From 2c734d6350ad321fccbefc5ef0382199ac331b37 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Wed, 29 Jul 2020 20:16:16 +0200 Subject: firejail: don't interpret output arguments after end-of-options tag Firejail was parsing --output and --output-stderr options even after the end-of-options separator ("--"), which would allow someone who has control over command line options of the sandboxed application, to write data to a specified file. Fixes: CVE-2020-17367 Reported-by: Tim Starling
---
src/firejail/output.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src')
diff --git a/src/firejail/output.c b/src/firejail/output.c
index d4a7f464a..6e678afd3 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) {
 int enable_stderr = 0;
 for (i = 1; i < argc; i++) {
+ if (strncmp(argv[i], "--", 2) != 0) {
+ return;
+ }
+ if (strcmp(argv[i], "--") == 0) {
+ return;
+ }
 if (strncmp(argv[i], "--output=", 9) == 0) {
 outindex = i;
 break;
-- cgit v1.2.3-54-g00ecf
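Review bot: The two early `return`s added at the top of the loop carry no comment stating the trust boundary they enforce, and the first one (`strncmp(argv[i], "--", 2) != 0`) silently assumes that every firejail option starts with `--` and carries its value in the same argv element. If any option is accepted in another form before `--output=`, this function now returns without setting up output handling; that fails in the safe direction, but it should be stated. I would put a comment above the checks such as `/* stop at the first non-option or at "--": everything from here on belongs to the sandboxed program and must never be parsed as a firejail option */`. check_output continues outside the hunk, so if a later pass in it matches the `--output=` / `--output-stderr=` prefixes over all of argv again, it presumably needs the same stop index, which is worth confirming. A regression test asserting that `--output=` placed after `--` or after the program name creates no file would pin the fix for CVE-2020-17367.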