Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC

Bug 680442 (CVE-2019-9893)

Summary: <sys-libs/libseccomp-2.4.0: incorrect generation of syscall argument filters
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: base-system
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2019/03/15/1
Whiteboard: A2 [glsa+ cve]
Package list:
sys-libs/libseccomp-2.4.0
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2019-03-15 10:38:42 UTC
From ${URL} :

Jann Horn (CC'd) identified a problem in current versions of
libseccomp where the library did not correctly generate 64-bit syscall
argument comparisons using the arithmetic operators (LT, GT, LE, GE).
Jann has done a search using codesearch.debian.net and it would appear
that only systemd and Tor are using libseccomp in such a way as to
trigger the bad code.  In the case of systemd this appears to affect
the socket address family and scheduling class filters.  In the case
of Tor it appears that the bad filters could impact the memory
addresses passed to mprotect(2).

The libseccomp v2.4.0 release fixes this problem, and should be a
direct drop-in replacement for previous v2.x releases.  Due the
complexity, and associated risk, of backporting the fix to the v2.3.x
release stream, I've made the difficult decision not to backport the
fix.  Further, I'm not aware of any workarounds for this issue.
Adminstrators and distros are strongly encouraged to upgrade to
libseccomp v2.4.0 as soon as possible.

The related GitHub issue, complete with a brief discussion of the
problem and a list of the assocated patches can be found at the link
below:

* https://github.com/seccomp/libseccomp/issues/139

The libseccomp v2.4.0 release can be found at the link below:

* https://github.com/seccomp/libseccomp/releases/tag/v2.4.0


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mart Raudsepp gentoo-dev 2019-03-15 10:53:35 UTC
That version also finally adds hppa support, that had been available in git for a while now.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-15 11:46:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b406f50c74400237d176cf74f7bc8052963ad999

commit b406f50c74400237d176cf74f7bc8052963ad999
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-03-15 11:45:15 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-03-15 11:45:56 +0000

    sys-libs/libseccomp: Security bump to version 2.4.0
    
    Bug: https://bugs.gentoo.org/680442
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-libs/libseccomp/Manifest                |  1 +
 sys-libs/libseccomp/libseccomp-2.4.0.ebuild | 41 +++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2019-03-15 11:48:54 UTC
@arches: There's one failing test. But as it's the same test that also fails in our current stable version (2.3.3) I didn't investigate any further. Please stabilize anyway as this is no regression.
Comment 4 Larry the Git Cow gentoo-dev 2019-03-18 08:17:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55ed6bd1fc8574678420e0e57ac975a83bc817a4

commit 55ed6bd1fc8574678420e0e57ac975a83bc817a4
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-03-18 08:16:53 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-03-18 08:17:09 +0000

    sys-libs/libseccomp: Version 2.4.0 stable for amd64 and x86.
    
    Bug: https://bugs.gentoo.org/680442
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-libs/libseccomp/libseccomp-2.4.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Markus Meier gentoo-dev 2019-03-20 17:03:49 UTC
arm stable
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2019-03-24 13:22:36 UTC
New GLSA Request filed.
Comment 7 Matt Turner gentoo-dev 2019-03-29 03:53:27 UTC
You have to create a package list! FFS.
Comment 8 Matt Turner gentoo-dev 2019-03-29 05:18:31 UTC
ppc/ppc64 stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 09:45:28 UTC
s390 stable
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-08 03:38:54 UTC
arm64 stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-15 08:52:17 UTC
Cleanup done
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-04-17 18:32:53 UTC
This issue was resolved and addressed in
 GLSA 201904-18 at https://security.gentoo.org/glsa/201904-18
by GLSA coordinator Aaron Bauman (b-man).