Firejail security concerns

@philm

I ran into an issue where it looks like “firejail” binaries are not up to date. Presently I have “Firejail 0.9.64-2” from the community repository (build date 10-27-2020).

There were a number of firejail profile fixes which are in the newer builds:

firejail (0.9.64.4) baseline; urgency=low
* disabled overlayfs, pending multiple fixes
-- netblue30   Sun, 7 Feb 2021 09:00:00 -0500

AND

firejail (0.9.64.2) baseline; urgency=low
* allow --tmpfs inside $HOME for unprivileged users
* --disable-usertmpfs  compile time option
* allow AF_BLUETOOTH via --protocol=bluetooth
* Setup guide for new users: contrib/firejail-welcome.sh
* implement netns in profiles
* added nolocal6.net IPv6 network filter
* new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
* new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
* new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
* new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi
* new profiles: guvcview, pkglog, kdiff3, CoyIM
-- netblue30   Tue, 26 Jan 2021 09:00:00 -0500

Source:
https://firejail.wordpress.com/download-2/release-notes/

This profile fix for Celluloid is how I knew we were missing changes:

Previous Defect - Update celluloid.profile #3698

@philm
Looks like there were some security fixes in Firejail that are available to Arch users:

Subject: Re: [netblue30/firejail] celluloid.profile appears to be missing the configuration line "noblacklist /usr/lib/liblua*" (#3996)

As you saw in #3698 this is already fixed so there's not much else you can do right now but add the below to your celluloid.local override until you can upgrade:

# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc

I don't know if Manjaro Linux is aware of the recently disclosed security vulnerability in older firejail versions, but 0.9.64 is affected. Needless to say it is important that you upgrade as soon as possible. If you cannot install the Arch Linux firejail package (which carries fixes), at least edit /etc/firejail/firejail.config and set overlayfs no.

Source:
https://github.com/netblue30/firejail/issues/3996
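As an added example (not from this thread or from the firejail project) to verify the workaround quoted above: the function below reports whether a firejail.config file actually carries an uncommented "overlayfs no" line. It assumes that a missing or commented-out line (the stock file ships "# overlayfs yes") leaves the compiled-in default, i.e. overlayfs still enabled. The two sample config files are constructed inline; on a real system the file to check is /etc/firejail/firejail.config.

```sh
#!/bin/sh
# Added example, not from the forum thread: check whether overlayfs is
# disabled in a firejail.config file, as the quoted advice recommends.

# Print "disabled" if the last uncommented "overlayfs <value>" line in the
# file given as $1 says no, otherwise "enabled" (absent or commented-out
# lines such as "# overlayfs yes" fall back to the default, which is enabled).
overlayfs_state() {
    value=$(sed -n 's/^[[:space:]]*overlayfs[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$value" in
        [Nn][Oo]) echo disabled ;;
        *)        echo enabled ;;
    esac
}

# Constructed sample configs for a stand-alone run.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Stock file: the option is only present as a comment, so overlayfs stays on.
cat > "$tmpdir/default.config" <<'EOF'
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
EOF

# Hardened file: the uncommented line turns overlayfs off.
cat > "$tmpdir/hardened.config" <<'EOF'
# overlayfs yes
overlayfs no
EOF

overlayfs_state "$tmpdir/default.config"    # → enabled
overlayfs_state "$tmpdir/hardened.config"   # → disabled
```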

firejail 0.9.64.2 is currently available in the unstable branch.

Please see:

As well as:


Hi Yochanan,

From looking at the below screenshot I notice the Manjaro Stable Repository seems to be using “Firejail 0.9.64.2” (the meaning of the dash is a bit confusing).

So from your feedback I have a follow up question:

  1. Does Manjaro unstable contain firejail (0.9.56.2-LTS)?

    firejail (0.9.56.2-LTS) baseline; urgency=low
    * fix CVE-2019-12589
    * fix CVE-2019-12499
    * other bugfixes
    -- netblue30   Tue, 4 Jun 2019 08:00:00 -0500
    
  2. Any chance that will be changed to firejail (0.9.56.2.4) for the next Stable release?

  3. Any ideas what the planned release dates are for the next Manjaro stable?

*Note:

  • Since there are serious CVEs in firejail, perhaps we should mention this in the present stable release notes so people have a choice to switch to unstable?

That’s the pkgrel. That’s usually bumped when a change needs to be made when there isn’t a new release. You can see the 0.9.64.1 > 0.9.64.2 change here:

Yes.

We don’t have planned release dates normally. The next x86 stable snap might be a little while as most of the team is focusing on ARM right now.

Indeed they do.