Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2017-5180

Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.

Related bugs and status

CVE-2017-5180 (Candidate) is related to these bugs:

Bug #1655136: Multiple CVEs in xenial

		In	Importance	Status
1655136	Multiple CVEs in xenial	firejail (Ubuntu)	High	Fix Released
1655136	Multiple CVEs in xenial	firejail (Ubuntu Xenial)	High	Fix Released
1655136	Multiple CVEs in xenial	firejail (Ubuntu Zesty)	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://openwall.com/li...
MISC: https://firejail.wordp...
BID: 95298
GENTOO: GLSA-201701-62