<p>A SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.</p>
</background>
<description>
<p>Firejail does not sufficiently validate the user's environment prior to using it as the root user when using the --join command line option.</p>
</description>
<impacttype="normal">
<p>An unprivileged user can exploit this vulnerability to achieve local root privileges.</p>
</impact>
<workaround>
<p>System administrators can mitigate this vulnerability via adding either "force-nonewprivs yes" or "join no" to the Firejail configuration file in /etc/firejail/firejail.config.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for sys-apps/firejail-lts. Users should unmerge it in favor of sys-apps/firejail:</p>