Urgent Security Vulnerability [upgrade-software-version]

Bug #1949194 reported by Lonnie Lee Best
Affects: firejail (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Firejail needs to be upgraded as soon as possible:
https://github.com/netblue30/firejail#security-vulnerabilities

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: firejail 0.9.62-3
ProcVersionSignature: Ubuntu 5.4.0-89.100-generic 5.4.143
Uname: Linux 5.4.0-89-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu27.21
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: KDE
Date: Fri Oct 29 07:21:09 2021
InstallationDate: Installed on 2020-04-26 (551 days ago)
InstallationMedia: Kubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: firejail
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.firejail.firejail.config: [modified]
mtime.conffile..etc.firejail.firejail.config: 2021-10-29T07:20:36.256854

Reiner Herrmann (deki) wrote :

Duplicate of #1916767

Changed in firejail (Ubuntu):
status: New → Invalid
Lonnie Lee Best (launchpad-startport) wrote :

Invalid? Did you follow the link that reveals that version 0.9.62 (the latest available in the repository) has a security vulnerability that wasn't fixed until version 0.9.64.4?

Lonnie Lee Best (launchpad-startport) wrote :

Well, I guess you would know. As I recall, you're the guy who discovered this. I see you wrote a patch in 1916767; Is that live now? Do I still need to set "overlayfs no"?

Reiner Herrmann (deki) wrote :

The "fix" released in 0.9.64.4 was to disable overlayfs support in firejail.
The same is being done by the patch in 1916767 for 0.9.62.
(with "invalid" I mean that there is already a duplicate bug. launchpad does not have a status "duplicate".)
The fix is unfortunately not live yet, it's waiting for someone from the security team to sponsor the upload.
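
The check below is an added example (not code from this bug report, the Ubuntu package or the firejail project) that applies the reasoning in the comment above: a host is covered either by running a release that already removed overlayfs support (0.9.64.4 upstream) or by carrying the "overlayfs no" workaround in /etc/firejail/firejail.config. It assumes the config syntax `overlayfs yes|no`, that `#` starts a comment, that the last setting wins and that an absent key means "yes"; the two sample config files are constructed inline. The version string alone cannot tell whether a distro-patched 0.9.62 (as described above) carries the fix, so such a build is treated as unfixed unless the config disables overlayfs.

```shell
#!/bin/sh
# Added example, not from the bug report or the firejail project.
# Decide whether a firejail install still needs the "overlayfs no"
# workaround: the upstream fix in 0.9.64.4 disabled overlayfs outright,
# and the Ubuntu patch for 0.9.62 does the same.
#
# Assumptions (not stated on this page): firejail.config uses the syntax
# "overlayfs yes|no", lines starting with '#' are comments, the last
# setting wins, and an absent key means "yes". A version string alone
# cannot reveal a distro patch, so a patched 0.9.62 is treated as unfixed.

FIXED_VERSION="0.9.64.4"   # first upstream release with overlayfs disabled

# version_ge A B -> exit 0 if dotted version A >= B (numeric per component)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# overlayfs_setting FILE -> prints the effective value, "yes" or "no"
overlayfs_setting() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        $1 == "overlayfs" { val = tolower($2) }   # last occurrence wins
        END { v = (val == "") ? "yes" : val; print v }
    ' "$1"
}

# overlayfs_disabled FILE -> exit 0 if the effective setting is "no"
overlayfs_disabled() {
    [ "$(overlayfs_setting "$1")" = "no" ]
}

# needs_mitigation VERSION FILE -> exit 0 if overlayfs is still reachable
needs_mitigation() {
    if version_ge "$1" "$FIXED_VERSION"; then
        return 1     # upstream release already has overlayfs removed
    fi
    if overlayfs_disabled "$2"; then
        return 1     # older release, but the workaround is in place
    fi
    return 0
}

# Constructed sample configs (stand-ins for /etc/firejail/firejail.config).
VULN_CFG=$(mktemp) ; FIXED_CFG=$(mktemp)
trap 'rm -f "$VULN_CFG" "$FIXED_CFG"' EXIT
cat >"$VULN_CFG" <<'EOF'
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
EOF
cat >"$FIXED_CFG" <<'EOF'
# Enable or disable overlayfs features, default enabled.
overlayfs no
EOF

# Report for the package version named in this bug (0.9.62) against both configs.
for cfg in "$VULN_CFG" "$FIXED_CFG"; do
    if needs_mitigation "0.9.62" "$cfg"; then
        echo "0.9.62, overlayfs=$(overlayfs_setting "$cfg"): set 'overlayfs no' or upgrade"
    else
        echo "0.9.62, overlayfs=$(overlayfs_setting "$cfg"): mitigated"
    fi
done
```

On a real host, replace the constructed files with /etc/firejail/firejail.config and the version with the output of `firejail --version`; if the package is a patched 0.9.62, confirm the patch is present from the changelog rather than from the version number.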

Lonnie Lee Best (launchpad-startport) wrote :

Thanks for discovering this and patching it. Given that this is a security related bug, I consider its importance High (not medium). But, perhaps others see it differently.

Lonnie Lee Best (launchpad-startport) wrote :

Instead of patching that old version, why can't they just upgrade the package that's in the repository instead? Debian 11 stable has a reputation for running older packages for stability's sake, yet even they are running Firejail 0.9.64.4!

Recently, I've run into another issue that would benefit from this upgrade as well:
https://askubuntu.com/questions/1373963/firefox-94-broke-my-hot-keys

Lonnie Lee Best (launchpad-startport) wrote :

See Roland Kaufmann's comment here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1739919
