Your message dated Wed, 17 Jul 2019 21:35:18 +0000
with message-id <[email protected]>
and subject line Bug#924646: fixed in libseccomp 2.4.1-1
has caused the Debian Bug report #924646,
regarding libseccomp: CVE-2019-9893: incorrect generation of syscall argument
filters
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
924646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924646
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libseccomp
Version: 2.3.3-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/seccomp/libseccomp/issues/139
Control: found -1 2.3.1-2.1+deb9u1
Control: found -1 2.3.1-2.1
Control: affects -1 tor,systemd
Hi
See: https://www.openwall.com/lists/oss-security/2019/03/15/1
> Jann Horn (CC'd) identified a problem in current versions of
> libseccomp where the library did not correctly generate 64-bit syscall
> argument comparisons using the arithmetic operators (LT, GT, LE, GE).
> Jann has done a search using codesearch.debian.net and it would appear
> that only systemd and Tor are using libseccomp in such a way as to
> trigger the bad code. In the case of systemd this appears to affect
> the socket address family and scheduling class filters. In the case
> of Tor it appears that the bad filters could impact the memory
> addresses passed to mprotect(2).
>
> The libseccomp v2.4.0 release fixes this problem, and should be a
> direct drop-in replacement for previous v2.x releases. Due to the
> complexity, and associated risk, of backporting the fix to the v2.3.x
> release stream, I've made the difficult decision not to backport the
> fix. Further, I'm not aware of any workarounds for this issue.
> Administrators and distros are strongly encouraged to upgrade to
> libseccomp v2.4.0 as soon as possible.
>
> The related GitHub issue, complete with a brief discussion of the
> problem and a list of the associated patches can be found at the link
> below:
>
> * https://github.com/seccomp/libseccomp/issues/139
>
> The libseccomp v2.4.0 release can be found at the link below:
>
> * https://github.com/seccomp/libseccomp/releases/tag/v2.4.0
Regards,
Salvatore
--- End Message ---
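An added illustration, not part of the original report and not libseccomp code: seccomp BPF instructions test 32-bit words while syscall arguments are 64 bits wide, so an LT/GT/LE/GE comparison has to be composed from two word comparisons. The sketch checks a sound composition against plain 64-bit semantics; `cmp64_per_word` is a constructed pitfall for contrast, not the actual libseccomp defect (which this page does not detail), and all names and test values are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum cmp_op { OP_LT, OP_LE, OP_GT, OP_GE };  /* operators named in the advisory */

/* Plain comparison: used on zero-extended 32-bit words (the width a BPF
 * instruction can test) and as the 64-bit reference semantics. */
static bool cmp(enum cmp_op op, uint64_t a, uint64_t d)
{
    switch (op) {
    case OP_LT: return a < d;
    case OP_LE: return a <= d;
    case OP_GT: return a > d;
    default:    return a >= d;
    }
}

/* Sound split: the high words decide unless they are equal,
 * in which case the low words decide. */
bool cmp64_split(enum cmp_op op, uint64_t a, uint64_t d)
{
    uint32_t a_hi = (uint32_t)(a >> 32), d_hi = (uint32_t)(d >> 32);
    if (a_hi != d_hi)
        return (op == OP_GT || op == OP_GE) ? a_hi > d_hi : a_hi < d_hi;
    return cmp(op, (uint32_t)a, (uint32_t)d);
}

/* Constructed pitfall (hypothetical): operator applied to each half alone. */
bool cmp64_per_word(enum cmp_op op, uint64_t a, uint64_t d)
{
    return cmp(op, a >> 32, d >> 32) && cmp(op, (uint32_t)a, (uint32_t)d);
}

/* Count disagreements with 64-bit semantics over constructed boundary
 * values, including an address above 4 GiB as mprotect(2) might receive. */
int count_mismatches(bool (*impl)(enum cmp_op, uint64_t, uint64_t))
{
    static const uint64_t v[] = { 0, 1, 0xFFFFFFFFULL, 0x100000000ULL,
        0x1FFFFFFFFULL, 0x200000000ULL, 0x7F0000001000ULL, UINT64_MAX };
    size_t n = sizeof v / sizeof v[0];
    int bad = 0;
    for (int op = OP_LT; op <= OP_GE; op++)
        for (size_t i = 0; i < n; i++)
            for (size_t j = 0; j < n; j++)
                bad += impl((enum cmp_op)op, v[i], v[j]) !=
                       cmp((enum cmp_op)op, v[i], v[j]);
    return bad;
}
```

A filter generator can be checked the same way: run the emitted comparison over values that straddle the 32-bit boundary and compare against native 64-bit results.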
--- Begin Message ---
Source: libseccomp
Source-Version: 2.4.1-1
We believe that the bug you reported is fixed in the latest version of
libseccomp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <[email protected]> (supplier of updated libseccomp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 17 Jul 2019 23:23:28 +0200
Source: libseccomp
Architecture: source
Version: 2.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Kees Cook <[email protected]>
Changed-By: Felix Geyer <[email protected]>
Closes: 924646
Changes:
libseccomp (2.4.1-1) unstable; urgency=medium
.
* New upstream release.
- Addresses CVE-2019-9893 (Closes: #924646)
* Drop all patches for parisc arch support, merged upstream.
* Build-depend on valgrind to run more unit tests.
* Run dh_auto_configure for every python 3 version to install the extension
in the correct path.
* Update the symbols file.
* Adapt autopkgtest to new upstream version:
- Build against pthread
- Build scmp_api_level tool
* Upgrade to debhelper compat level 12.
- Add d/not-installed file
* Fix install path of the python module.
- Add python_install_dir.patch
* Add autopkgtest for python packages.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---