Mailinglist Archive: opensuse-bugs (4250 mails)

< Previous Next >
[Bug 1018259] New: VUL-0: CVE-2017-5180: firejail: local root exploit
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Thu, 05 Jan 2017 08:20:10 +0000
  • Message-id: <>

Bug ID: 1018259
Summary: VUL-0: CVE-2017-5180: firejail: local root exploit
Classification: openSUSE
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: 3rd party software
Assignee: tiwai@xxxxxxxx
Reporter: astieger@xxxxxxxx
QA Contact: security-team@xxxxxxx
CC: krahmer@xxxxxxxx, tiwai@xxxxxxxx
Found By: Security Response Team
Blocker: ---

courtesy bug from the SUSE security team for a package not in the distribution:


* Firejail has too broad attack surface that allows users
* to specify a lot of options, where one of them eventually
* broke by accessing user-files while running with euid 0.

const char *const ldso = "/etc/";
snprintf(path, sizeof(path) - 1, "%s/.firenail/.Xauthority", home);
symlink(ldso, path)

Also note that Virtualization/firejail is at 0.9.44, while has the

Version, Sunday, December 4, 2016

security: overwrite /etc/resolv.conf found by Martin Carpenter
secuirty: TOCTOU exploit for –get and –put found by Daniel Hodson
security: invalid environment exploit found by Martin Carpenter
security: several security enhancements


You are receiving this mail because:
You are on the CC list for the bug.
< Previous Next >
This Thread
  • No further messages