Page MenuHomePhabricator

Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368)
Closed, ResolvedPublicSecurity


I discovered two vulnerabilities with the handling of firejail's --output parameter, which could potentially impact on MediaWiki's use of firejail:

  • firejail searches for --output anywhere in argv, it does not respect the end-of-options tag "--". So when MediaWiki forms a firejail command line by concatenating the firejail invocation with the main shell command, any "--output" option in the main shell command would be interpreted by firejail as an output parameter. This causes firejail to write the command's stdout (or stderr with --output-stderr) to the specified file.
  • When --output or --output-stderr are specified, firejail forms the command line arguments into a single string and re-executes the resulting command via bash -c. It does this without any quoting or escaping, it just separates the arguments with spaces. So effectively, properly quoted parameters in the original command are unquoted and interpreted for shell metacharacters.

Together, these vulnerabilities mean that if wfShellExec(), Shell::command() or any of their variants are executed by MediaWiki with unprefixed user input as one of the command parameters, the result is a shell execution vulnerability. The shell execution happens before firejail sets up its jail -- it is not constrained.

I reported this vulnerability to per the firejail security policy at .

Event Timeline

The PoC from IRC was: MediaWiki\Shell\Shell::command('echo', 'a', '--output=/tmp/fjout',';id')->execute()->getStdout();

Proposed patch that checks every arg passed to FirejailCommand to ensure it doesn't start with --output.

Proposed patch that checks every arg passed to FirejailCommand to ensure it doesn't start with --output.

I deployed it.

We can leave this open for now to track the upstream issue.

Since there was no response from netblue30, I sent an email to Reiner Herrmann, as suggested by @Legoktm.

Updated patch references the CVE IDs and includes a basic unit test.

Reedy assigned this task to Legoktm.
Reedy added a subscriber: Reedy.

Resolving for ease of tracking in parent.

Can be either reopened when the release is done (end of the week), or if we want to fork into another task for the continued work...

Though, we might want to keep this private (for now?) until upstream addresses the issue too?

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".
Legoktm renamed this task from Vulnerabilities in firejail due to --output to Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368).Sep 27 2020, 11:57 AM