GHSA-vv6c-69r6-chg9

Source
https://github.com/advisories/GHSA-vv6c-69r6-chg9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-vv6c-69r6-chg9/GHSA-vv6c-69r6-chg9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vv6c-69r6-chg9
Aliases
Published
2024-10-14T20:30:25Z
Modified
2024-10-16T02:27:29.833925Z
Summary
Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly
Details

Impact

When using the recommended "best-effort" mode, Go-Landlock no longer restricted the TCP bind() and connect() operations, even when those restrictions were requested. This affects Go-Landlock users to whom both of the following conditions apply:

  • They use Landlock rulesets that are supposed to restrict networking (through landlock.V4, landlock.V5, or self-configured).
  • These Landlock rulesets are used in best-effort mode.

Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):

err := landlock.V5.BestEffort().Restrict(...)

  • This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.
  • The bug only affects networking restrictions. File system restrictions continue to work as expected.

Patches

Patched in: https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b

Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46

Go package dependencies can be updated using go get -u from the project directory.

Projects on GitHub may be notified by Dependabot once this advisory is public.

Workarounds

None.

References

Currently none.

The existing users of Go-Landlock on GitHub have the following bugs filed:

  • https://github.com/Foxboron/ssh-the-planet/issues/1
  • https://github.com/ngergs/websrv/issues/15
  • https://github.com/pufferffish/wireproxy/issues/142

Database specific
{
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-14T20:30:25Z",
    "severity": "LOW",
    "cwe_ids": []
}
Affected packages

Go / github.com/landlock-lsm/go-landlock

Package

Name
github.com/landlock-lsm/go-landlock
Purl
pkg:golang/github.com/landlock-lsm/go-landlock

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-20240109
Fixed
0.0.0-20241013234402-fb3ad845df46