CVE-2017-18367

libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
VendorProductVersion
libseccomp-golang_projectlibseccomp-golang
𝑥
≤ 0.9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-github-seccomp-libseccomp-golang
bullseye
0.9.1-2
fixed
sid
0.10.0-3
fixed
trixie
0.10.0-3
fixed
bookworm
0.10.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-seccomp-libseccomp-golang
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
ignored
cosmic
ignored
bionic
needed
xenial
Fixed 0.0~git20150813.0.1b506fc-2+deb9u1build0.16.04.1
released
trusty
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2019/04/25/6
https://access.redhat.com/errata/RHSA-2019:4087
https://access.redhat.com/errata/RHSA-2019:4090
https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
https://github.com/seccomp/libseccomp-golang/issues/22
https://lists.debian.org/debian-lts-announce/2020/08/msg00016.html
https://usn.ubuntu.com/4574-1/
http://www.openwall.com/lists/oss-security/2019/04/25/6
https://access.redhat.com/errata/RHSA-2019:4087
https://access.redhat.com/errata/RHSA-2019:4090
https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
https://github.com/seccomp/libseccomp-golang/issues/22
https://lists.debian.org/debian-lts-announce/2020/08/msg00016.html
https://usn.ubuntu.com/4574-1/