{"id":"CVE-2017-5940","details":"Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-5180.","modified":"2026-04-11T04:59:43.069658Z","published":"2017-02-09T18:59:00.160Z","references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201702-03"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/96221"},{"type":"ADVISORY","url":"https://firejail.wordpress.com/download-2/release-notes/"},{"type":"FIX","url":"https://github.com/netblue30/firejail/commit/38d418505e9ee2d326557e5639e8da49c298858f"},{"type":"FIX","url":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef"},{"type":"FIX","url":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2017/01/31/16"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netblue30/firejail","events":[{"introduced":"8fd8fe3035f6ee353430032d0079420d4bfeaf2f"},{"last_affected":"fda31623ea993a95fb19288f7ee554e8a5fb2477"},{"introduced":"e5f50c1dd0ef13c49f20579ae2047c255a4d6451"},{"last_affected":"7cf5be4b224429c4b08db55232c438e1b5098042"},{"fixed":"38d418505e9ee2d326557e5639e8da49c298858f"},{"fixed":"903fd8a0789ca3cc3c21d84cd0282481515592ef"},{"fixed":"b8a4ff9775318ca5e679183884a6a63f3da8f863"}],"database_specific":{"versions":[{"introduced":"0.9.38"},{"last_affected":"0.9.38.10"},{"introduced":"0.9.40"},{"last_affected":"0.9.44.6"}]}}],"versions":["0.9.38","0.9.38.10","0.9.38.2","0.9.38.4","0.9.38.8","0.9.40","0.9.42","0.9.42-rc1","0.9.42-rc2","0.9.44","0.9.44-rc1","0.9.44.2","0.9.44.4","0.9.44.6","disable-globalcfg"],"database_specific":{"vanir_signatures":[{"target":{"function":"store_xauthority","file":"src/firejail/fs_home.c"},"digest":{"length":887,"function_hash":"63759268999330041835454085732144367715"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-03f3d8c6"},{"target":{"file":"src/firejail/util.c"},"digest":{"threshold":0.9,"line_hashes":["200348894722452025565699631862882460793","23115583235002702589020013510782768693","282941080128231754027002287020561738274"]},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef","signature_version":"v1","signature_type":"Line","id":"CVE-2017-5940-0f169f83"},{"target":{"file":"src/firejail/firejail.h"},"digest":{"threshold":0.9,"line_hashes":["36415115985910394298954698405508004082","339022242118558768890163066648080594300","74707124400456764585605612984234592890","324891731069053004206547116287640384472"]},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863","signature_version":"v1","signature_type":"Line","id":"CVE-2017-5940-208dc32d"},{"target":{"file":"src/firejail/fs_home.c"},"digest":{"threshold":0.9,"line_hashes":["256829374061654604936404914194516467429","27180702170325965788981262354742715399","166627008620292703616873100701282827698","200406466658996020928987909305954452694","148820331962680648503365325898971644945","4029491266623663117535413868193675444","333031275340393584340557988578893224457","176995247828354746875998987483628486045","31952681623754956022483776097748957910","323878215090886059023068353878873227011","178741523962824097345563217913352144530","131614749347161213139733463760012226684","148751409865436238677899064453889983415","281672409925639033598922585442639986030","220170956162515456776015471768641574257","51027542676934810478838622752204215948","262994147284829028594631749541890382999","84259735535512227009082384007448378086","305719926913748495676862295565960843860","334798839820807472756548697838983302513","223230875853466421300010678891066438501","257969067192441031428301530562256267295","150191657371462301629391412487170706804","90086587402057198567593806609588639162","56760244704083798916977370830605217317","180652399020172794002653262847836332602","256829374061654604936404914194516467429","109943640804087957179309410314234925812","40559014834332546631252239791292294464","296833318027047322824745973391557807420","62007142106617934897912308154037318606","100308140552048954431860744112146246732","287595706611385419066218906611656018542","301486772289948713037064335731263777962","278586138968795172555708970315859266225","319398299067406165297516578844027295686","329393456058833551229786919864785264681","330789020207704759132576372616762363780","241229430966673263807189497803233801850","281672409925639033598922585442639986030","220170956162515456776015471768641574257","51027542676934810478838622752204215948","262994147284829028594631749541890382999","84259735535512227009082384007448378086","305719926913748495676862295565960843860","334798839820807472756548697838983302513","223230875853466421300010678891066438501","257969067192441031428301530562256267295","150