Bugzilla – Bug 1128828
VUL-0: CVE-2019-9893: libseccomp: incorrect generation of syscall filters in libseccomp
Last modified: 2021-12-22 14:35:37 UTC
via oss-sec From: Paul Moore <paul@paul-moore.com> Subject: [oss-security] libseccomp: incorrect generation of syscall argument filters Date: Thu, 14 Mar 2019 19:48:22 -0400 Jann Horn (CC'd) identified a problem in current versions of libseccomp where the library did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE). Jann has done a search using codesearch.debian.net and it would appear that only systemd and Tor are using libseccomp in such a way as to trigger the bad code. In the case of systemd this appears to affect the socket address family and scheduling class filters. In the case of Tor it appears that the bad filters could impact the memory addresses passed to mprotect(2). The libseccomp v2.4.0 release fixes this problem, and should be a direct drop-in replacement for previous v2.x releases. Due the complexity, and associated risk, of backporting the fix to the v2.3.x release stream, I've made the difficult decision not to backport the fix. Further, I'm not aware of any workarounds for this issue. Adminstrators and distros are strongly encouraged to upgrade to libseccomp v2.4.0 as soon as possible. The related GitHub issue, complete with a brief discussion of the problem and a list of the assocated patches can be found at the link below: * https://github.com/seccomp/libseccomp/issues/139 The libseccomp v2.4.0 release can be found at the link below: * https://github.com/seccomp/libseccomp/releases/tag/v2.4.0 -- paul moore www.paul-moore.com
This is an autogenerated message for OBS integration: This bug (1128828) was mentioned in https://build.opensuse.org/request/show/685759 Factory / libseccomp
currently planning also to rev sle12 to 2.4.1. the packages build actually against 2.4.1 just fine
SUSE-SU-2019:2517-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1082318,1128828,1142614 CVE References: CVE-2019-9893 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): libseccomp-2.4.1-3.3.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): libseccomp-2.4.1-3.3.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libseccomp-2.4.1-3.3.1 SUSE Linux Enterprise Module for Basesystem 15 (src): libseccomp-2.4.1-3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2283-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1082318,1128828,1142614 CVE References: CVE-2019-9893 Sources used: openSUSE Leap 15.1 (src): libseccomp-2.4.1-lp151.3.3.1
openSUSE-SU-2019:2280-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1082318,1128828,1142614 CVE References: CVE-2019-9893 Sources used: openSUSE Leap 15.0 (src): libseccomp-2.4.1-lp150.2.3.1
SUSE-SU-2019:2941-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1082318,1128828,1142614 CVE References: CVE-2019-9893 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): libseccomp-2.4.1-11.3.2 SUSE OpenStack Cloud 8 (src): libseccomp-2.4.1-11.3.2 SUSE OpenStack Cloud 7 (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Server for SAP 12-SP3 (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Server for SAP 12-SP2 (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Server 12-SP5 (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Server 12-SP4 (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Server 12-SP3-LTSS (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Server 12-SP3-BCL (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Server 12-SP2-LTSS (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Server 12-SP2-BCL (src): libseccomp-2.4.1-11.3.2 SUSE Linux Enterprise Desktop 12-SP4 (src): libseccomp-2.4.1-11.3.2 SUSE Enterprise Storage 5 (src): libseccomp-2.4.1-11.3.2 SUSE CaaS Platform 3.0 (src): libseccomp-2.4.1-11.3.2 HPE Helion Openstack 8 (src): libseccomp-2.4.1-11.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
i think its done now.