Name | CVE-2020-17367 |
Description | Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-2336-1, DSA-4742-1, DSA-4767-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
firejail (PTS) | bullseye (security), bullseye | 0.9.64.4-2+deb11u1 | fixed |
firejail (PTS) | bookworm, sid | 0.9.72-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
firejail | source | stretch | 0.9.44.8-2+deb9u1 | | DLA-2336-1 | |
firejail | source | buster | 0.9.58.2-2+deb10u1 | | DSA-4742-1 | |
firejail | source | (unstable) | 0.9.62-4 | | | |
mediawiki | source | buster | 1:1.31.10-1~deb10u1 | | DSA-4767-1 | |
https://phabricator.wikimedia.org/T258763
https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37
https://phabricator.wikimedia.org/T257062
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory