Firejail: New release on Monday (Aug 10): CVE fixes

Created on 8 Aug 2020 · 10 Comments · Source: netblue30/firejail

Details here: https://www.debian.org/security/2020/dsa-4742, thanks @reinerh

The release is on branch release-0.9.62 ($ git clone -b release-0.9.62 https://github.com/netblue30/firejail)

I included most of the patches from Debian (firejail 0.9.64-4 in Debian sid): profile-fixes.patch, apparmor-include.patch, element-profile.patch, usrsharedoc.patch, pathnames.patch, usr-share-firefox.patch. I'll check they are already in on mainline.

If you want to put other fixes in go right ahead, we can delay the release 2 or 3 days. Profile fixes, new app profiles, security hardening, etc. - no big features please!

Also LTS release next week (ping @startx2017)

CVE fixes already on mainline: https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b, https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37

All 10 comments

Until #3530 is fixed, we should not add disable-shell.inc to a profile since it breaks AppImages. We can (and maybe should) include the file itself in a release.

wruc must also not be used in 0.9.62.

I'll go through git log 0.9.62..master etc. to add more fixes.

Ok, I think I got most of the commits which fix profiles. I've not looked for C fixes, new profiles and hardenings, though some commits in this list are of that kind. Keep in mind that some commits in this list are reverted/superseded by later ones.

commits


Go for it, but make sure when you test you are on that branch, not on main.

0.9.62.2 is up and running!

@rusty-snake: I think you are the Fedora guy here, can you build a Fedora package? I'll load it on sourceforge and here in the release section. Thanks!

LTS coming up in the next few days.

@netblue30

0.9.62.2? Not 0.9.64? I'm confused.

It's a small bugfix update on top of .62.
.64 will be the next release based on current master branch.

We don't have output.c in LTS. No new release!

Once #3530 is fixed, we should release a 0.9.64 soon IMO. 0.9.62 is from December 2019, now we have August 2020. That is a long time, especially for profiles.

@netblue30 I tried with ./configure && make rpms but it failed. I then built it using mock with this firejail.spec: firejail-0.9.62.2-1.fc32.x86_64.rpm. It definitely does not work on OpenSUSE Leap. IDK if this is helpful. However, I unfortunately have no time in the next week to do more on this.

Thanks, it is good enough, I'll load it on the sites. And yes, will go for a full release as you suggested.

New release (0.9.62.4) at the end of the week, apparmor broken: https://github.com/netblue30/firejail/issues/3585

All set, 0.9.62.4 is out.