191657371462301629391412487170706804","90086587402057198567593806609588639162","56760244704083798916977370830605217317","180652399020172794002653262847836332602","220799260142683486300779933379000365800","256829374061654604936404914194516467429","131337329056778556775074277787950175799","208097509351314860162520732488685644969","72457858900583992271998911981459069926","142323346798858820595635193636464389499","336251365218281686106078866877506257579","6311868583034905124815741175809563466","253645690953557772575270684906320452354","155474370262380561409800733312361565054","32544279900027999804916444538212694232","112511743476488820035359387795977184089","287189317640742038733105388424809812131","337458438883477067860493377943148360109","180652399020172794002653262847836332602","320214796250986538674416233467325246513","147458053663270288431428880432070118466","97389440799207017453520207701117314748","183454293492362099397583917239044677133","286492067586708042598471908869658607445","153978549520786988149258823111789819881","70388574052295462130295877795926794009","208208040149755054712152106300322823506","89468597740636326263007723102185367601","305834204090989643411369363678840337305","29108687033895494393954106725064039799","178198084822820472614219921693370889248","39540525102529949430021615727495131348","308410031634083302995297241076661763424","10633049031923031452624354852868107135","274014056493345939647458654118134718159","272325583135129565114974536905288622661","251794837086417196623047498187948438600","236954693681530703195469507459090079456","174871716294501406840462129363217665622","108973889285281274079906730030369256975","825238737925113998805707867055072638","283494702502948481266628951722807675617","289146762422549900972759469033310552042","219940957790040336043292387090934320643","314449520989206131583410450667115406112","180802190412841655630677000028977197097","157914239557059387419953382110406353446","8897134024681983692284228434042366149","199975062347420515648431670254777297537","148250220692353512728239789092143349404","295754681346825820772667050101044340810","217390479379839497694220532896641574139","64905717489179018885214120723214795151","284328955687580216786959706016764179894","108231498073783656392610031210222162700","51736169236277716730521930315081594194","110121030450614498189050845205493898440","36665405487675332913544516346696526604","29025129535323454891764587694976352867","9876808118407145289238391111415939807","34933674909177756793683440945932518919","4218500856811330766304275913166169400","171788321599558217380121755684452810479","232208296104579151266580716537362708667","29108687033895494393954106725064039799","300895533487912330428193109609207376899","286585385588967605904462664635694263422","75723772249867032682510431278463163695","316679675276635398460260801137191928074","274014056493345939647458654118134718159","272325583135129565114974536905288622661","251794837086417196623047498187948438600","236954693681530703195469507459090079456","174871716294501406840462129363217665622","108973889285281274079906730030369256975","227910044636294658537340435979774231067","91024637173037616178986800970334637902","260551449232495020210298503053856014017","94957752366140013305259685573495966094","314449520989206131583410450667115406112","180802190412841655630677000028977197097","157914239557059387419953382110406353446","8897134024681983692284228434042366149","199975062347420515648431670254777297537","194815143776730275280142625500215501243","27240707337406092989940507656706198039","54243017476403968243070367035792402751","47349482650230990445455951961349449196","284328955687580216786959706016764179894","327801842488145756173027795039114419297","236154739343127622778586745344695360627","261992910301470831215653855275101492991","190281838377293410852468471625568328884","300422783927930615705922731741746266654","274014056493345939647458654118134718159","272325583135129565114974536905288622661","251794837086417196623047498187948438600","236954693681530703195469507459090079456","174871716294501406840462129363217665622","108973889285281274079906730030369256975","825238737925113998805707867055072638","283494702502948481266628951722807675617","289146762422549900972759469033310552042","219940957790040336043292387090934320643","314449520989206131583410450667115406112","180802190412841655630677000028977197097","157914239557059387419953382110406353446","7826540777617993708130159063675381842","10506086965465761207189953506475903011","23121514355491425597039363573806759602