Comment 5 for bug 1916767

Reiner Herrmann (deki) wrote : Re: firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910

I can't currently post patches, something seems broken in Launchpad. So here is the full patch in a comment:

diff -Nru firejail-0.9.62/debian/changelog firejail-0.9.62/debian/changelog
--- firejail-0.9.62/debian/changelog 2020-01-20 18:53:34.000000000 +0000
+++ firejail-0.9.62/debian/changelog 2021-03-27 15:20:50.000000000 +0000
@@ -1,3 +1,12 @@
+firejail (0.9.62-3ubuntu0.1) focal-security; urgency=low
+
+ * SECURITY UPDATE: bypass of access restrictions (LP: #1916767)
+ - disable OverlayFS support which contains a TOCTOU race condition
+ between a stat operation and an OverlayFS mount.
+ - CVE-2021-26910
+
+ -- Reiner Herrmann <email address hidden> Sat, 27 Mar 2021 15:20:50 +0000
+
 firejail (0.9.62-3) unstable; urgency=medium

   * Import upstream profile fixes:
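Review bot: the new changelog entry uses urgency=low for an upload to focal-security that fixes CVE-2021-26910, while the previous entry below it was urgency=medium; consider raising it to at least medium so that the urgency reflects a security fix. The entry also describes the change only as "disable OverlayFS support" and does not say that this removes functionality for users; one more line stating that the overlay features are unavailable in this build would help administrators who read the changelog before upgrading.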
diff -Nru firejail-0.9.62/debian/control firejail-0.9.62/debian/control
--- firejail-0.9.62/debian/control 2020-01-01 19:14:43.000000000 +0000
+++ firejail-0.9.62/debian/control 2021-03-27 15:18:59.000000000 +0000
@@ -1,7 +1,8 @@
 Source: firejail
 Section: utils
 Priority: optional
-Maintainer: Reiner Herrmann <email address hidden>
+Maintainer: Ubuntu Developers <email address hidden>
+XSBC-Original-Maintainer: Reiner Herrmann <email address hidden>
 Build-Depends: debhelper-compat (= 12), dh-apparmor, libapparmor-dev, pkg-config
 Standards-Version: 4.4.1
 Rules-Requires-Root: no
diff -Nru firejail-0.9.62/debian/patches/CVE-2021-26910.patch firejail-0.9.62/debian/patches/CVE-2021-26910.patch
--- firejail-0.9.62/debian/patches/CVE-2021-26910.patch 1970-01-01 00:00:00.000000000 +0000
+++ firejail-0.9.62/debian/patches/CVE-2021-26910.patch 2021-03-27 15:20:50.000000000 +0000
@@ -0,0 +1,32 @@
+Author: netblue30 <email address hidden>
+Description: disable overlayfs, which is broken on current kernel releases
+ and has security vulnerabilities (CVE-2021-26910)
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767
+
+Index: firejail-0.9.62/configure.ac
+===================================================================
+--- firejail-0.9.62.orig/configure.ac
++++ firejail-0.9.62/configure.ac
+@@ -52,13 +52,16 @@ AC_SUBST([EXTRA_CFLAGS])
+ AC_SUBST([EXTRA_LDFLAGS])
+
+
++# overlayfs features temporarely disabled pending fixes
+ HAVE_OVERLAYFS=""
+-AC_ARG_ENABLE([overlayfs],
+- AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+-AS_IF([test "x$enable_overlayfs" != "xno"], [
+- HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+- AC_SUBST(HAVE_OVERLAYFS)
+-])
++AC_SUBST(HAVE_OVERLAYFS)
++#
++#AC_ARG_ENABLE([overlayfs],
++# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
++#AS_IF([test "x$enable_overlayfs" != "xno"], [
++# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
++# AC_SUBST(HAVE_OVERLAYFS)
++#])
+
+ HAVE_FIRETUNNEL=""
+ AC_ARG_ENABLE([firetunnel],
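Review bot: the embedded CVE-2021-26910.patch edits only configure.ac, so the fix takes effect only if configure is regenerated during the package build. With debhelper-compat (= 12) dh_autoreconf runs by default, but it is worth confirming in the build log that configure is regenerated and that -DHAVE_OVERLAYFS no longer appears in the compile flags. Because the AC_ARG_ENABLE([overlayfs], ...) block is commented out rather than replaced by an explicit error, a build that passes --enable-overlayfs gets at most an unrecognized-option warning and silently produces a binary without the feature; consider failing on that option, or dropping the dead commented lines instead of carrying them. The patch header has Author, Description and Bug-Ubuntu but no Origin or Forwarded field pointing at the upstream commit, which would make the backport easier to audit.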
diff -Nru firejail-0.9.62/debian/patches/series firejail-0.9.62/debian/patches/series
--- firejail-0.9.62/debian/patches/series 2020-01-20 17:59:35.000000000 +0000
+++ firejail-0.9.62/debian/patches/series 2021-03-27 15:12:56.000000000 +0000
@@ -5,3 +5,4 @@
 m4_check_compile_flag.patch
 fix-tests.patch
 profile-fixes.patch
+CVE-2021-26910.patch