|
Message-ID: <20190425132314.GD13360@iolanthe>
Date: Thu, 25 Apr 2019 08:23:14 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: security@...ntu.com, mheon@...hat.com, paul@...l-moore.com
Subject: Re: CVE Request: golang-seccomp incorrectly handles multiple syscall
arguments
On Wed, 24 Apr 2019, Jamie Strandboge wrote:
> On Wed, 24 Apr 2019, Jamie Strandboge wrote:
>
> > Hi,
> >
> > https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where
> > golang-seccomp incorrectly generates BPFs which OR multiple arguments rather
> > than ANDing them. This bug was fixed here:
> >
> > https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
> >
> > which is currently only in master and not the most current 0.9.0 release. Since
> > golang-seccomp is meant to be a golang package to facilitate reducing the
> > syscall surface for applications and this bug produces incorrect BPF to achieve
> > that when specifying more that 2 syscall arguments, this probably deserves a
> > CVE assignment so distributions will see the issue and incorporate the fix into
> > their stable releases. I've included upstream developers Matthew and Paul in CC
> > for comment.
> >
> Sorry, I was reminded that CVE requests go to https://cveform.mitre.org/. I did
> that just now. I can shuffle back and forth information between here and there
> as needed and will report back the CVE if/when it is assigned.
This is CVE-2017-18367
--
Jamie Strandboge | http://www.canonical.com
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.