GHSA-vv6c-69r6-chg9 – github.com/landlock-lsm/go-landlock
Package
Manager: go
Name: github.com/landlock-lsm/go-landlock
Vulnerable Version: >=0.0.0-20240109 <0.0.0-20241013234402-fb3ad845df46
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly

### Impact

When using the recommended "best-effort" mode, Go-Landlock did not restrict the TCP bind() and connect() operations any more when they were requested.

This affects Go-Landlock users to whom both of the following conditions apply:

* They use Landlock rulesets that are supposed to restrict networking (through `landlock.V4`, `landlock.V5`, or self-configured).
* These Landlock rulesets are used in best-effort mode.

Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of `V4`/`V5` and `.BestEffort()`):

```
err := landlock.V5.BestEffort().Restrict(...)
```

* This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.
* The bug only affects networking restrictions. File system restrictions continue to work as expected.

### Patches

Patched in: https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b

Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46

Go package dependencies can be updated using `go get -u` from the project directory.

Projects on GitHub might get notified by Dependabot, once this advisory is public.

### Workarounds

None.

### References

Currently none.

[The existing users of Go-Landlock on GitHub](https://pkg.go.dev/github.com/landlock-lsm/go-landlock/landlock?tab=importedby) have the following bugs filed:

* https://github.com/Foxboron/ssh-the-planet/issues/1
* https://github.com/ngergs/websrv/issues/15
* https://github.com/pufferffish/wireproxy/issues/142
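A dependency check against the affected range listed in this advisory, as an added example that is not part of the advisory or the Go-Landlock project: it reads a go.mod text and reports whether the required go-landlock version is at or after `0.0.0-20240109` and before the patched pseudo-version. The sample go.mod and the pseudo-version in it are constructed, and `landlockVersion` and `isVulnerable` are hypothetical helper names; `replace` and `exclude` directives are not resolved.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const (
	modPath  = "github.com/landlock-lsm/go-landlock"
	lowBound = "v0.0.0-20240109"                    // advisory: start of vulnerable range
	fixed    = "v0.0.0-20241013234402-fb3ad845df46" // advisory: first patched version
)

// sampleGoMod is a constructed go.mod; its go-landlock pseudo-version is made up.
const sampleGoMod = `module example.com/app

require (
	github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-000000000000 // constructed
	golang.org/x/sys v0.20.0 // indirect
)
`

// landlockVersion returns the go-landlock version required by a go.mod text,
// or "" when the module is not required.
func landlockVersion(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comments
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		}
		if len(f) >= 2 && f[0] == modPath && strings.HasPrefix(f[1], "v") {
			return f[1]
		}
	}
	return ""
}

// isVulnerable reports whether v lies in [lowBound, fixed). Assumption: only
// v0.0.0 pseudo-versions are in range; their fixed-width UTC timestamps make
// plain string comparison agree with version ordering.
func isVulnerable(v string) bool {
	return strings.HasPrefix(v, "v0.0.0-") && v >= lowBound && v < fixed
}

func main() {
	v := landlockVersion(sampleGoMod)
	fmt.Printf("%s %s vulnerable=%v\n", modPath, v, isVulnerable(v))
}
```

A version reported as not vulnerable only means the dependency is outside the advisory's range; whether a program was exposed still depends on it using a network-restricting ruleset together with `.BestEffort()`.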
Metadata
Created: 2024-10-14T20:30:25Z
Modified: 2024-10-14T20:30:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-vv6c-69r6-chg9/GHSA-vv6c-69r6-chg9.json
CWE IDs: []
Alternative ID: N/A
Finding: F115
Auto approve: 1