Security update for libseccomp SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2280-1 Final 1 1 2019-10-07T14:21:04Z current 2019-10-07T14:21:04Z 2019-10-07T14:21:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libseccomp This update for libseccomp fixes the following issues: Security issues fixed: - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828) libseccomp was updated to new upstream release 2.4.1: - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893): - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates libseccomp was updated to release 2.3.3: - Updated the syscall table for Linux v4.15-rc7 This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2280 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T6BTDMAAEMEE2KT356XYSAOY6YPXMQ6B/#T6BTDMAAEMEE2KT356XYSAOY6YPXMQ6B E-Mail link for openSUSE-SU-2019:2280-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1082318 SUSE Bug 1082318 https://bugzilla.suse.com/1128828 SUSE Bug 1128828 https://bugzilla.suse.com/1142614 SUSE Bug 1142614 https://www.suse.com/security/cve/CVE-2019-9893/ SUSE CVE CVE-2019-9893 page openSUSE Leap 15.0 libseccomp-devel-2.4.1-lp150.2.3.1 libseccomp-tools-2.4.1-lp150.2.3.1 libseccomp2-2.4.1-lp150.2.3.1 libseccomp2-32bit-2.4.1-lp150.2.3.1 libseccomp-devel-2.4.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libseccomp-tools-2.4.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libseccomp2-2.4.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libseccomp2-32bit-2.4.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations. CVE-2019-9893 openSUSE Leap 15.0:libseccomp-devel-2.4.1-lp150.2.3.1 openSUSE Leap 15.0:libseccomp-tools-2.4.1-lp150.2.3.1 openSUSE Leap 15.0:libseccomp2-2.4.1-lp150.2.3.1 openSUSE Leap 15.0:libseccomp2-32bit-2.4.1-lp150.2.3.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T6BTDMAAEMEE2KT356XYSAOY6YPXMQ6B/#T6BTDMAAEMEE2KT356XYSAOY6YPXMQ6B https://www.suse.com/security/cve/CVE-2019-9893.html CVE-2019-9893 https://bugzilla.suse.com/1128828 SUSE Bug 1128828