","255275333764343699987501183143931437590","285712263946374197050263414569087043662","204501092099411757342366068443907487387","298588143750672399921715765271575148089","96288361213064013983164883008717166423","220871423211604076277374545617329939197","261992910301470831215653855275101492991","190281838377293410852468471625568328884","300422783927930615705922731741746266654","274014056493345939647458654118134718159","272325583135129565114974536905288622661","251794837086417196623047498187948438600","236954693681530703195469507459090079456","174871716294501406840462129363217665622","108973889285281274079906730030369256975","227910044636294658537340435979774231067","91024637173037616178986800970334637902","260551449232495020210298503053856014017","94957752366140013305259685573495966094","314449520989206131583410450667115406112","180802190412841655630677000028977197097","157914239557059387419953382110406353446","7826540777617993708130159063675381842","10506086965465761207189953506475903011","23121514355491425597039363573806759602","255275333764343699987501183143931437590","285712263946374197050263414569087043662","204501092099411757342366068443907487387","142886488472217292679505672014507489563"]},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef","signature_version":"v1","signature_type":"Line","id":"CVE-2017-5940-2de1407a"},{"target":{"function":"store_asoundrc","file":"src/firejail/fs_home.c"},"digest":{"length":1160,"function_hash":"8394698320340542306292269739688283648"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-3bdc7e20"},{"target":{"function":"skel","file":"src/firejail/fs_home.c"},"digest":{"length":1688,"function_hash":"85687127945534411201368470010453532626"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-43750e9b"},{"target":{"file":"src/firejail/firejail.h"},"digest":{"threshold":0.9,"line_hashes":["249130190482200412247788402530700775334","186601727546623225759675813486056516721","121597797141208945718605085594005287889","11933615387033352292954776480092115128"]},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef","signature_version":"v1","signature_type":"Line","id":"CVE-2017-5940-5b081a0b"},{"target":{"function":"copy_asoundrc","file":"src/firejail/fs_home.c"},"digest":{"length":777,"function_hash":"136406472931425714219193111203877051647"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-5f5a8069"},{"target":{"function":"store_asoundrc","file":"src/firejail/fs_home.c"},"digest":{"length":993,"function_hash":"99974292938072042916980494955625717388"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-805d5a54"},{"target":{"function":"copy_xauthority","file":"src/firejail/fs_home.c"},"digest":{"length":783,"function_hash":"250440044774892348803337602214698976490"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-8ee8b2cf"},{"target":{"file":"src/firejail/util.c"},"digest":{"threshold":0.9,"line_hashes":["172454027806618555836987812650502487986","339723740635972621271675803487927320220","286807084036784634258736771625820965434","180119259454095415713502053372626763647","200348894722452025565699631862882460793","23115583235002702589020013510782768693","282941080128231754027002287020561738274"]},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863","signature_version":"v1","signature_type":"Line","id":"CVE-2017-5940-9244f902"},{"target":{"function":"copy_asoundrc","file":"src/firejail/fs_home.c"},"digest":{"length":675,"function_hash":"137434069000427222976051654430457763971"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-b52fab16"},{"target":{"file":"src/firejail/fs_home.c"},"digest":{"threshold":0.9,"line_hashes":["133736946705761311462941945552276840090","337144918590721056049676774131274471691","88629814020185162577856376745897127138","249014774019430060413723362239627911890","148751409865436238677899064453889983415","281672409925639033598922585442639986030","220170956162515456776015471768641574257","51027542676934810478838622752204215948","178239192405530872828032119812514806495","276529764847511609979531363883074994197","327370159638155573448654552856134986636","116732861275396988399416322175794966983","302843583754002795616278794758653294615","56760244704083798916977370830605217317","180652399020172794002653262847836332602","252026565832871995719428255941733560667","311593066148438244293458228062019668820","121808685259824752243381179096908481860","130403343738449058191399927441815089810","241229430966673263807189497803233801850","281672409925639033598922585442639986030","220170956162515456776015471768641574257","51027542676934