Re: CVE Request: golang-seccomp incorrectly handles multiple syscall arguments

[Jamie Strandboge <jamie () canonical com>]

On Wed, 24 Apr 2019, Jamie Strandboge wrote:

> On Wed, 24 Apr 2019, Jamie Strandboge wrote:
>
> > Hi,
> >
> > https://github.com/seccomp/libseccomp-golang/issues/22 describes a bug where
> > golang-seccomp incorrectly generates BPFs which OR multiple arguments rather
> > than ANDing them. This bug was fixed here:
> >
> > https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
> >
> > which is currently only in master and not the most current 0.9.0 release. Since
> > golang-seccomp is meant to be a golang package to facilitate reducing the
> > syscall surface for applications and this bug produces incorrect BPF to achieve
> > that when specifying more that 2 syscall arguments, this probably deserves a
> > CVE assignment so distributions will see the issue and incorporate the fix into
> > their stable releases. I've included upstream developers Matthew and Paul in CC
> > for comment.
> Sorry, I was reminded that CVE requests go to https://cveform.mitre.org/. I did
> that just now. I can shuffle back and forth information between here and there
> as needed and will report back the CVE if/when it is assigned.

This is CVE-2017-18367

-- 
Jamie Strandboge             | http://www.canonical.com

Attachment: signature.asc
Description: