Key Information

CVE Identifier: CVE-2019-5736

Vulnerability Context:
- Firejail vulnerability related to a common implementation issue when using privileged namespaces.
- runc, Docker, Kubernetes, LXC, and Flatpak have all issued patches for similar issues.

Key Points:
- Firejail is not vulnerable under normal circumstances because the kernel does not allow modification of a running binary.
- Firejail's situation is closer to LXC than to runc, with the added advantage that it has no equivalent to the binary.
- Using signals other than SIGTERM or SIGINT (e.g., ) might invalidate the assumption on which that protection rests.

Mitigation:
- Using the option is expected to protect against this vulnerability.
- If sandboxes are running as root and need to be killed, the signal should be sent to the second Firejail process.

Fix:
- The vulnerability is addressed in Firejail by fixing the option handling.
- Profiles with protect against this even if the parent process is killed before the child.
- CVE-2019-12499 was assigned to track the issue.

Additional Information:
- The thread includes discussion of the option's behavior and its implications for sandbox process termination.
- Links to related security advisories and discussions are provided.

Status:
- Issue closed as completed on Jun 9, 2019.
- An LTS version was also released, and the CVE status page was updated accordingly.