97148c6b6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -165,6 +165,7 @@ easystroke | |||
165 | ebook-viewer | 165 | ebook-viewer |
166 | electron-mail | 166 | electron-mail |
167 | electrum | 167 | electrum |
168 | element-desktop | ||
168 | elinks | 169 | elinks |
169 | empathy | 170 | empathy |
170 | enchant | 171 | enchant |
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 9ed6b9715..ef64178b5 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -258,6 +258,28 @@ char *expand_macros(const char *path) { | |||
258 | return rv; | 258 | return rv; |
259 | } | 259 | } |
260 | 260 | ||
261 | // replace control characters with a '?' | ||
262 | static char *fix_control_chars(const char *fname) { | ||
263 | assert(fname); | ||
264 | |||
265 | size_t len = strlen(fname); | ||
266 | char *rv = malloc(len + 1); | ||
267 | if (!rv) | ||
268 | errExit("malloc"); | ||
269 | |||
270 | size_t i = 0; | ||
271 | while (fname[i] != '\0') { | ||
272 | if (iscntrl((unsigned char) fname[i])) | ||
273 | rv[i] = '?'; | ||
274 | else | ||
275 | rv[i] = fname[i]; | ||
276 | i++; | ||
277 | } | ||
278 | rv[i] = '\0'; | ||
279 | |||
280 | return rv; | ||
281 | } | ||
282 | |||
261 | void invalid_filename(const char *fname, int globbing) { | 283 | void invalid_filename(const char *fname, int globbing) { |
262 | // EUID_ASSERT(); | 284 | // EUID_ASSERT(); |
263 | assert(fname); | 285 | assert(fname); |
@@ -275,19 +297,24 @@ void invalid_filename(const char *fname, int globbing) { | |||
275 | return; | 297 | return; |
276 | } | 298 | } |
277 | 299 | ||
278 | int len = strlen(ptr); | 300 | size_t i = 0; |
279 | 301 | while (ptr[i] != '\0') { | |
280 | if (globbing) { | 302 | if (iscntrl((unsigned char) ptr[i])) { |
281 | // file globbing ('*?[]') is allowed | 303 | fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters allowed\n", |
282 | if (strcspn(ptr, "\\&!\"'<>%^(){};,") != (size_t)len) { | 304 | fix_control_chars(fname)); |
283 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr); | ||
284 | exit(1); | 305 | exit(1); |
285 | } | 306 | } |
307 | i++; | ||
286 | } | 308 | } |
287 | else { | 309 | |
288 | if (strcspn(ptr, "\\&!?\"'<>%^(){};,*[]") != (size_t)len) { | 310 | char *reject; |
289 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr); | 311 | if (globbing) |
290 | exit(1); | 312 | reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed |
291 | } | 313 | else |
314 | reject = "\\&!?\"'<>%^{};,*[]"; | ||
315 | char *c = strpbrk(ptr, reject); | ||
316 | if (c) { | ||
317 | fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c); | ||
318 | exit(1); | ||
292 | } | 319 | } |
293 | } | 320 | } |