| Summary: | firejail security vulnerability CVE-2020-17367 , CVE-2020-17368 | ||
|---|---|---|---|
| Product: | [ROSA-based products] ROSA Fresh | Reporter: | Zombie Ryushu <zombie.ryushu> |
| Component: | Packages from Main | Assignee: | ROSA Linux Bugs <bugs> |
| Status: | CONFIRMED --- | QA Contact: | ROSA Linux Bugs <bugs> |
| Severity: | normal | ||
| Priority: | Normal | CC: | alzim, andrey.bondrov, denis.silakov, mc2374 |
| Version: | KDE4 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://advisories.mageia.org/MGASA-2020-0328.html | ||
| Whiteboard: | |||
| Platform: | 2016.1 | ROSA Vulnerability identifier: | CVE-2020-17367 , CVE-2020-17368 |
| RPM Package: | firejail-0.9.56-2.2.mga7 | ISO-related: | |
| Bad POT generating: | Upstream: | ||
It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application, to write data to a specified file (CVE-2020-17367). It was reported that firejail when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary commands (CVE-2020-17368).