firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910

Bug #1916767 reported by Arvid Norlander
This bug affects 2 people
Affects: firejail (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Steve Beattie

Bug Description

https://nvd.nist.gov/vuln/detail/CVE-2021-26910
and
https://www.debian.org/security/2021/dsa-4849

"Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation."

According to the apt changelog, the current version (0.9.62-3) was published in January 2020 and thus cannot include the fix. Also there is no mention of the relevant CVE in the apt changelog.

Either firejail should be upgraded, or a fix backported to the version in 20.04.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: firejail 0.9.62-3
ProcVersionSignature: Ubuntu 5.8.0-43.49~20.04.1-generic 5.8.18
Uname: Linux 5.8.0-43-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Wed Feb 24 16:17:42 2021
InstallationDate: Installed on 2021-01-18 (37 days ago)
InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: firejail
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Arvid Norlander (vorpalblade) wrote :

I'm changing this to public security bug, as the CVE is already published.

information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Revision history for this message
Reiner Herrmann (deki) wrote : Re: firejail version in Ubuntu 20.04 LTS is vulnarable to CVE-2021-26910

Attached is a debdiff that backports the upstream fix for this issue, which disables the vulnerable overlayfs support (which was anyway broken on recent kernel versions).

It compiles in an Ubuntu Focal chroot. I also verified that after installation in the same chroot the overlayfs support is disabled (firejail --version -> "overlayfs support is disabled").

Revision history for this message
Reiner Herrmann (deki) wrote :

I can't currently post patches, something seems broken in Launchpad. So here is the full patch in a comment:

diff -Nru firejail-0.9.62/debian/changelog firejail-0.9.62/debian/changelog
--- firejail-0.9.62/debian/changelog 2020-01-20 18:53:34.000000000 +0000
+++ firejail-0.9.62/debian/changelog 2021-03-27 15:20:50.000000000 +0000
@@ -1,3 +1,12 @@
+firejail (0.9.62-3ubuntu0.1) focal-security; urgency=low
+
+ * SECURITY UPDATE: bypass of access restrictions (LP: #1916767)
+ - disable OverlayFS support which contains a TOCTOU race condition
+ between a stat operation and an OverlayFS mount.
+ - CVE-2021-26910
+
+ -- Reiner Herrmann <email address hidden> Sat, 27 Mar 2021 15:20:50 +0000
+
 firejail (0.9.62-3) unstable; urgency=medium

   * Import upstream profile fixes:
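Review bot: the changelog entry names the CVE and the TOCTOU race but says nothing about the user-visible consequence of the fix, which is that overlayfs-based sandboxing is no longer available at all in this build rather than merely patched; a short line stating that the overlayfs feature is removed (and that, as noted later in the thread, it was already non-functional on recent kernels) would tell administrators what to expect before they upgrade.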
diff -Nru firejail-0.9.62/debian/control firejail-0.9.62/debian/control
--- firejail-0.9.62/debian/control 2020-01-01 19:14:43.000000000 +0000
+++ firejail-0.9.62/debian/control 2021-03-27 15:18:59.000000000 +0000
@@ -1,7 +1,8 @@
 Source: firejail
 Section: utils
 Priority: optional
-Maintainer: Reiner Herrmann <email address hidden>
+Maintainer: Ubuntu Developers <email address hidden>
+XSBC-Original-Maintainer: Reiner Herrmann <email address hidden>
 Build-Depends: debhelper-compat (= 12), dh-apparmor, libapparmor-dev, pkg-config
 Standards-Version: 4.4.1
 Rules-Requires-Root: no
diff -Nru firejail-0.9.62/debian/patches/CVE-2021-26910.patch firejail-0.9.62/debian/patches/CVE-2021-26910.patch
--- firejail-0.9.62/debian/patches/CVE-2021-26910.patch 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/debian/patches/CVE-2021-26910.patch 2021-03-27 15:20:50.000000000 +0000
@@ -0,0 +1,32 @@
+Author: netblue30 <email address hidden>
+Description: disable overlayfs, which is broken on current kernel releases
+ and has security vulnerabilities (CVE-2021-26910)
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767
+
+Index: firejail-0.9.62/configure.ac
+===================================================================
+--- firejail-0.9.62.orig/configure.ac
++++ firejail-0.9.62/configure.ac
+@@ -52,13 +52,16 @@ AC_SUBST([EXTRA_CFLAGS])
+ AC_SUBST([EXTRA_LDFLAGS])
+
+
++# overlayfs features temporarely disabled pending fixes
+ HAVE_OVERLAYFS=""
+-AC_ARG_ENABLE([overlayfs],
+- AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+-AS_IF([test "x$enable_overlayfs" != "xno"], [
+- HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+- AC_SUBST(HAVE_OVERLAYFS)
+-])
++AC_SUBST(HAVE_OVERLAYFS)
++#
++#AC_ARG_ENABLE([overlayfs],
++# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
++#AS_IF([test "x$enable_overlayfs" != "xno"], [
++# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
++# AC_SUBST(HAVE_OVERLAYFS)
++#])
+
+ HAVE_FIRETUNNEL=""
+ AC_ARG_ENABLE([firetunnel],
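Review bot: the DEP-3 header carries Author, Description and Bug-Ubuntu but no Origin: line pointing at the upstream commit this was taken from, so a reviewer cannot cheaply confirm the backport matches upstream; please add one. Note also that the leading indentation inside the nested configure.ac hunk shows up here as single spaces (for example the `+- AS_HELP_STRING` and `+- HAVE_OVERLAYFS=` lines), which matches the tab-to-space mangling mentioned in the following comment, so this inline copy is unlikely to apply cleanly and the pasted debdiff should be treated as the source of record. Functionally the change is straightforward: HAVE_OVERLAYFS is left empty and substituted as-is, so -DHAVE_OVERLAYFS is never defined and the --disable-overlayfs configure option disappears along with the commented-out AC_ARG_ENABLE block; the test in the thread (firejail --version reporting "overlayfs support is disabled") is the right way to confirm the built package matches this intent.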
diff -Nru firejail-0.9.62/debian/patches/series firejail-0.9.62/debian/patches/series
--- firejail-0.9.62/debian/patches/series 2020-01-20 17:59:35.000000000 +0000
+++ firejail-0.9.62/debian/patches/series 2021-03-27 15:12:56.000000000 +0000
@@ -5,3 +5,4 @@
 m4_check_compile_flag.patch
 fix-tests.patch
 profile-fixes.patch
+CVE-2021-26910.patch

tags: added: patch patch-accepted-debian patch-accepted-upstream
Changed in firejail (Ubuntu):
status: New → Confirmed
Revision history for this message
Reiner Herrmann (deki) wrote :

Launchpad also seems to have mangled it (converted tabs to spaces).
Please get the debdiff from here: https://paste.ubuntu.com/p/t6wF6253Yq/

Mathew Hodson (mhodson)
Changed in firejail (Ubuntu):
importance: Undecided → Medium
summary: - firejail version in Ubuntu 20.04 LTS is vulnarable to CVE-2021-26910
+ firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi, thanks for preparing this and apologies that it got overlooked. I've uploaded it to the security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ where it has passed autopkgtests. Any additional testing before it gets released to focal-security would be appreciated!

Just to confirm my understanding is correct, disabling the overlayfs confinement is disabling it as an option, and is not essential to firejail's effectiveness, correct?

Changed in firejail (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Steve Beattie (sbeattie)
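For anyone doing the additional testing Steve asks for, here is an added check script (not part of this thread or of the firejail package) that uses the two signals the thread relies on: the package version reaching 0.9.62-3ubuntu0.1 and the "overlayfs support is disabled" line in firejail --version, as verified in Reiner's chroot test. It assumes the wording of that --version line and, where dpkg is unavailable, GNU sort for the -V version ordering.

```shell
#!/bin/sh
# Added check script, not from the bug thread or the firejail project.
# Reports whether an installed firejail carries the 0.9.62-3ubuntu0.1 update
# and was built without overlayfs, using the package version and the
# "overlayfs support is disabled" line of `firejail --version`.
# Assumptions: that --version wording; GNU sort (for -V) when dpkg is absent.

FIXED_VERSION="0.9.62-3ubuntu0.1"   # version that entered focal-security

# overlayfs_disabled OUTPUT: succeeds when the --version text says overlayfs is compiled out.
overlayfs_disabled() {
    printf '%s\n' "$1" | grep -qi 'overlayfs support is disabled'
}

# version_fixed VERSION: succeeds when VERSION is at or above FIXED_VERSION.
# dpkg understands the "ubuntu0.1" suffix; sort -V is the fallback and orders
# 0.9.62-3 before 0.9.62-3ubuntu0.1 because the shorter prefix sorts first.
version_fixed() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$FIXED_VERSION"
    else
        lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n 1)
        [ "$lowest" = "$FIXED_VERSION" ]
    fi
}

# check_host: inspect the real package and binary on this machine.
# Returns 0 only when both the version and the build flags say the fix is in.
check_host() {
    pkgver=$(dpkg-query -W -f='${Version}' firejail 2>/dev/null) || {
        echo "firejail is not installed"; return 2; }
    verout=$(firejail --version 2>/dev/null || true)
    if version_fixed "$pkgver" && overlayfs_disabled "$verout"; then
        echo "OK: firejail $pkgver, overlayfs support disabled"
        return 0
    fi
    echo "VULNERABLE: firejail $pkgver still has overlayfs support or predates the CVE-2021-26910 update"
    return 1
}

# Uncomment to run against the local host:
# check_host
```

Both signals are checked on purpose: a locally rebuilt package could carry the fixed version string while still being configured with overlayfs enabled, and only the --version output reflects what was actually compiled in.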
Revision history for this message
Reiner Herrmann (deki) wrote :

Hi Steve,
thanks for taking care of this issue!
The patch disables overlayfs support completely (at build time), which is (was) one of many confinement features of firejail. But this is not really a problem, as the feature was already otherwise broken with newer kernel versions (~4.19):
https://github.com/netblue30/firejail/issues/2799
https://bugs.debian.org/971578
All other confinement features stay effective.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firejail - 0.9.62-3ubuntu0.1

---------------
firejail (0.9.62-3ubuntu0.1) focal-security; urgency=low

  * SECURITY UPDATE: bypass of access restrictions (LP: #1916767)
    - disable OverlayFS support which contains a TOCTOU race condition
      between a stat operation and an OverlayFS mount.
    - CVE-2021-26910

 -- Reiner Herrmann <email address hidden> Sat, 27 Mar 2021 15:20:50 +0000

Changed in firejail (Ubuntu):
status: In Progress → Fix Released