Source: libseccomp
Version: 2.3.3-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/seccomp/libseccomp/issues/139
Control: found -1 2.3.1-2.1+deb9u1
Control: found -1 2.3.1-2.1
Control: affects -1 tor,systemd

Hi

See: https://www.openwall.com/lists/oss-security/2019/03/15/1

> Jann Horn (CC'd) identified a problem in current versions of
> libseccomp where the library did not correctly generate 64-bit syscall
> argument comparisons using the arithmetic operators (LT, GT, LE, GE).
> Jann has done a search using codesearch.debian.net and it would appear
> that only systemd and Tor are using libseccomp in such a way as to
> trigger the bad code.  In the case of systemd this appears to affect
> the socket address family and scheduling class filters.  In the case
> of Tor it appears that the bad filters could impact the memory
> addresses passed to mprotect(2).
> 
> The libseccomp v2.4.0 release fixes this problem, and should be a
> direct drop-in replacement for previous v2.x releases.  Due to the
> complexity, and associated risk, of backporting the fix to the v2.3.x
> release stream, I've made the difficult decision not to backport the
> fix.  Further, I'm not aware of any workarounds for this issue.
> Administrators and distros are strongly encouraged to upgrade to
> libseccomp v2.4.0 as soon as possible.
> 
> The related GitHub issue, complete with a brief discussion of the
> problem and a list of the associated patches can be found at the link
> below:
> 
> * https://github.com/seccomp/libseccomp/issues/139
> 
> The libseccomp v2.4.0 release can be found at the link below:
> 
> * https://github.com/seccomp/libseccomp/releases/tag/v2.4.0

Regards,
Salvatore