Package: firejail / 0.9.58.2-2+deb10u3

Metadata

Package: firejail
Version: 0.9.58.2-2+deb10u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
disable internet tests.patch

test/environment/dns.exp | 20 0 + 20 - 0 !
test/sysutils/sysutils.sh | 3 1 + 2 - 0 !
test/utils/trace.exp | 43 0 + 43 - 0 !
test/utils/utils.sh | 3 1 + 2 - 0 !
4 files changed, 2 insertions(+), 67 deletions(-)

 disable tests that attempt to access the internet
config hardening.patch

etc/firejail.config | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 change global default settings
 - restrict networking feature; new network namespace can be used to
   circumvent packet filter of default namespace (see #916920).
 - disable cgroup by default; can be used to move processes into
   less restricted cgroups.
Bug-Debian: https://bugs.debian.org/916920


apparmor include.patch

Makefile.in | 2 0 + 2 - 0 !
etc/firejail-default | 2 1 + 1 - 0 !
src/man/firejail.txt | 2 1 + 1 - 0 !
3 files changed, 2 insertions(+), 4 deletions(-)

 don't install local apparmor override file
 It will be created by dh_apparmor instead with a name matching the
 profile name (firejail-default).
Bug: https://github.com/netblue30/firejail/issues/2388


seccomp join.patch

src/firejail/firejail.h | 16 8 + 8 - 0 !
src/firejail/fs_lib.c | 1 1 + 0 - 0 !
src/firejail/preproc.c | 2 2 + 0 - 0 !
src/firejail/sandbox.c | 8 5 + 3 - 0 !
4 files changed, 16 insertions(+), 11 deletions(-)

 [patch] mount runtime seccomp files read-only (#2602)
Bug: https://github.com/netblue30/firejail/issues/2718
Bug-Debian: https://bugs.debian.org/929732

truncation.patch

src/firejail/shutdown.c | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 [patch] shutdown option: give sandbox time to terminate
Bug: https://github.com/netblue30/firejail/issues/2401
Bug-Debian: https://bugs.debian.org/929733

CVE 2020 17367.patch

src/firejail/output.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch 1/2] firejail: don't interpret output arguments after
 end-of-options tag

Firejail was parsing --output and --output-stderr options even after
the end-of-options separator ("--"), which would allow someone who
has control over the command line options of the sandboxed application
to write data to a specified file.

Fixes: CVE-2020-17367

Reported-by: Tim Starling <tstarling@wikimedia.org>

CVE 2020 17368.patch

src/firejail/output.c | 86 57 + 29 - 0 !
1 file changed, 57 insertions(+), 29 deletions(-)

 [patch 2/2] firejail: don't pass command line through shell when
 redirecting output

When redirecting output via --output or --output-stderr, firejail was
concatenating all command line arguments into a single string
that was passed to a shell. As the arguments were no longer escaped,
the shell was able to interpret them.
Someone who has control over the command line arguments of the
sandboxed application could use this to run arbitrary other commands.

Instead of passing it through a shell for piping the output to ftee,
the pipeline is now manually created and the processes are executed
directly.

Fixes: CVE-2020-17368

Reported-by: Tim Starling <tstarling@wikimedia.org>

disabled overlayfs.patch

configure | 20 8 + 12 - 0 !
configure.ac | 15 9 + 6 - 0 !
2 files changed, 17 insertions(+), 18 deletions(-)

 disabled overlayfs, 0.9.64.4 testing

CVE 2022 31214 1.patch

src/firejail/caps.c | 49 11 + 38 - 0 !
src/firejail/cgroup.c | 25 0 + 25 - 0 !
src/firejail/cpu.c | 51 7 + 44 - 0 !
src/firejail/firejail.h | 38 28 + 10 - 0 !
src/firejail/fs.c | 1 1 + 0 - 0 !
src/firejail/fs_logger.c | 33 8 + 25 - 0 !
src/firejail/join.c | 452 258 + 194 - 0 !
src/firejail/ls.c | 52 8 + 44 - 0 !
src/firejail/main.c | 7 7 + 0 - 0 !
src/firejail/network_main.c | 61 15 + 46 - 0 !
src/firejail/preproc.c | 6 6 + 0 - 0 !
src/firejail/process.c | 244 244 + 0 - 0 !
src/firejail/protocol.c | 33 8 + 25 - 0 !
src/firejail/run_files.c | 52 52 + 0 - 0 !
src/firejail/sandbox.c | 48 22 + 26 - 0 !
src/firejail/seccomp.c | 64 23 + 41 - 0 !
src/firejail/shutdown.c | 58 10 + 48 - 0 !
src/firejail/util.c | 229 22 + 207 - 0 !
src/include/common.h | 3 2 + 1 - 0 !
src/lib/common.c | 77 69 + 8 - 0 !
20 files changed, 801 insertions(+), 782 deletions(-)

 [patch 1/3] fixing cve-2022-31214


CVE 2022 31214 2.patch

test/utils/shutdown.exp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/3] shutdown testing


CVE 2022 31214 3.patch

src/firejail/fs_etc.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch 3/3] cve-2022-31214: fixing the fix