Detections
Analytics

openSUSE Security Update : firejail (openSUSE-2021-271)

critical Nessus Plugin ID 146524

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for firejail fixes the following issues :

firejail 0.9.64.4 is shipped to openSUSE Leap 15.2

 - CVE-2021-26910: Fixed root privilege escalation due to race condition (boo#1181990)

Update to 0.9.64.4 :

 - disabled overlayfs, pending multiple fixes

 - fixed launch firefox for open url in telegram-desktop.profile

Update to 0.9.64.2 :

 - allow --tmpfs inside $HOME for unprivileged users

 - --disable-usertmpfs compile time option

 - allow AF_BLUETOOTH via --protocol=bluetooth

 - setup guide for new users: contrib/firejail-welcome.sh

 - implement netns in profiles

 - added nolocal6.net IPv6 network filter

 - new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi, new profiles: guvcview, pkglog, kdiff3, CoyIM.

Update to version 0.9.64 :

 - replaced --nowrap option with --wrap in firemon

 - The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use
 --seccomp-error-action=kill or syscall:kill syntax when constructing filters, or override in /etc/firejail/firejail.config file.

 - Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
 xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version.

 - DHCP client support

 - firecfg only fix dektop-files if started with sudo

 - SELinux labeling support

 - custom 32-bit seccomp filter support

 - restrict $(RUNUSER) in several profiles

 - blacklist shells such as bash in several profiles

 - whitelist globbing

 - mkdir and mkfile support for /run/user directory

 - support ignore for include

 - --include on the command line

 - splitting up media players whitelists in whitelist-players.inc

 - new condition: HAS_NOSOUND

 - new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster

 - new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl

 - new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11

 - new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool

 - new profiles: desktopeditors, impressive, planmaker18, planmaker18free

 - new profiles: presentations18, presentations18free, textmaker18, teams

 - new profiles: textmaker18free, xournal, gnome-screenshot, ripperX

 - new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro

 - new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command

 - new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux

 - new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row

 - new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin

 - new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars

 - new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless

 - new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers

 - new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski

 - new profiles: swell-foop, fdns, five-or-more, steam-runtime

 - new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im

 - new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper

 - new profiles: gapplication, openarena_ded, element-desktop, cawbird

 - new profiles: freetube, strawberry, jitsi-meet-desktop

 - new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash

 - new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx

 - new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar

 - new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube

 - new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi

 - new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube

 - new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send

 - new profiles: qrencode, ytmdesktop, twitch

 - new profiles: xournalpp, chromium-freeworld, equalx

 - Make the AppArmor profile compatible with AppArmor 3.0 (add missing include <tunables/global>)

Update to 0.9.62.4

 - fix AppArmor broken in the previous release

 - miscellaneous fixes

Update to 0.9.62.2

 - fix CVE-2020-17367

 - fix CVE-2020-17368

Solution

Update the affected firejail packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1181990

Plugin Details

Severity: Critical

ID: 146524

File Name: openSUSE-2021-271.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2/16/2021

Updated: 1/22/2024

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-17368

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:firejail, p-cpe:/a:novell:opensuse:firejail-debuginfo, p-cpe:/a:novell:opensuse:firejail-debugsource, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/10/2021

Vulnerability Publication Date: 8/11/2020

Reference Information

CVE: CVE-2020-17367, CVE-2020-17368, CVE-2021-26910