oss-sec mailing list archives
Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments
From: Jamie Strandboge <jamie () canonical com>
Date: Wed, 24 Apr 2019 11:28:48 -0500
On Wed, 24 Apr 2019, Jamie Strandboge wrote:
Hi, https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where golang-seccomp incorrectly generates BPFs which OR multiple arguments rather than ANDing them. This bug was fixed here: https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e which is currently only in master and not the most current 0.9.0 release. Since golang-seccomp is meant to be a golang package to facilitate reducing the syscall surface for applications and this bug produces incorrect BPF to achieve that when specifying more that 2 syscall arguments, this probably deserves a CVE assignment so distributions will see the issue and incorporate the fix into their stable releases. I've included upstream developers Matthew and Paul in CC for comment.
Sorry, I was reminded that CVE requests go to https://cveform.mitre.org/. I did that just now. I can shuffle back and forth information between here and there as needed and will report back the CVE if/when it is assigned. -- Jamie Strandboge | http://www.canonical.com
Attachment:
signature.asc
Description:
Current thread:
- CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 24)
- Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 24)
- Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 25)
- Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments Jamie Strandboge (Apr 24)