oss-sec
mailing list archives
Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments
From: Jamie Strandboge <jamie () canonical com>
Date: Thu, 25 Apr 2019 08:23:14 -0500
On Wed, 24 Apr 2019, Jamie Strandboge wrote:

> On Wed, 24 Apr 2019, Jamie Strandboge wrote:
>
> > Hi,
> >
> > https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where
> > golang-seccomp incorrectly generates BPFs which OR multiple arguments rather
> > than ANDing them. This bug was fixed here:
> >
> > https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
> >
> > which is currently only in master and not the most current 0.9.0 release. Since
> > golang-seccomp is meant to be a golang package to facilitate reducing the
> > syscall surface for applications and this bug produces incorrect BPF to achieve
> > that when specifying more than 2 syscall arguments, this probably deserves a
> > CVE assignment so distributions will see the issue and incorporate the fix into
> > their stable releases. I've included upstream developers Matthew and Paul in CC
> > for comment.
>
> Sorry, I was reminded that CVE requests go to https://cveform.mitre.org/. I did
> that just now. I can shuffle back and forth information between here and there
> as needed and will report back the CVE if/when it is assigned.

This is CVE-2017-18367
--
Jamie Strandboge | http://www.canonical.com
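
A small Go model of the flaw described in the message above, added here as an illustration and not taken from libseccomp-golang or from the thread: it evaluates one rule's argument conditions with AND (intended) and with OR (the reported behaviour) and lists the calls the ORed form over-admits. The `cond` and `rule` types and the sample `socket` argument values are constructed assumptions.

```go
package main

import "fmt"

// cond: syscall argument number Arg must equal Value (model type, not the libseccomp-golang API).
type cond struct {
	Arg   int
	Value uint64
}

// rule is the list of argument conditions attached to one allowed syscall.
type rule []cond

// hits counts how many of the rule's conditions the given arguments satisfy.
func hits(r rule, args []uint64) int {
	n := 0
	for _, c := range r {
		if c.Arg < len(args) && args[c.Arg] == c.Value {
			n++
		}
	}
	return n
}

// matchAND is the intended semantics: every condition must hold.
func matchAND(r rule, args []uint64) bool { return hits(r, args) == len(r) }

// matchOR models the reported bug: any single condition is enough.
func matchOR(r rule, args []uint64) bool { return len(r) == 0 || hits(r, args) > 0 }

// overAllowed returns the calls an ORed filter admits but the intended filter rejects.
func overAllowed(r rule, calls [][]uint64) [][]uint64 {
	var out [][]uint64
	for _, a := range calls {
		if matchOR(r, a) && !matchAND(r, a) {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	// Constructed sample: allow only socket(AF_INET=2, SOCK_STREAM=1, protocol=0).
	r := rule{{0, 2}, {1, 1}, {2, 0}}
	calls := [][]uint64{{2, 1, 0}, {2, 3, 0}, {16, 3, 0}, {16, 3, 9}}
	for _, a := range overAllowed(r, calls) {
		fmt.Println("admitted by OR, rejected by AND: socket", a)
	}
}
```

Any non-empty result from `overAllowed` is a call the policy author meant to block, which is why a filter built with the affected version should be re-checked against calls that satisfy only some of a rule's conditions.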
Current thread:
CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 24)
Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 24)
Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 25)