Fedora Account System
Red Hat Associate
Red Hat Customer
Hello. Kindly, see this issue that opened by me on official firejail repository: https://github.com/netblue30/firejail/issues/4027 As you can see, firejail version 0.9.62.4 is vulnerable to CVE-2021-26910, which is fixed in 0.9.64.4 This what was given by official developer of firejail. Fedora 32 is still viable & not EOL distro, but it not received new version till now ! I'm not sure if Fedora packager of firejail included upstream patch that fix this security hole within current version 0.9.62.4 of firejail for Fedora 32 or not ? Kindly, review this issue.
Is there a reason not updating to f33 and in a few weeks time to f34 ? We know about the mentioned CVE and it is fixed in f34, but we certainly won't update firejail in f32 due to possible incompatibility problems in a such late date before EOL on 2021-05-18. If it is needed, we can discuss about updating firejail to version 0.9.62.4 in f33, as version 0.9.64 is present there. We already had a bug issued according to this CVE (https://bugzilla.redhat.com/show_bug.cgi?id=1929625) and a workaround exists for this problem in f33.
I removed firejail from my system ! I will close this issue. Only one note: what I understood is that Fedora 32 will end of life at 2021-05-18 Now is 2021-03-02 This mean remaining about 2 months before end of life. I think it is very enough time for damaged to be happened ! Regarding question why not upgrading to 33 ? System upgrade is not simple thing. I'm already upgraded my system at yearly interval not at 6 monthly interval because I live in place - Iraq - where Internet speed & electricity both are bad & OS upgrade in such case & bad situation is more dangerous for users. Fedora has - as for other Linux distros - many users live in 3rd world countries & not all it's users live in USA, Europe, or Hong Kong ..... I will leave this issue opened, & decision is to you to close it or not. Thank you for your rapid response, so that I removed this evil from my system.
There are ABI incompatibilities between versions 0.9.62.4 and 0.9.64.4, which can cause real damage to other system components. I am sorry that I cannot help you with f32, but at least if you find a way to upgrade your fedora system to f33, we can rebase firejail from 0.9.64 to 0.9.64.4, as they are ABI compatible and there is enough time to solve any problems. Actually 2 months is not enough time for properly testing such a huge update. We normally do updates only to the last version (for example now: rawhide + f34). If we are 100% certain that it would not cause any problems in already released versions and we have users expecting some fixes/features. This CVE actually does not have enough high priority for f32. But as I already said, f33 is a possibility for us. Thanks for understanding.
I don't understand why there is a problem with ABI changes of binaries (for libraries it is clear). Anyway if 0.9.64.4 will not happen, it will not happen. What I don't get is why the "fix" is not backported. The upstream "fix" until now is to disable overlayfs, so a 0.9.62.4-2 resp. 0.9.64-3 with ``%configure --disable-overlayfs`` can be done (debian stable has effectively done the same). Or a soft backport by patching/appending firejail.config with something like this: # overlayfs is disable due to CVE-2021-26910. # You can enable it again if the risk is acceptable for you. overlayfs no
We currently do not have the capacity to deal with this problem more precisely, if you have a working solution, please create a pull-request against this repository https://src.fedoraproject.org/rpms/firejail and we will investigate it. Thank you.