Package: firejail / 0.9.58.2-2+deb10u3
Metadata
Package | Version | Patches format |
---|---|---|
firejail | 0.9.58.2-2+deb10u3 | 3.0 (quilt) |
Patch series

Patch | File | Diffstat (lines: added +, removed -, modified !) | Description |
---|---|---|---|
disable-internet-tests.patch | test/environment/dns.exp | 20: 0+ 20- 0! | Disable tests that attempt to access the internet. |
config-hardening.patch | etc/firejail.config | 4: 2+ 2- 0! | Change global default settings: restrict networking feature (a new network namespace can be used to circumvent the packet filter of the default namespace, see #916920); disable cgroup by default (can be used to move processes into less restricted cgroups). Bug-Debian: https://bugs.debian.org/916920 |
apparmor-include.patch | Makefile.in | 2: 0+ 2- 0! | Don't install local AppArmor override file; it will be created by dh_apparmor instead with a name matching the profile name (firejail-default). Bug: https://github.com/netblue30/firejail/issues/2388 |
seccomp-join.patch | src/firejail/firejail.h | 16: 8+ 8- 0! | [PATCH] mount runtime seccomp files read-only (#2602). Bug: https://github.com/netblue30/firejail/issues/2718; Bug-Debian: https://bugs.debian.org/929732 |
truncation.patch | src/firejail/shutdown.c | 11: 5+ 6- 0! | [PATCH] shutdown option: give sandbox time to terminate. Bug: https://github.com/netblue30/firejail/issues/2401; Bug-Debian: https://bugs.debian.org/929733 |
CVE-2020-17367.patch | src/firejail/output.c | 6: 6+ 0- 0! | [PATCH 1/2] firejail: don't interpret output arguments after end-of-options tag. Firejail was parsing --output and --output-stderr options even after the end-of-options separator ("--"), which would allow someone who has control over command line options of the sandboxed application to write data to a specified file. Fixes: CVE-2020-17367. Reported-by: Tim Starling <tstarling@wikimedia.org> |
CVE-2020-17368.patch | src/firejail/output.c | 86: 57+ 29- 0! | [PATCH 2/2] firejail: don't pass command line through shell when redirecting output. When redirecting output via --output or --output-stderr, firejail was concatenating all command line arguments into a single string that was passed to a shell. As the arguments were no longer escaped, the shell was able to interpret them. Someone who has control over the command line arguments of the sandboxed application could use this to run arbitrary other commands. Instead of passing it through a shell for piping the output to ftee, the pipeline is now manually created and the processes are executed directly. Fixes: CVE-2020-17368. Reported-by: Tim Starling <tstarling@wikimedia.org> |
disabled-overlayfs.patch | configure | 20: 8+ 12- 0! | Disabled overlayfs, 0.9.64.4 testing. |
CVE-2022-31214-1.patch | src/firejail/caps.c | 49: 11+ 38- 0! | [PATCH 1/3] fixing CVE-2022-31214 |
CVE-2022-31214-2.patch | test/utils/shutdown.exp | 2: 1+ 1- 0! | [PATCH 2/3] shutdown testing |
CVE-2022-31214-3.patch | src/firejail/fs_etc.c | 6: 5+ 1- 0! | [PATCH 3/3] CVE-2022-31214: fixing the fix |
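The config-hardening.patch row states what the Debian maintainers changed in etc/firejail.config (networking restricted, cgroup support off) but not the lines themselves. The fragment below is an added illustration, not the patch text from this page: the key names `restricted-network` and `cgroup` and the upstream defaults shown as "before" are taken from firejail.config's documented options and are assumptions here, not quoted from the patch.

```ini
# etc/firejail.config, added illustration (not the Debian patch itself).
# Key names and upstream defaults are assumed from firejail.config's own
# documentation; the patch on this page changes two lines.

# Before: upstream defaults (commented lines show the built-in value)
# cgroup yes
# restricted-network no

# After: the hardened defaults the Debian patch describes.
# Networking features (--net, --interface, ...) become root-only, because a
# new network namespace would otherwise let a sandboxed process escape the
# packet filter of the default namespace (Debian bug #916920).
restricted-network yes
# Moving a process into a cgroup could place it in a less restricted one,
# so cgroup support is switched off by default.
cgroup no
```

Unprivileged users hit the first setting as soon as they pass a network option to firejail; that is the intended effect, not a misconfiguration.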
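The CVE-2020-17367 and CVE-2020-17368 rows describe two bug shapes in the same option-handling code: honouring `--output` after the `--` separator, and flattening argv into a shell command line for the redirect. The program below is an added example, not firejail's code; `find_output_option`, `build_shell_string`, `run_with_output` and `read_file` are this example's own names, the logger child stands in for firejail's ftee helper, and the "x; rm -rf ~" argument is a constructed input. It shows the scanner stopping at `--`, the vulnerable string that a shell would have interpreted (built only for comparison, never executed), and the fixed shape that creates the pipe and runs the command directly so each argv element stays one word.

```c
/* Added example, not firejail's own code: the option-parsing and output-
 * redirection shapes behind CVE-2020-17367 and CVE-2020-17368. Function names
 * (find_output_option, build_shell_string, run_with_output) are this example's own. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* CVE-2020-17367 shape: honour --output=FILE only before the "--" separator.
 * Returns the file name (or NULL) and stores the index of the command in *cmd_start. */
const char *find_output_option(int argc, char **argv, int *cmd_start) {
    const char *out = NULL;
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0) { i++; break; }   /* end of options: stop scanning */
        if (argv[i][0] != '-') break;                      /* first non-option is the command */
        if (strncmp(argv[i], "--output=", 9) == 0) out = argv[i] + 9;
    }
    *cmd_start = i;
    return out;
}

/* CVE-2020-17368 shape: flatten argv into one string for "sh -c '... | ftee FILE'".
 * Once the shell sees it, "x; rm -rf ~" is no longer a single argument.
 * Built here only for comparison and never executed. Caller frees the result. */
char *build_shell_string(char **cmd, const char *outfile) {
    size_t len = strlen(outfile) + 16;
    for (char **a = cmd; *a; a++) len += strlen(*a) + 1;
    char *s = malloc(len);
    if (!s) return NULL;
    s[0] = '\0';
    for (char **a = cmd; *a; a++) { strcat(s, *a); strcat(s, " "); }
    strcat(s, "| ftee ");
    strcat(s, outfile);
    return s;
}

/* Fixed shape: build the pipe and fork both ends directly, so the command's
 * argv reaches execvp untouched. The logger child plays the role of ftee and
 * copies the command's stdout into outfile (mode 0600).
 * Returns the command's exit status, or -1 if the pipeline could not be set up. */
int run_with_output(char **cmd, const char *outfile) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t logger = fork();
    if (logger == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (logger == 0) {
        close(fds[1]);
        int out = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (out == -1) _exit(1);
        char buf[4096];
        ssize_t n;
        while ((n = read(fds[0], buf, sizeof buf)) > 0)
            if (write(out, buf, (size_t)n) != n) _exit(1);
        _exit(0);
    }
    pid_t child = fork();
    if (child == -1) { close(fds[0]); close(fds[1]); waitpid(logger, NULL, 0); return -1; }
    if (child == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(cmd[0], cmd);   /* no shell in between: each element stays one word */
        _exit(127);
    }
    close(fds[0]);
    close(fds[1]);             /* parent drops the write end so the logger sees EOF */
    int status = 0;
    waitpid(child, &status, 0);
    waitpid(logger, NULL, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read back a small file into buf (NUL-terminated); used to check the redirection. */
ssize_t read_file(const char *path, char *buf, size_t bufsize) {
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    ssize_t n = read(fd, buf, bufsize - 1);
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

int main(void) {
    /* Constructed input: an argument a shell would split into two commands. */
    char *cmd[] = {"echo", "x; rm -rf ~", NULL};
    char *shell = build_shell_string(cmd, "/tmp/fj_example_out.txt");
    printf("what sh -c would have seen: %s\n", shell);
    free(shell);
    int rc = run_with_output(cmd, "/tmp/fj_example_out.txt");
    char buf[64] = "";
    read_file("/tmp/fj_example_out.txt", buf, sizeof buf);
    printf("exit=%d, file holds: %s", rc, buf);   /* the literal "x; rm -rf ~" */
    return rc == 0 ? 0 : 1;
}
```

The contrast is in the two strings: the shell form would have run `rm -rf ~` as a second command, while the direct pipeline hands echo a single argument and the file ends up containing it verbatim.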