Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 24 Apr 2019 11:12:42 -0500
From: Jamie Strandboge <>
To: OSS Security List <>
Subject: CVE Request: golang-seccomp incorrectly handles multiple syscall

Hi, describes a bug where
golang-seccomp incorrectly generates BPFs which OR multiple arguments rather
than ANDing them. This bug was fixed here:

which is currently only in master and not the most current 0.9.0 release. Since
golang-seccomp is meant to be a golang package to facilitate reducing the
syscall surface for applications and this bug produces incorrect BPF to achieve
that when specifying more that 2 syscall arguments, this probably deserves a
CVE assignment so distributions will see the issue and incorporate the fix into
their stable releases. I've included upstream developers Matthew and Paul in CC
for comment.


Jamie Strandboge             |

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.