Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments

Related Vulnerabilities: CVE-2017-18367  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Jamie Strandboge &lt;jamie () canonical com&gt;

Date: Thu, 25 Apr 2019 08:23:14 -0500

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Wed, 24 Apr 2019, Jamie Strandboge wrote:

On Wed, 24 Apr 2019, Jamie Strandboge wrote:

Hi,

https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where
golang-seccomp incorrectly generates BPFs which OR multiple arguments rather
than ANDing them. This bug was fixed here:

https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e

which is currently only in master and not the most current 0.9.0 release. Since
golang-seccomp is meant to be a golang package to facilitate reducing the
syscall surface for applications and this bug produces incorrect BPF to achieve
that when specifying more that 2 syscall arguments, this probably deserves a
CVE assignment so distributions will see the issue and incorporate the fix into
their stable releases. I've included upstream developers Matthew and Paul in CC
for comment.

Sorry, I was reminded that CVE requests go to https://cveform.mitre.org/. I did
that just now. I can shuffle back and forth information between here and there
as needed and will report back the CVE if/when it is assigned.

This is CVE-2017-18367

-- 
Jamie Strandboge             | http://www.canonical.com
Attachment:
signature.asc
Description: 

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 24)

Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 24)

Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 25)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started