CVE-2022-31214

NameCVE-2022-31214
DescriptionA Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-3061-1, DSA-5167-1
Debian Bugs1012510

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firejail (PTS)buster0.9.58.2-2+deb10u2vulnerable
buster (security)0.9.58.2-2+deb10u3fixed
bullseye0.9.64.4-2vulnerable
bullseye (security)0.9.64.4-2+deb11u1fixed
bookworm, sid0.9.70-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firejailsourcestretch0.9.58.2-2+deb9u1DLA-3061-1
firejailsourcebuster0.9.58.2-2+deb10u3DSA-5167-1
firejailsourcebullseye0.9.64.4-2+deb11u1DSA-5167-1
firejailsource(unstable)0.9.68-41012510

Notes

https://www.openwall.com/lists/oss-security/2022/06/08/10
https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50 (0.9.70)
https://github.com/netblue30/firejail/commit/04ff0edf74395ddcbbcec955279c74ed9a6c0f86 (0.9.70)
https://github.com/netblue30/firejail/commit/dab835e7a0eb287822016f5ae4e87f46e1d363e7 (0.9.70)
https://github.com/netblue30/firejail/commit/1884ea22a90d225950d81c804f1771b42ae55f54 (0.9.70)
https://github.com/netblue30/firejail/files/8913178/CVE-2022-31214.zip (0.9.58.2 - 0.9.68 backports)

Search for package or bug name: Reporting problems