Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Blocker
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.0.beta
Component/s: libseccomp
Labels:
None

Fixed in Build:
libseccomp-2.5.6-1.el10
Regression:
No
Severity:
Moderate
Epic Link:
SECENGSP-6575
AssignedTeam:
rhel-security-special-projects
Sub-System Group:

ssg_security
sprint_count:
2

Story Points:
3
Product Documentation Required:
No
Sprint:
SECENGSP Cycle 22, SECENGSP Cycle 23

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/151950
Test Coverage:

Automated

Release Note Type:
Release Note Not Required

Architecture:

All

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

libseccomp in both CentOS 9 & 10 is "old" and missing the knowledge of recent syscalls. When using docker or podman to run non-privileged containers, seccomp is actually filtering these syscalls which might be used by more recent OS containers, like for example fchmodat2 used by the glibc in RHEL 10 or Fedora. We should let syscalls actually implemented by the kernel be used instead of using the glibc fallback code in these cases.

Thus I propose we upgrade libseccomp to the latest version 2.5.x (I doubt you will want to go for 2.6.0 for now).

links to

RHBA-2025:151950 libseccomp update

Assignee:: Adam Prikryl

Reporter:: Romain Geissler (Inactive)

Developer:: Anderson Toshiyuki Sasaki

QA Contact:: SSG Security QE

Votes:: 1 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2025/02/18 11:22 PM

Updated:: 2025/11/11 9:16 AM

Resolved:: 2025/11/11 9:16 AM

Next Planned Release Date:: 2025/11/11

Release Date:: 2025/11/11