SB2017020929 - Gentoo update for Firejail
Published: February 9, 2017 Updated: February 9, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2017-5180)
The vulnerability allows a local authenticated user to execute arbitrary code.
Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.
2) Improper Privilege Management (CVE-ID: CVE-2017-5940)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to firejail does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.
Remediation
Install update from vendor's website.