From 2f6cd3f85497b10d495d213a125cabcea371d682 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 7 Aug 2020 21:16:12 -0400
Subject: patches form Debian (firejail 0.9.64-4, sid): element-profile.patch, usrsharedoc.patch, pathnames.patch, usr-share-firefox.patch

---
 RELNOTES | 6 ++++++
 etc/devhelp.profile | 2 ++
 etc/disable-programs.inc | 2 ++
 etc/evince.profile | 1 +
 etc/firefox-esr.profile | 2 ++
 etc/firefox.profile | 3 +++
 etc/yelp.profile | 1 +
 src/firecfg/firecfg.config | 1 +
 src/firejail/macros.c | 49 +++++++++++++++++++++++++++++++++++-----------
 9 files changed, 56 insertions(+), 11 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index 6cf627aa0..97e3214f0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,12 @@ firejail (0.9.62.2) baseline; urgency=low
 * work in progress
 * patches from Debian (firejail 0.9.62-3, sid): profile-fixes.patch, apparmor-include.patch
+ * patches form Debian (firejail 0.9.64-4, sid)
+ CVE-2020-17367 reported by Tim Starling
+ CVE-2020-17368 reported by Tim Starling
+ * patches form Debian (firejail 0.9.64-4, sid)
+ element-profile.patch, usrsharedoc.patch,
+ pathnames.patch, usr-share-firefox.patch
 -- netblue30 Fri, 7 Aug 2020 08:00:00 -0500
 firejail (0.9.62) baseline; urgency=low
diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index 5c1935835..cc9553e73 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -16,6 +16,8 @@ include disable-programs.inc
 include disable-xdg.inc
 whitelist /usr/share/devhelp
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ce0c5de43..a489a8fbb 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
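Review bot: The `whitelist /usr/share/doc` line added here, and the identical lines added in the evince, firefox and yelp hunks further down, widen each sandbox's read view to the whole documentation tree with no in-profile comment saying which consumer needs it; the only trace is the Debian patch name in the subject. A one-line comment above each addition, e.g. `# from Debian usrsharedoc.patch`, would let a later profile cleanup tell this apart from an accidental widening. If the application actually opens only a subdirectory of /usr/share/doc, that narrower path would be the better whitelist, but nothing in these hunks shows which one.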
@@ -71,6 +71,8 @@ blacklist ${HOME}/.config/Code
 blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
+blacklist ${HOME}/.config/Element
+blacklist ${HOME}/.config/Element (Riot)
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
diff --git a/etc/evince.profile b/etc/evince.profile
index 0ace1dc3e..ba68e45b4 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
index 6c1d77986..5e69fdb51 100644
--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -6,5 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
+whitelist /usr/share/firefox-esr
+
 # Redirect
 include firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 50f40a039..4a2cb260f 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -14,6 +14,9 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
+whitelist /usr/share/doc
+whitelist /usr/share/firefox
+whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
diff --git a/etc/yelp.profile b/etc/yelp.profile
index 41138cd17..acd483209 100644
--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 5cd6a602c..97148c6b6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -165,6 +165,7 @@ easystroke
 ebook-viewer
 electron-mail
 electrum
+element-desktop
 elinks
 empathy
 enchant
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index 9ed6b9715..ef64178b5 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -258,6 +258,28 @@ char *expand_macros(const char *path) {
 return rv;
 }
+// replace control characters with a '?'
+static char *fix_control_chars(const char *fname) {
+ assert(fname);
+
+ size_t len = strlen(fname);
+ char *rv = malloc(len + 1);
+ if (!rv)
+ errExit("malloc");
+
+ size_t i = 0;
+ while (fname[i] != '\0') {
+ if (iscntrl((unsigned char) fname[i]))
+ rv[i] = '?';
+ else
+ rv[i] = fname[i];
+ i++;
+ }
+ rv[i] = '\0';
+
+ return rv;
+}
+
 void invalid_filename(const char *fname, int globbing) {
 // EUID_ASSERT();
 assert(fname);
@@ -275,19 +297,24 @@ void invalid_filename(const char *fname, int globbing) {
 return;
 }
- int len = strlen(ptr);
-
- if (globbing) {
- // file globbing ('*?[]') is allowed
- if (strcspn(ptr, "\\&!\"'<>%^(){};,") != (size_t)len) {
- fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr);
+ size_t i = 0;
+ while (ptr[i] != '\0') {
+ if (iscntrl((unsigned char) ptr[i])) {
+ fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters allowed\n",
+ fix_control_chars(fname));
 exit(1);
 }
+ i++;
 }
- else {
- if (strcspn(ptr, "\\&!?\"'<>%^(){};,*[]") != (size_t)len) {
- fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr);
- exit(1);
- }
+
+ char *reject;
+ if (globbing)
+ reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed
+ else
+ reject = "\\&!?\"'<>%^{};,*[]";
+ char *c = strpbrk(ptr, reject);
+ if (c) {
+ fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
+ exit(1);
 }
 }
--
cgit v1.2.3-54-g00ecf
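Review bot: fix_control_chars hands back a buffer from malloc, but the one-line comment above it does not say the caller owns it, and its only caller in the next hunk passes the result straight into fprintf and then calls exit(1) without freeing it; that is harmless on an exit path, but the contract should be written down so a future non-exiting caller does not leak it. Suggest widening the header comment to `// replace control characters with a '?'; returns a malloc'd copy that the caller must free`. The function also depends on iscntrl from <ctype.h>; the include block is outside this patch, so confirm it is already pulled in by macros.c.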
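Review bot: The replacement reject strings no longer contain `(` and `)`, which the removed strcspn sets did reject, so a filename containing parentheses now passes invalid_filename; the hunk has no comment recording this loosening, and the `Element (Riot)` blacklist path added to disable-programs.inc in the same commit is presumably the reason. Record it next to the assignment, e.g. `// '(' and ')' are accepted: they occur in real profile paths such as "Element (Riot)"`. Both literals are stored in a plain `char *reject`; declare it `const char *reject;` so any later write through it is caught at compile time. The control-character scan runs over `ptr` while the second error message prints `fname` unfiltered; the derivation of `ptr` from `fname` is outside this hunk, so confirm it only skips a fixed literal prefix, and otherwise route that message through fix_control_chars as well. The body of invalid_filename starts before this hunk.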