Date: Wed, 24 Apr 2019 11:12:42 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: security@...ntu.com, mheon@...hat.com, paul@...l-moore.com
Subject: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments

Hi,

https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where golang-seccomp incorrectly generates BPFs which OR multiple arguments rather than ANDing them. This bug was fixed here:

https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e

which is currently only in master and not the most current 0.9.0 release.

Since golang-seccomp is meant to be a golang package to facilitate reducing the syscall surface for applications, and this bug produces incorrect BPF to achieve that when specifying more than 2 syscall arguments, this probably deserves a CVE assignment so distributions will see the issue and incorporate the fix into their stable releases.

I've included upstream developers Matthew and Paul in CC for comment.

Thanks

--
Jamie Strandboge | http://www.canonical.com
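To make the impact of the OR-instead-of-AND bug concrete, here is an added, self-contained Go model (not libseccomp-golang's code and not from the mail above) that evaluates a multi-argument seccomp rule under both the intended AND semantics and the pre-fix OR semantics. The Condition type mirrors the shape of seccomp.MakeCondition(arg, op, value, mask) but is a constructed stand-in; the sample rule and syscall arguments are constructed, using the Linux values AF_UNIX = 1, AF_INET = 2 and SOCK_STREAM = 1.

```go
package main

import "fmt"

// CompareOp is a constructed subset of libseccomp-golang's ScmpCompareOp.
type CompareOp int

const (
	OpEqual CompareOp = iota
	OpNotEqual
	OpMaskedEqual
)

// Condition constrains one syscall argument (index 0..5), like a single
// condition passed to AddRuleConditional. Constructed stand-in type.
type Condition struct {
	Arg   uint
	Op    CompareOp
	Value uint64
	Mask  uint64 // only used by OpMaskedEqual
}

func (c Condition) holds(args [6]uint64) bool {
	v := args[c.Arg]
	switch c.Op {
	case OpEqual:
		return v == c.Value
	case OpNotEqual:
		return v != c.Value
	case OpMaskedEqual:
		return v&c.Mask == c.Value
	}
	return false
}

// ruleMatchesAND is the intended semantics: the rule fires only when
// every argument condition holds at once.
func ruleMatchesAND(conds []Condition, args [6]uint64) bool {
	for _, c := range conds {
		if !c.holds(args) {
			return false
		}
	}
	return true
}

// ruleMatchesOR models the pre-fix BPF from issue #22: the rule fires as
// soon as any one condition holds, so an allow rule is far wider than meant.
func ruleMatchesOR(conds []Condition, args [6]uint64) bool {
	for _, c := range conds {
		if c.holds(args) {
			return true
		}
	}
	return false
}

func main() {
	// Allow rule meant for socket(AF_UNIX, SOCK_STREAM, ...) only.
	rule := []Condition{{Arg: 0, Op: OpEqual, Value: 1}, {Arg: 1, Op: OpEqual, Value: 1}}
	inet := [6]uint64{2, 1, 0} // socket(AF_INET, SOCK_STREAM, 0): should be denied
	fmt.Println("intended:", ruleMatchesAND(rule, inet), " pre-fix:", ruleMatchesOR(rule, inet))
}
```

A regression check of this shape against the real library (feeding a one-condition-matching call through the generated filter) is what distinguishes a fixed 0.9.0 package from an unfixed one.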