Date: Wed, 24 Apr 2019 11:28:48 -0500 From: Jamie Strandboge <jamie@...onical.com> To: OSS Security List <oss-security@...ts.openwall.com> Cc: security@...ntu.com, mheon@...hat.com, paul@...l-moore.com Subject: Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments On Wed, 24 Apr 2019, Jamie Strandboge wrote: > Hi, > > https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where > golang-seccomp incorrectly generates BPFs which OR multiple arguments rather > than ANDing them. This bug was fixed here: > > https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e > > which is currently only in master and not the most current 0.9.0 release. Since > golang-seccomp is meant to be a golang package to facilitate reducing the > syscall surface for applications and this bug produces incorrect BPF to achieve > that when specifying more that 2 syscall arguments, this probably deserves a > CVE assignment so distributions will see the issue and incorporate the fix into > their stable releases. I've included upstream developers Matthew and Paul in CC > for comment. > Sorry, I was reminded that CVE requests go to https://cveform.mitre.org/. I did that just now. I can shuffle back and forth information between here and there as needed and will report back the CVE if/when it is assigned. -- Jamie Strandboge | http://www.canonical.com Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.