| Summary: | libseccomp should be upgraded to 2.4.0 (CVE-2019-9893) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, fri, herman.viaene, marja11, pterjan, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libseccomp-2.3.3-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-03-17 16:09:40 CET
David Walser
2019-03-17 16:09:47 CET
Whiteboard:
(none) =>
MGA6TOO

Assigning to our registered libseccomp maintainer.

Component:
RPM Packages =>
Security
David Walser
2019-03-21 13:16:55 CET
Summary:
libseccomp should be upgraded to 2.4.0 =>
libseccomp should be upgraded to 2.4.0 (CVE-2019-9893)
David Walser
2019-03-28 21:21:20 CET
Status comment:
(none) =>
Fixed upstream in 2.4.0
David Walser
2019-06-23 19:19:35 CEST
Whiteboard:
MGA6TOO =>
MGA7TOO, MGA6TOO

Ubuntu has issued an advisory for this on May 30:
https://usn.ubuntu.com/4001-1/

Severity:
normal =>
major

RedHat has issued an advisory for this on November 5:
https://access.redhat.com/errata/RHSA-2019:3624

openSUSE has issued an advisory for this on October 7:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00049.html

libseccomp-2.4.2-1.mga8 uploaded for Cauldron by Pascal.

CC:
(none) =>
pterjan

We'll go with the same 2.4.2 in mga7 too as it also adds support for newer features in the kernels that we are shipping

So I submitted a libseccomp-2.4.2-1.mga7 to testing

CC:
(none) =>
tmb

Advisory:
========================

Updated libseccomp packages fix security vulnerability:

Jann Horn discovered that libseccomp did not correctly generate 64-bit syscall argument comparisons with arithmetic operators (LT, GT, LE, GE). An attacker could use this to bypass intended access restrictions for argument-filtered system calls (CVE-2019-9893).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893
https://usn.ubuntu.com/4001-1/
========================

Updated packages in core/updates_testing:
========================
libseccomp2-2.4.2-1.mga7
libseccomp-devel-2.4.2-1.mga7

from libseccomp2-2.4.2-1.mga7.src.rpm

Status comment:
Fixed upstream in 2.4.0 =>
(none)

Not knowing how to test this, on my workstation I simply updated lib64seccomp2 to -2.4.2-1.mga7, rebooted, and everything I normally do still seems to work.

CC:
(none) =>
fri
Thomas Backlund
2020-03-06 17:36:40 CET
Keywords:
(none) =>
advisory

MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires lib64seccomp2
gives long list, picked zathura as a simple example.
Installed it and its pdf plugin and strace'd it, opening a pdf file. The trace showed:
openat(AT_FDCWD, "/lib64/libseccomp.so.2", O_RDONLY|O_CLOEXEC) = 3
So OK for me.

CC:
(none) =>
herman.viaene

Validating.

CC:
(none) =>
andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0136.html

Status:
NEW =>
RESOLVED
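
The advisory in this report concerns 64-bit syscall argument comparisons with LT, GT, LE and GE. The following is an added illustration, not libseccomp code and not part of the bug report: it shows how a 64-bit comparison has to be assembled from 32-bit comparisons, and checks it against boundary values. All function names are hypothetical, and the faulty variant is a constructed example of how such a split can go wrong, not a reproduction of what libseccomp generated before 2.4.0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* seccomp BPF works on 32-bit words, so a filter sees a 64-bit syscall
 * argument as two halves and must combine two 32-bit comparisons. */
enum cmp_op { OP_LT, OP_LE, OP_GT, OP_GE };

/* Reference: "a OP d" on full-width values (also used for single halves). */
bool cmp_native(enum cmp_op op, uint64_t a, uint64_t d) {
    switch (op) {
    case OP_LT: return a < d;
    case OP_LE: return a <= d;
    case OP_GT: return a > d;
    default:    return a >= d;
    }
}

static uint32_t hi(uint64_t v) { return (uint32_t)(v >> 32); }
static uint32_t lo(uint64_t v) { return (uint32_t)v; }

/* Correct split: the high words decide unless they are equal. */
bool cmp64_split(enum cmp_op op, uint64_t a, uint64_t d) {
    if (hi(a) != hi(d))
        return (op == OP_LT || op == OP_LE) ? hi(a) < hi(d) : hi(a) > hi(d);
    return cmp_native(op, lo(a), lo(d));
}

/* Constructed faulty split (not libseccomp's code): each half on its own. */
bool cmp64_per_half(enum cmp_op op, uint64_t a, uint64_t d) {
    return cmp_native(op, hi(a), hi(d)) && cmp_native(op, lo(a), lo(d));
}

/* Count (op, arg, datum) cases where impl disagrees with the reference.
 * The values are constructed to sit on the 32-bit boundary. */
int count_mismatches(bool (*impl)(enum cmp_op, uint64_t, uint64_t)) {
    static const uint64_t v[] = { 0, 1, 0xFFFFFFFFull, 0x100000000ull,
        0x100000001ull, 0x1FFFFFFFFull, 0xFFFFFFFF00000000ull, UINT64_MAX };
    int n = (int)(sizeof v / sizeof v[0]), bad = 0;
    for (int op = OP_LT; op <= OP_GE; op++)
        for (int i = 0; i < n; i++)
            for (int j = 0; j < n; j++)
                bad += impl(op, v[i], v[j]) != cmp_native(op, v[i], v[j]);
    return bad;
}

int main(void) {
    printf("split=%d per_half=%d\n", count_mismatches(cmp64_split),
           count_mismatches(cmp64_per_half));
}
```

A filter rule whose comparison is wrong for values that straddle the 32-bit boundary makes a different allow/deny decision than the policy author wrote, which is why a check of this kind needs inputs on both sides of that boundary.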