Version 2.4.0 has been announced on March 14: https://www.openwall.com/lists/oss-security/2019/03/15/1 It's not clear what the exact security implications are, but it should be upgraded.
Whiteboard: (none) => MGA6TOO
Assigning to our registered libseccomp maintainer.
Component: RPM Packages => Security
CC: (none) => marja11
QA Contact: (none) => security
Assignee: bugsquad => olav
Summary: libseccomp should be upgraded to 2.4.0 => libseccomp should be upgraded to 2.4.0 (CVE-2019-9893)
Status comment: (none) => Fixed upstream in 2.4.0
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Ubuntu has issued an advisory for this on May 30: https://usn.ubuntu.com/4001-1/
Severity: normal => major
RedHat has issued an advisory for this on November 5: https://access.redhat.com/errata/RHSA-2019:3624
openSUSE has issued an advisory for this on October 7: https://lists.opensuse.org/opensuse-updates/2019-10/msg00049.html
libseccomp-2.4.2-1.mga8 uploaded for Cauldron by Pascal.
CC: (none) => pterjan
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7
We'll go with the same 2.4.2 in mga7 too, as it also adds support for newer features in the kernels that we are shipping. So I submitted a libseccomp-2.4.2-1.mga7 to testing.
CC: (none) => tmb
Advisory:
========================

Updated libseccomp packages fix security vulnerability:

Jann Horn discovered that libseccomp did not correctly generate 64-bit syscall argument comparisons with arithmetic operators (LT, GT, LE, GE). An attacker could use this to bypass intended access restrictions for argument-filtered system calls (CVE-2019-9893).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893
https://usn.ubuntu.com/4001-1/
========================

Updated packages in core/updates_testing:
========================
libseccomp2-2.4.2-1.mga7
libseccomp-devel-2.4.2-1.mga7

from libseccomp2-2.4.2-1.mga7.src.rpm

Status comment: Fixed upstream in 2.4.0 => (none)
Assignee: olav => qa-bugs
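Added example, not part of the original report and not libseccomp's code: seccomp-BPF instructions compare 32-bit words, so a 64-bit argument comparison has to be composed from its two halves. This model checks a correct composition against native 64-bit comparison for the four operators named in the advisory; `cmp64_per_half` is a hypothetical incorrect composition shown for contrast, and all function names and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum op { OP_LT, OP_GT, OP_LE, OP_GE };

/* One 32-bit comparison: the width a seccomp-BPF instruction works on. */
static int cmp32(enum op op, uint32_t a, uint32_t b) {
    switch (op) {
    case OP_LT: return a < b;
    case OP_GT: return a > b;
    case OP_LE: return a <= b;
    default:    return a >= b;
    }
}

/* Correct: high words decide unless equal; only then do low words decide. */
int cmp64_split(enum op op, uint64_t arg, uint64_t datum) {
    uint32_t ah = (uint32_t)(arg >> 32), dh = (uint32_t)(datum >> 32);
    if (ah != dh)
        return cmp32(op, ah, dh);
    return cmp32(op, (uint32_t)arg, (uint32_t)datum);
}

/* Hypothetical wrong form (assumption, not libseccomp's code): per-half AND. */
int cmp64_per_half(enum op op, uint64_t arg, uint64_t datum) {
    return cmp32(op, (uint32_t)(arg >> 32), (uint32_t)(datum >> 32)) &&
           cmp32(op, (uint32_t)arg, (uint32_t)datum);
}

/* Constructed sample values around the 32-bit boundary. */
static const uint64_t S[] = { 0, 1, 0xFFFFFFFFULL, 0x100000000ULL, 0x1FFFFFFFFULL, UINT64_MAX };
#define NS (sizeof S / sizeof S[0])

/* Count sample pairs where fn disagrees with native 64-bit comparison. */
size_t mismatches(int (*fn)(enum op, uint64_t, uint64_t), enum op op) {
    size_t bad = 0;
    for (size_t i = 0; i < NS; i++)
        for (size_t j = 0; j < NS; j++) {
            uint64_t a = S[i], d = S[j];
            int want = op == OP_LT ? a < d : op == OP_GT ? a > d
                     : op == OP_LE ? a <= d : a >= d;
            bad += (fn(op, a, d) != want);
        }
    return bad;
}

int main(void) {
    for (int op = OP_LT; op <= OP_GE; op++)
        printf("op %d: split=%zu per_half=%zu\n", op, mismatches(cmp64_split, op), mismatches(cmp64_per_half, op));
}
```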
Not knowing how to test this, on my workstation I simply updated lib64seccomp2 to -2.4.2-1.mga7, rebooted, and everything I normally do still seems to work.
CC: (none) => fri
Keywords: (none) => advisory
MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires lib64seccomp2
gives a long list; picked zathura as a simple example.
Installed it and its pdf plugin and strace'd it, opening a pdf file. The trace showed:
openat(AT_FDCWD, "/lib64/libseccomp.so.2", O_RDONLY|O_CLOEXEC) = 3
So OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0136.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED