firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
firejail (Ubuntu) | Fix Released | Medium | Steve Beattie |
Bug Description
https:/
and
https:/
"Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation."
According to the apt changelog, the current version (0.9.62-3) was published in January 2020 and thus cannot include the fix. Also there is no mention of the relevant CVE in the apt changelog.
Either firejail should be upgraded, or a fix backported to the version in 20.04.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: firejail 0.9.62-3
ProcVersionSign
Uname: Linux 5.8.0-43-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Wed Feb 24 16:17:42 2021
InstallationDate: Installed on 2021-01-18 (37 days ago)
InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: firejail
UpgradeStatus: No upgrade log present (probably fresh install)
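The triage the report performs by hand (compare the packaged version with the fixed upstream release, then look for the CVE in the package changelog) can be scripted. The following is an added example, not part of the original report or of firejail or Ubuntu tooling; the function names, the simplified version comparison and the changelog samples (including the `+example1` version suffix) are constructed for illustration.

```python
import re

CVE_ID = "CVE-2021-26910"      # from the bug report
FIXED_UPSTREAM = "0.9.64.4"    # from the CVE text: "before 0.9.64.4"

def upstream_tuple(pkg_version):
    """Upstream part of a Debian-style version as a tuple of ints.

    Simplification (assumption): drops the epoch ("1:") and the Debian
    revision ("-3"), then keeps the leading number of each dotted field.
    This is not full dpkg ordering (no "~" or letter handling).
    """
    v = pkg_version.split(":", 1)[-1]
    if "-" in v:
        v = v.rsplit("-", 1)[0]
    parts = []
    for field in v.split("."):
        m = re.match(r"\d+", field)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def triage(installed, changelog, cve=CVE_ID, fixed=FIXED_UPSTREAM):
    """Return 'fixed-upstream', 'backported' or 'vulnerable'."""
    if upstream_tuple(installed) >= upstream_tuple(fixed):
        return "fixed-upstream"
    # A distribution can patch an older upstream release; the only trace
    # is then a changelog entry naming the CVE. Read the matching entry
    # before trusting it, since a mention is not proof of a fix.
    if re.search(r"\b" + re.escape(cve) + r"\b", changelog, re.IGNORECASE):
        return "backported"
    return "vulnerable"

# Constructed changelog samples, not real Ubuntu changelog text.
CHANGELOG_UNPATCHED = """firejail (0.9.62-3) unstable; urgency=medium

  * Constructed sample entry with no CVE reference.
"""
CHANGELOG_BACKPORT = """firejail (0.9.62-3+example1) focal-security; urgency=medium

  * SECURITY UPDATE: constructed sample entry
    - CVE-2021-26910
"""

if __name__ == "__main__":
    print(triage("0.9.62-3", CHANGELOG_UNPATCHED))
    print(triage("0.9.62-3+example1", CHANGELOG_BACKPORT))
```

On a real system the changelog text would come from `apt changelog firejail`, as the report describes.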
CVE References
Changed in firejail (Ubuntu):
importance: Undecided → Medium
summary:
- firejail version in Ubuntu 20.04 LTS is vulnarable to CVE-2021-26910
+ firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910
I'm changing this to public security bug, as the CVE is already published.