Date: Wed, 24 Apr 2019 11:28:48 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: security@...ntu.com, mheon@...hat.com, paul@...l-moore.com
Subject: Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments

On Wed, 24 Apr 2019, Jamie Strandboge wrote:
> Hi,
>
> https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where
> golang-seccomp incorrectly generates BPFs which OR multiple arguments rather
> than ANDing them. This bug was fixed here:
>
> https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
>
> which is currently only in master and not the most current 0.9.0 release. Since
> golang-seccomp is meant to be a golang package to facilitate reducing the
> syscall surface for applications and this bug produces incorrect BPF to achieve
> that when specifying more than 2 syscall arguments, this probably deserves a
> CVE assignment so distributions will see the issue and incorporate the fix into
> their stable releases. I've included upstream developers Matthew and Paul in CC
> for comment.
>
Sorry, I was reminded that CVE requests go to https://cveform.mitre.org/. I did
that just now. I can shuffle back and forth information between here and there
as needed and will report back the CVE if/when it is assigned.

--
Jamie Strandboge | http://www.canonical.com
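The AND-versus-OR distinction the thread describes, as an added illustration that is not part of the message or of libseccomp-golang's code: a small pure-Go model of seccomp argument conditions, evaluated under the intended semantics (all conditions must hold) and under the reported defect (any one condition suffices). The type and field names (`Cond`, `Rule`, `Call`, `WronglyAllowed`) are assumptions of this example, not the library's API; the socket(2) argument values are Linux constants, and the sample invocations are constructed. The point it makes is the defender's one: an allow rule with two conditions that are OR'd instead of AND'd admits calls the rule was written to reject.

```go
package main

import "fmt"

// Added model, not libseccomp-golang code: one argument condition of a seccomp
// rule. Field names are assumptions; only three comparison operators are shown.
type Op int

const (
	OpEq Op = iota
	OpNe
	OpMaskedEq
)

type Cond struct {
	Arg   int // syscall argument index, 0..5
	Op    Op
	Value uint64
	Mask  uint64 // used only with OpMaskedEq
}

// Match evaluates one condition against a syscall's argument vector.
func (c Cond) Match(args [6]uint64) bool {
	a := args[c.Arg]
	switch c.Op {
	case OpEq:
		return a == c.Value
	case OpNe:
		return a != c.Value
	case OpMaskedEq:
		return a&c.Mask == c.Value
	}
	return false
}

// Rule is an allow rule for one syscall, narrowed by zero or more conditions.
type Rule struct {
	Syscall string
	Conds   []Cond
}

// MatchAll is the intended semantics: every condition must hold (AND).
func (r Rule) MatchAll(args [6]uint64) bool {
	for _, c := range r.Conds {
		if !c.Match(args) {
			return false
		}
	}
	return true
}

// MatchAny models the defect from issue #22: the filter fires when any single
// condition holds (OR), so an allow rule admits more calls than intended.
func (r Rule) MatchAny(args [6]uint64) bool {
	for _, c := range r.Conds {
		if c.Match(args) {
			return true
		}
	}
	return len(r.Conds) == 0
}

// Call is a constructed sample invocation: syscall name plus argument vector.
type Call struct {
	Syscall string
	Args    [6]uint64
}

// Linux values for the socket(2) domain and type arguments used below.
const (
	afUnix, afInet        = 1, 2
	sockStream, sockDgram = 1, 2
)

// ExampleRule expresses "allow socket() only for AF_INET with SOCK_STREAM".
var ExampleRule = Rule{Syscall: "socket", Conds: []Cond{
	{Arg: 0, Op: OpEq, Value: afInet},
	{Arg: 1, Op: OpEq, Value: sockStream},
}}

// SampleCalls are constructed invocations covering each domain/type combination.
var SampleCalls = []Call{
	{"socket", [6]uint64{afInet, sockStream}},
	{"socket", [6]uint64{afUnix, sockStream}},
	{"socket", [6]uint64{afInet, sockDgram}},
	{"socket", [6]uint64{afUnix, sockDgram}},
}

// WronglyAllowed returns the calls the OR-combined filter admits but the
// intended AND-combined filter rejects: the exposure created by the bug.
func WronglyAllowed(r Rule, calls []Call) []Call {
	var out []Call
	for _, c := range calls {
		if c.Syscall == r.Syscall && r.MatchAny(c.Args) && !r.MatchAll(c.Args) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	for _, c := range WronglyAllowed(ExampleRule, SampleCalls) {
		fmt.Printf("wrongly allowed: %s(domain=%d, type=%d)\n", c.Syscall, c.Args[0], c.Args[1])
	}
}
```

For the two-condition rule above, the OR'd filter additionally admits socket(AF_UNIX, SOCK_STREAM) and socket(AF_INET, SOCK_DGRAM). The same reasoning applies to any conditional allow rule built with the affected release: each extra condition that becomes an alternative instead of a restriction widens what the filter lets through, which is why the fix matters for distributions' stable packages and not only for master.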