810478838622752204215948","178239192405530872828032119812514806495","276529764847511609979531363883074994197","327370159638155573448654552856134986636","116732861275396988399416322175794966983","302843583754002795616278794758653294615","56760244704083798916977370830605217317","180652399020172794002653262847836332602","272289094254913209441164243865118867317","103778924842878807918427399236669311991","245411956782178490232042549692386127136","61693165948118417914716220925158576148","337458438883477067860493377943148360109","180652399020172794002653262847836332602","156521159601465372969048206977419041768","5761017000373582748168399521929412725","272325583135129565114974536905288622661","251794837086417196623047498187948438600","236954693681530703195469507459090079456","293269710774393618094856229529583304032","50513883307478599292053409050263548616","55914325855199989696424017868124393124","138203217898696378825532199063837185401","289146762422549900972759469033310552042","219940957790040336043292387090934320643","314449520989206131583410450667115406112","180802190412841655630677000028977197097","157914239557059387419953382110406353446","295407663426878719860498095636689965998","191223652047990209514638225197975490601","33874297859080568072139062661119008523","284495753429187570908174552684169088071","25442997546745271963158013826871196764","272325583135129565114974536905288622661","251794837086417196623047498187948438600","236954693681530703195469507459090079456","303809841074764854088469954912475570197","260115948945124056919495028549178553608","113584623026267138288928999812642343609","297374941882252939269475699194008916043","260551449232495020210298503053856014017","94957752366140013305259685573495966094","314449520989206131583410450667115406112","180802190412841655630677000028977197097","157914239557059387419953382110406353446","295407663426878719860498095636689965998","191223652047990209514638225197975490601","33874297859080568072139062661119008523","300422783927930615705922731741746266654","274014056493345939647458654118134718159","272325583135129565114974536905288622661","251794837086417196623047498187948438600","236954693681530703195469507459090079456","326847830041466915533979850703989902297","18439367514807552064218444399963989580","149431985285681910463823370406286733033","253923345347943831495982283518582722008","289146762422549900972759469033310552042","219940957790040336043292387090934320643","314449520989206131583410450667115406112","180802190412841655630677000028977197097","157914239557059387419953382110406353446","34236910581812515199399573825251297335","257811682606090650557736684268811488513","122525651887712605728690663805235499012","300422783927930615705922731741746266654","274014056493345939647458654118134718159","272325583135129565114974536905288622661","251794837086417196623047498187948438600","236954693681530703195469507459090079456","326847830041466915533979850703989902297","18439367514807552064218444399963989580","189313714006234091313065344979726351809","73172605071725666416274343030089567221","260551449232495020210298503053856014017","94957752366140013305259685573495966094","314449520989206131583410450667115406112","180802190412841655630677000028977197097","157914239557059387419953382110406353446","34236910581812515199399573825251297335","257811682606090650557736684268811488513","169650061134500928515050486086598434089"]},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863","signature_version":"v1","signature_type":"Line","id":"CVE-2017-5940-b59afb8b"},{"target":{"function":"store_xauthority","file":"src/firejail/fs_home.c"},"digest":{"length":1001,"function_hash":"137626129239180345015475860575403570024"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-d2eb93ba"},{"target":{"function":"skel","file":"src/firejail/fs_home.c"},"digest":{"length":2214,"function_hash":"58458513071904434057973494356077185801"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/903fd8a0789ca3cc3c21d84cd0282481515592ef","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-d32790e9"},{"target":{"function":"copy_xauthority","file":"src/firejail/fs_home.c"},"digest":{"length":681,"function_hash":"56229870580428982007061037259621692497"},"deprecated":false,"source":"https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863","signature_version":"v1","signature_type":"Function","id":"CVE-2017-5940-d5ef28bf"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5940.json","vanir_signatures_modified":"2026-04-11T04:59:43Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}