Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly
Impact
When a ruleset was applied in the recommended "best-effort" mode, Go-Landlock did not enforce the TCP bind() and connect() restrictions that the ruleset requested: the file system part of the ruleset took effect, but the network part was dropped. This affects Go-Landlock users to whom both of the following conditions apply:
- They use Landlock rulesets that are supposed to restrict networking (through landlock.V4, landlock.V5, or a self-configured ruleset).
- These Landlock rulesets are used in best-effort mode.
Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of V4/V5 and .BestEffort()):
    err := landlock.V5.BestEffort().Restrict(...)
- This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings.
- The bug only affects networking restrictions. File system restrictions continue to work as expected.
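Because there is no workaround and the library reported nothing when the network rules were dropped, the check a practitioner wants is a runtime canary: after the ruleset is applied, connect to a TCP port that is not in the allowlist and insist on EACCES. The Go program below is an added example written for this page; it is not code from the advisory or from the Go-Landlock project. To run without the library under suspicion it calls the raw Landlock syscalls directly (syscall numbers and flag values from the kernel UAPI headers), builds a ruleset that handles TCP bind and connect and allowlists only connect to port 443, applies it to one locked OS thread, and then dials a listener it created beforehand. Restricting a single thread is enough for a probe but is not how Go-Landlock sandboxes a whole process; in a program that uses the library, the same connect-and-expect-EACCES canary belongs right after the Restrict call. The listener address, the choice of port 443, and the Outcome names are the example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"runtime"
	"syscall"
	"unsafe"
)

// From include/uapi/linux/landlock.h and linux/prctl.h; the three Landlock syscall numbers are the same on every Linux architecture.
const (
	sysLandlockCreateRuleset     = 444
	sysLandlockAddRule           = 445
	sysLandlockRestrictSelf      = 446
	landlockCreateRulesetVersion = 1 << 0 // flag: report the ABI version instead of creating a ruleset
	landlockRuleNetPort          = 2      // rule type for landlockNetPortAttr
	landlockAccessNetBindTCP     = 1 << 0
	landlockAccessNetConnectTCP  = 1 << 1
	prSetNoNewPrivs              = 38 // PR_SET_NO_NEW_PRIVS, required before landlock_restrict_self
)

// struct landlock_ruleset_attr (ABI v4/v5 layout) and struct landlock_net_port_attr.
type landlockRulesetAttr struct{ handledAccessFS, handledAccessNet uint64 }
type landlockNetPortAttr struct{ allowedAccess, port uint64 }

type Outcome int // what the canary concludes about TCP restrictions on this kernel

const (
	Unsupported  Outcome = iota // ABI < 4 or Landlock unavailable: nothing to verify
	Enforced                    // connect() outside the allowlist was denied with EACCES
	NotEnforced                 // ruleset applied, yet connect() succeeded: the failure mode above
	Inconclusive                // connect() failed for an unrelated reason
)

func (o Outcome) String() string { return [...]string{"unsupported", "enforced", "not-enforced", "inconclusive"}[o] }

// restrictThreadAndDial applies a ruleset that handles TCP bind and connect but allowlists only
// connect to port 443 (assumed allowlist, what landlock.ConnectTCP(443) expresses), then dials addr,
// which is not allowlisted. Landlock restricts only the calling thread, so the caller must have locked it.
func restrictThreadAndDial(addr string) (Outcome, error) {
	attr := landlockRulesetAttr{handledAccessNet: landlockAccessNetBindTCP | landlockAccessNetConnectTCP}
	fd, _, errno := syscall.Syscall(sysLandlockCreateRuleset, uintptr(unsafe.Pointer(&attr)), unsafe.Sizeof(attr), 0)
	if errno != 0 {
		return Unsupported, fmt.Errorf("landlock_create_ruleset: %w", errno)
	}
	defer syscall.Close(int(fd))
	rule := landlockNetPortAttr{allowedAccess: landlockAccessNetConnectTCP, port: 443}
	if _, _, errno := syscall.Syscall6(sysLandlockAddRule, fd, landlockRuleNetPort, uintptr(unsafe.Pointer(&rule)), 0, 0, 0); errno != 0 {
		return Unsupported, fmt.Errorf("landlock_add_rule: %w", errno)
	}
	if _, _, errno := syscall.Syscall6(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0, 0, 0, 0); errno != 0 {
		return Unsupported, fmt.Errorf("prctl(PR_SET_NO_NEW_PRIVS): %w", errno)
	}
	if _, _, errno := syscall.Syscall(sysLandlockRestrictSelf, fd, 0, 0); errno != 0 {
		return Unsupported, fmt.Errorf("landlock_restrict_self: %w", errno)
	}
	// This thread is now sandboxed; the canary connect must be denied.
	conn, err := net.Dial("tcp4", addr)
	switch {
	case err == nil:
		conn.Close()
		return NotEnforced, nil
	case errors.Is(err, syscall.EACCES):
		return Enforced, nil
	default:
		return Inconclusive, err
	}
}

// ProbeTCPEnforcement runs the canary on a dedicated thread. The loopback listener (constructed
// test target) is created before restricting, since bind() to an arbitrary port is denied afterwards.
func ProbeTCPEnforcement() (Outcome, error) {
	// landlock_create_ruleset(NULL, 0, VERSION) returns the ABI version; network rules need ABI 4.
	if v, _, errno := syscall.Syscall(sysLandlockCreateRuleset, 0, 0, landlockCreateRulesetVersion); errno != 0 || v < 4 {
		return Unsupported, nil
	}
	ln, err := net.Listen("tcp4", "127.0.0.1:0")
	if err != nil {
		return Inconclusive, err
	}
	defer ln.Close()
	type result struct{ o Outcome; err error }
	done := make(chan result, 1)
	go func() {
		// Deliberately never unlocked: when this goroutine exits, the runtime terminates
		// the restricted thread instead of returning it to the pool.
		runtime.LockOSThread()
		o, err := restrictThreadAndDial(ln.Addr().String())
		done <- result{o, err}
	}()
	r := <-done
	return r.o, r.err
}

func main() { fmt.Println(ProbeTCPEnforcement()) }
```

On a kernel with Landlock ABI 4 or later the probe prints "enforced"; on older kernels or where Landlock is disabled it prints "unsupported", which is the honest best-effort answer. A program that gets "not-enforced" after it believes it applied network rules should treat that as a fatal configuration error rather than continue with a sandbox it does not have.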
Patches
Patched in: https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b
Users should upgrade to: v0.0.0-20241013234402-fb3ad845df46
Go package dependencies can be updated using go get -u from the project directory, or this dependency alone with go get github.com/landlock-lsm/go-landlock@v0.0.0-20241013234402-fb3ad845df46 followed by go mod tidy.
Projects on GitHub may be notified by Dependabot once this advisory is public.
Workarounds
None.
References
Currently none.
Bugs have been filed against the following known users of Go-Landlock on GitHub:
- https://github.com/Foxboron/ssh-the-planet/issues/1
- https://github.com/ngergs/websrv/issues/15
- https://github.com/pufferffish/wireproxy/issues/142
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12djZjLTY5cjYtY2hnOc4ABAQQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 1 day ago
Updated: 1 day ago
Identifiers: GHSA-vv6c-69r6-chg9
References:
- https://github.com/landlock-lsm/go-landlock/security/advisories/GHSA-vv6c-69r6-chg9
- https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b
- https://github.com/advisories/GHSA-vv6c-69r6-chg9
Blast Radius: 0.0
Affected Packages
go:github.com/landlock-lsm/go-landlock
Dependent packages: 8
Dependent repositories: 6
Affected Version Ranges: >= 0.0.0-20240109, < 0.0.0-20241013234402-fb3ad845df46
Fixed in: 0.0.0-20241013234402-fb3ad845df46
All affected versions: 0.0.0-20221114184819-4ed765d30e70, 0.0.0-20221217100533-f0382d142170, 0.0.0-20230126200800-572d13278e8f, 0.0.0-20230212201647-821adaecc1a5, 0.0.0-20230225094210-7a98d7db83f2, 0.0.0-20230604202510-598aeb39de6d, 0.0.0-20230604202754-6a7538cc6397, 0.0.0-20230604203448-28da5576ad06, 0.0.0-20230605175258-20265594a4a7, 0.0.0-20230607164353-b03374193cb2, 0.0.0-20240106194611-43ca26dda906, 0.0.0-20240109204007-d5b09ccb3f60, 0.0.0-20240110195929-9e68e6507282, 0.0.0-20240115190327-e337b01c55fd, 0.0.0-20240119205636-0267bd0f19da