Message-ID: <20190424162848.GC13360@iolanthe>
Date: Wed, 24 Apr 2019 11:28:48 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: security@...ntu.com, mheon@...hat.com, paul@...l-moore.com
Subject: Re: CVE Request: golang-seccomp incorrectly handles multiple syscall
 arguments

On Wed, 24 Apr 2019, Jamie Strandboge wrote:

> Hi,
> 
> https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where
> golang-seccomp incorrectly generates BPFs which OR multiple arguments rather
> than ANDing them. This bug was fixed here:
> 
> https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
> 
> which is currently only in master and not the most current 0.9.0 release. Since
> golang-seccomp is meant to be a golang package to facilitate reducing the
> syscall surface for applications and this bug produces incorrect BPF to achieve
> that when specifying more than 2 syscall arguments, this probably deserves a
> CVE assignment so distributions will see the issue and incorporate the fix into
> their stable releases. I've included upstream developers Matthew and Paul in CC
> for comment.
> 
Sorry, I was reminded that CVE requests go to https://cveform.mitre.org/. I did
that just now. I can shuffle back and forth information between here and there
as needed and will report back the CVE if/when it is assigned.

-- 
Jamie Strandboge             | http://www.canonical.com
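
An added example, not part of the message above and not code from libseccomp-golang: a pure-Go model of the difference between ANDing and ORing the argument conditions of one rule. The `socket` rule, the sample calls and all type and function names are hypothetical, and the model does not call the library or generate BPF.

```go
package main

import "fmt"

// Linux constant values, used only as sample data.
const afUnix, afInet, sockStream, sockDgram = 1, 2, 1, 2

// Cond models one "argument Arg equals Value" comparison in a rule.
type Cond struct {
	Arg   int
	Value uint64
}

// Args holds the six argument registers of one constructed socket(2) call.
type Args [6]uint64

// matches reports whether a call satisfies a rule: every condition when
// requireAll is set (AND), otherwise any single condition (OR).
func matches(a Args, conds []Cond, requireAll bool) bool {
	hits := 0
	for _, c := range conds {
		if a[c.Arg] == c.Value {
			hits++
		}
	}
	if requireAll {
		return hits == len(conds)
	}
	return hits > 0 || len(conds) == 0
}

// Divergent returns the calls an ORed rule allows but an ANDed rule rejects.
func Divergent(calls []Args, conds []Cond) []Args {
	var out []Args
	for _, a := range calls {
		if matches(a, conds, false) && !matches(a, conds, true) {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	rule := []Cond{{0, afUnix}, {1, sockStream}} // intent: AF_UNIX and SOCK_STREAM
	calls := []Args{{afUnix, sockStream}, {afInet, sockStream}, {afUnix, sockDgram}, {afInet, sockDgram}}
	for _, a := range Divergent(calls, rule) {
		fmt.Printf("allowed only when conditions are ORed: socket(%d, %d)\n", a[0], a[1])
	}
}
```

The same four calls can serve as a regression check against a real filter after the fix is packaged: only the first should be permitted.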
