Bug 24523 - libseccomp should be upgraded to 2.4.0 (CVE-2019-9893)
Summary: libseccomp should be upgraded to 2.4.0 (CVE-2019-9893)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-03-17 16:09 CET by David Walser
Modified: 2020-03-10 20:06 CET (History)
CC: 7 users

See Also:
Source RPM: libseccomp-2.3.3-2.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-03-17 16:09:40 CET
Version 2.4.0 has been announced on March 14:
https://www.openwall.com/lists/oss-security/2019/03/15/1

It's not clear what the exact security implications are, but it should be upgraded.
David Walser 2019-03-17 16:09:47 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-03-17 17:37:25 CET
Assigning to our registered libseccomp maintainer.

Component: RPM Packages => Security
CC: (none) => marja11
QA Contact: (none) => security
Assignee: bugsquad => olav

David Walser 2019-03-21 13:16:55 CET

Summary: libseccomp should be upgraded to 2.4.0 => libseccomp should be upgraded to 2.4.0 (CVE-2019-9893)

David Walser 2019-03-28 21:21:20 CET

Status comment: (none) => Fixed upstream in 2.4.0

David Walser 2019-06-23 19:19:35 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 2 David Walser 2019-08-11 21:53:04 CEST
Ubuntu has issued an advisory for this on May 30:
https://usn.ubuntu.com/4001-1/

Severity: normal => major

Comment 3 David Walser 2019-11-12 20:08:06 CET
RedHat has issued an advisory for this on November 5:
https://access.redhat.com/errata/RHSA-2019:3624
Comment 4 David Walser 2019-12-03 18:11:32 CET
openSUSE has issued an advisory for this on October 7:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00049.html
Comment 5 David Walser 2020-03-04 22:03:46 CET
libseccomp-2.4.2-1.mga8 uploaded for Cauldron by Pascal.

CC: (none) => pterjan
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7

Comment 6 Thomas Backlund 2020-03-04 23:04:43 CET
We'll go with the same 2.4.2 in mga7 too, as it also adds support for newer features in the kernels that we are shipping.

So I submitted a libseccomp-2.4.2-1.mga7 to testing

CC: (none) => tmb

Comment 7 David Walser 2020-03-05 00:08:47 CET
Advisory:
========================

Updated libseccomp packages fix security vulnerability:

Jann Horn discovered that libseccomp did not correctly generate 64-bit syscall
argument comparisons with arithmetic operators (LT, GT, LE, GE). An attacker
could use this to bypass intended access restrictions for argument-filtered
system calls (CVE-2019-9893).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893
https://usn.ubuntu.com/4001-1/
========================

Updated packages in core/updates_testing:
========================
libseccomp2-2.4.2-1.mga7
libseccomp-devel-2.4.2-1.mga7

from libseccomp2-2.4.2-1.mga7.src.rpm

Status comment: Fixed upstream in 2.4.0 => (none)
Assignee: olav => qa-bugs
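
The advisory above says the flaw was in how libseccomp generated 64-bit argument comparisons for the ordering operators. The following is an added illustration, not libseccomp's code and not a reproduction of the actual bug: classic BPF, which seccomp filters are compiled to, operates on 32-bit words, so a 64-bit syscall argument has to be compared as a high word and a low word, and the low word may only decide when the high words are equal. The block implements that two-word comparison, checks it against a native 64-bit compare over boundary inputs, and contrasts it with a constructed low-word-only variant to show how a word-level mistake misclassifies arguments whose high words differ. The operator enum and the sample datum are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Operators named in the advisory: LT, GT, LE, GE (names assumed here). */
enum cmp_op { CMP_LT, CMP_GT, CMP_LE, CMP_GE };

/* Reference: native unsigned 64-bit comparison. */
static bool cmp64_native(enum cmp_op op, uint64_t arg, uint64_t datum) {
    switch (op) {
    case CMP_LT: return arg < datum;
    case CMP_GT: return arg > datum;
    case CMP_LE: return arg <= datum;
    case CMP_GE: return arg >= datum;
    }
    return false;
}

/* Two-word comparison as a classic-BPF filter must do it: the high words
   decide first; the low words are consulted only when the high words match. */
static bool cmp64_via_words(enum cmp_op op, uint64_t arg, uint64_t datum) {
    uint32_t ah = (uint32_t)(arg >> 32), al = (uint32_t)arg;
    uint32_t dh = (uint32_t)(datum >> 32), dl = (uint32_t)datum;
    if (ah != dh) {
        /* High words differ: they alone determine the ordering. */
        switch (op) {
        case CMP_LT: case CMP_LE: return ah < dh;
        case CMP_GT: case CMP_GE: return ah > dh;
        }
        return false;
    }
    /* High words equal: the low word decides with the original operator. */
    switch (op) {
    case CMP_LT: return al < dl;
    case CMP_GT: return al > dl;
    case CMP_LE: return al <= dl;
    case CMP_GE: return al >= dl;
    }
    return false;
}

/* Constructed, deliberately insufficient variant for contrast only: it looks
   at the low 32-bit word. This is NOT the libseccomp defect; it just shows
   that a single-word compare cannot order 64-bit arguments. */
static bool cmp64_low_word_only(enum cmp_op op, uint64_t arg, uint64_t datum) {
    return cmp64_native(op, (uint32_t)arg, (uint32_t)datum);
}

typedef bool (*cmp64_fn)(enum cmp_op, uint64_t, uint64_t);

/* Count disagreements with the native compare over boundary probes around a
   datum: same/different high word, same/different low word, extremes.
   Returns 0 for a correct implementation. */
static int count_mismatches(cmp64_fn fn, uint64_t datum) {
    const uint64_t probes[] = {
        0, 1, UINT32_MAX, (uint64_t)1 << 32, UINT64_MAX,
        datum, datum - 1, datum + 1,
        datum - ((uint64_t)1 << 32), datum + ((uint64_t)1 << 32),
        datum ^ 0xffffffffULL,            /* same high word, low word flipped */
        datum ^ 0xffffffff00000000ULL,    /* same low word, high word flipped */
    };
    int bad = 0;
    for (int op = CMP_LT; op <= CMP_GE; op++)
        for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
            if (fn((enum cmp_op)op, probes[i], datum)
                    != cmp64_native((enum cmp_op)op, probes[i], datum))
                bad++;
    return bad;
}

int main(void) {
    /* Constructed datum with non-zero high and low words, the kind of 64-bit
       bound (a length or address limit) a filter might compare an argument to. */
    const uint64_t datum = 0x00000001ffffff00ULL;
    printf("two-word compare mismatches: %d\n",
           count_mismatches(cmp64_via_words, datum));
    printf("low-word-only mismatches:    %d\n",
           count_mismatches(cmp64_low_word_only, datum));
    return 0;
}
```

The point for anyone relying on argument-filtered rules: a filter that compares a 64-bit argument with LT/GT/LE/GE is only as strong as the word-level BPF it compiles to, which is why the update rather than a rule rewrite is the fix here.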

Comment 8 Morgan Leijström 2020-03-05 14:10:17 CET
Not knowing how to test this, on my workstation I simply updated lib64seccomp2 to -2.4.2-1.mga7, rebooted, and everything I normally do still seems to work.

CC: (none) => fri

Thomas Backlund 2020-03-06 17:36:40 CET

Keywords: (none) => advisory

Comment 9 Herman Viaene 2020-03-09 14:01:06 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires lib64seccomp2
gives a long list; picked zathura as a simple example. Installed it and its pdf plugin and strace'd it, opening a pdf file.
The trace showed:
openat(AT_FDCWD, "/lib64/libseccomp.so.2", O_RDONLY|O_CLOEXEC) = 3
So OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 10 Thomas Andrews 2020-03-09 17:12:28 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2020-03-10 20:06:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0136.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

