From b7cf89ecf2c74ece1ee5c1bc55b10936fe7e045a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 8 Feb 2021 08:59:48 -0500 Subject: security advisory --- README.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'README.md') diff --git a/README.md b/README.md index 973c4dcbd..635d1b28b 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,32 @@ Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com +````` +Security Adivsory - Feb 8, 2021 + +Summary: A vulnerability resulting in root privilege escalation was discovered in Firejail's OverlayFS code, + +Versions affected: Firejail software versions starting with 0.9.30. Long Term Support (LTS) Firejail branch is not affected by this bug. + +Workaround: Disable overlayfs feature at runtime. In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no". + + $ grep overlayfs /etc/firejail/firejail.config + # Enable or disable overlayfs features, default enabled. + overlayfs no + +Fix: The bug is fixed in Firejail version 0.9.64.4 + +GitHub commit: (file configure.ac) +https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b + +Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability. +Functional PoC exploit code was provided to Firejail development team. +A description of the problem is here on Roman's blog: + +https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt +https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/ +````` + ## Installing Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. -- cgit v1.2.3-70-g09d2