Drop patches for CVE-2017-5180 (applied upstream) Reiner Herrmann 7 years ago
3 changed file(s) with 0 addition(s) and 394 deletion(s).
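--- a/debian/patches/cve-2017-5180.patch
+++ b/debian/patches/cve-2017-5180.patch
@@ -1,72 +0,0 @@
-Author: netblue30 <netblue30@yahoo.com>
-Description: Fix for CVE-2017-5180
-Bug: https://github.com/netblue30/firejail/issues/1020
-Bug-Debian: https://bugs.debian.org/850160
-Origin: upstream, https://github.com/netblue30/firejail/commit/eaa105b0d0fcfaec7494333b5c83599513e0765b
-
-diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
-index 75cc3e7..7c28870 100644
---- a/src/firejail/fs_home.c
-+++ b/src/firejail/fs_home.c
-@@ -171,6 +171,13 @@ static void copy_xauthority(void) {
-char *dest;
-if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
-errExit("asprintf");
-+
-+ // if destination is a symbolic link, exit the sandbox!!!
-+ if (is_link(dest)) {
-+ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
-+ exit(1);
-+ }
-+
-// copy, set permissions and ownership
-int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-if (rv)
-@@ -189,6 +196,13 @@ static void copy_asoundrc(void) {
-char *dest;
-if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
-errExit("asprintf");
-+
-+ // if destination is a symbolic link, exit the sandbox!!!
-+ if (is_link(dest)) {
-+ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
-+ exit(1);
-+ }
-+
-// copy, set permissions and ownership
-int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-if (rv)
-diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
-index 90997f9..5c003f2 100644
---- a/src/firejail/pulseaudio.c
-+++ b/src/firejail/pulseaudio.c
-@@ -138,7 +138,15 @@ void pulseaudio_init(void) {
-(void) rv;
-}
-}
-+ else {
-+ // make sure the directory is owned by the user
-+ if (s.st_uid != getuid()) {
-+ fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
-+ exit(1);
-+ }
-+ }
-free(dir1);
-+
-if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
-errExit("asprintf");
-if (stat(dir1, &s) == -1) {
-@@ -150,6 +158,13 @@ void pulseaudio_init(void) {
-(void) rv;
-}
-}
-+ else {
-+ // make sure the directory is owned by the user
-+ if (s.st_uid != getuid()) {
-+ fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
-+ exit(1);
-+ }
-+ }
-free(dir1);
-
-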
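--- a/debian/patches/cve-2017-5180_followup.patch
+++ b/debian/patches/cve-2017-5180_followup.patch
@@ -1,320 +0,0 @@
-Author: netblue30 <netblue30@yahoo.com>
-Description: Followup fix for CVE-2017-5180
-Bug: https://github.com/netblue30/firejail/issues/1020
-Bug-Debian: https://bugs.debian.org/850160
-Origin: upstream, https://github.com/netblue30/firejail/commit/d37421f8b1cc0f8c6f40523169f02447eaba9405
-
-diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
-index dafa591..2897ffe 100644
---- a/src/firejail/firejail.h
-+++ b/src/firejail/firejail.h
-@@ -463,6 +463,7 @@ void invalid_filename(const char *fname);
-uid_t get_group_id(const char *group);
-int remove_directory(const char *path);
-void flush_stdin(void);
-+int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
-
-// fs_var.c
-void fs_var_log(void); // mounting /var/log
-diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
-index 7c28870..91f77fb 100644
---- a/src/firejail/fs_home.c
-+++ b/src/firejail/fs_home.c
-@@ -108,6 +108,14 @@ static int store_xauthority(void) {
-
-char *src;
-char *dest = RUN_XAUTHORITY_FILE;
-+ // create an empty file
-+ FILE *fp = fopen(dest, "w");
-+ if (fp) {
-+ fprintf(fp, "\n");
-+ SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
-+ fclose(fp);
-+ }
-+
-if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
-errExit("asprintf");
-
-@@ -117,12 +125,25 @@ static int store_xauthority(void) {
-fprintf(stderr, "Warning: invalid .Xauthority file\n");
-return 0;
-}
--
-- int rv = copy_file(src, dest, -1, -1, 0600);
-- if (rv) {
-- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-- return 0;
-+
-+ pid_t child = fork();
-+ if (child < 0)
-+ errExit("fork");
-+ if (child == 0) {
-+ // drop privileges
-+ drop_privs(0);
-+
-+ // copy, set permissions and ownership
-+ int rv = copy_file(src, dest, getuid(), getgid(), 0600);
-+ if (rv)
-+ fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-+ else {
-+ fs_logger2("clone", dest);
-+ }
-+ _exit(0);
-}
-+ // wait for the child to finish
-+ waitpid(child, NULL, 0);
-return 1; // file copied
-}
-
-@@ -135,6 +156,14 @@ static int store_asoundrc(void) {
-
-char *src;
-char *dest = RUN_ASOUNDRC_FILE;
-+ // create an empty file
-+ FILE *fp = fopen(dest, "w");
-+ if (fp) {
-+ fprintf(fp, "\n");
-+ SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
-+ fclose(fp);
-+ }
-+
-if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
-errExit("asprintf");
-
-@@ -142,6 +171,7 @@ static int store_asoundrc(void) {
-if (stat(src, &s) == 0) {
-if (is_link(src)) {
-// make sure the real path of the file is inside the home directory
-+ /* coverity[toctou] */
-char* rp = realpath(src, NULL);
-if (!rp) {
-fprintf(stderr, "Error: Cannot access %s\n", src);
-@@ -154,11 +184,24 @@ static int store_asoundrc(void) {
-free(rp);
-}
-
-- int rv = copy_file(src, dest, -1, -1, -0644);
-- if (rv) {
-- fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-- return 0;
-+ pid_t child = fork();
-+ if (child < 0)
-+ errExit("fork");
-+ if (child == 0) {
-+ // drop privileges
-+ drop_privs(0);
-+
-+ // copy, set permissions and ownership
-+ int rv = copy_file(src, dest, getuid(), getgid(), 0644);
-+ if (rv)
-+ fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-+ else {
-+ fs_logger2("clone", dest);
-+ }
-+ _exit(0);
-}
-+ // wait for the child to finish
-+ waitpid(child, NULL, 0);
-return 1; // file copied
-}
-
-@@ -171,20 +214,31 @@ static void copy_xauthority(void) {
-char *dest;
-if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
-errExit("asprintf");
--
-+
-// if destination is a symbolic link, exit the sandbox!!!
-if (is_link(dest)) {
-fprintf(stderr, "Error: %s is a symbolic link\n", dest);
-exit(1);
-}
--
-- // copy, set permissions and ownership
-- int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-- if (rv)
-- fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-- else {
-- fs_logger2("clone", dest);
-+
-+ pid_t child = fork();
-+ if (child < 0)
-+ errExit("fork");
-+ if (child == 0) {
-+ // drop privileges
-+ drop_privs(0);
-+
-+ // copy, set permissions and ownership
-+ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-+ if (rv)
-+ fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
-+ else {
-+ fs_logger2("clone", dest);
-+ }
-+ _exit(0);
-}
-+ // wait for the child to finish
-+ waitpid(child, NULL, 0);
-
-// delete the temporary file
-unlink(src);
-@@ -196,25 +250,37 @@ static void copy_asoundrc(void) {
-char *dest;
-if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
-errExit("asprintf");
--
-+
-// if destination is a symbolic link, exit the sandbox!!!
-if (is_link(dest)) {
-fprintf(stderr, "Error: %s is a symbolic link\n", dest);
-exit(1);
-}
--
-- // copy, set permissions and ownership
-- int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-- if (rv)
-- fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-- else {
-- fs_logger2("clone", dest);
-+
-+ pid_t child = fork();
-+ if (child < 0)
-+ errExit("fork");
-+ if (child == 0) {
-+ // drop privileges
-+ drop_privs(0);
-+
-+ // copy, set permissions and ownership
-+ int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
-+ if (rv)
-+ fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
-+ else {
-+ fs_logger2("clone", dest);
-+ }
-+ _exit(0);
-}
-+ // wait for the child to finish
-+ waitpid(child, NULL, 0);
-
-// delete the temporary file
-unlink(src);
-}
-
-+
-// private mode (--private=homedir):
-// mount homedir on top of /home/user,
-// tmpfs on top of /root in nonroot mode,
-diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
-index 5c003f2..d6cee40 100644
---- a/src/firejail/pulseaudio.c
-+++ b/src/firejail/pulseaudio.c
-@@ -1,4 +1,4 @@
--/*
-+ /*
-* Copyright (C) 2014-2016 Firejail Authors
-*
-* This file is part of firejail project
-@@ -22,6 +22,7 @@
-#include <sys/stat.h>
-#include <sys/mount.h>
-#include <dirent.h>
-+#include <sys/wait.h>
-
-static void disable_file(const char *path, const char *file) {
-assert(file);
-@@ -125,18 +126,28 @@ void pulseaudio_init(void) {
-SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
-fclose(fp);
-
-+
-// create ~/.config/pulse directory if not present
-char *dir1;
-if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
-errExit("asprintf");
-if (stat(dir1, &s) == -1) {
-- int rv = mkdir(dir1, 0755);
-- if (rv == 0) {
-- rv = chown(dir1, getuid(), getgid());
-- (void) rv;
-- rv = chmod(dir1, 0755);
-- (void) rv;
-+ pid_t child = fork();
-+ if (child < 0)
-+ errExit("fork");
-+ if (child == 0) {
-+ // drop privileges
-+ drop_privs(0);
-+
-+ int rv = mkdir(dir1, 0755);
-+ if (rv == 0) {
-+ if (set_perms(dir1, getuid(), getgid(), 0755))
-+ {;} // do nothing
-+ }
-+ _exit(0);
-}
-+ // wait for the child to finish
-+ waitpid(child, NULL, 0);
-}
-else {
-// make sure the directory is owned by the user
-@@ -146,17 +157,26 @@ void pulseaudio_init(void) {
-}
-}
-free(dir1);
--
-+
-if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
-errExit("asprintf");
-if (stat(dir1, &s) == -1) {
-- int rv = mkdir(dir1, 0700);
-- if (rv == 0) {
-- rv = chown(dir1, getuid(), getgid());
-- (void) rv;
-- rv = chmod(dir1, 0700);
-- (void) rv;
-+ pid_t child = fork();
-+ if (child < 0)
-+ errExit("fork");
-+ if (child == 0) {
-+ // drop privileges
-+ drop_privs(0);
-+
-+ int rv = mkdir(dir1, 0700);
-+ if (rv == 0) {
-+ if (set_perms(dir1, getuid(), getgid(), 0700))
-+ {;} // do nothing
-+ }
-+ _exit(0);
-}
-+ // wait for the child to finish
-+ waitpid(child, NULL, 0);
-}
-else {
-// make sure the directory is owned by the user
-@@ -167,7 +187,6 @@ void pulseaudio_init(void) {
-}
-free(dir1);
-
--
-// if we have ~/.config/pulse mount the new directory, else set environment variable
-char *homeusercfg;
-if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
-diff --git a/src/firejail/util.c b/src/firejail/util.c
-index f38b02f..f86d6c3 100644
---- a/src/firejail/util.c
-+++ b/src/firejail/util.c
-@@ -689,4 +689,14 @@ void flush_stdin(void) {
-}
-}
-}
-+// return 1 if error
-+int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
-+ assert(fname);
-+ if (chmod(fname, mode) == -1)
-+ return 1;
-+ if (chown(fname, uid, gid) == -1)
-+ return 1;
-+ return 0;
-+}
-+
-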
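--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +0,0 @@
-cve-2017-5180.patch
-cve-2017-5180_followup.patch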