Hi Ivan!
Ok, so now we have confirmation that the musllibc in LionsOS is vulnerable. My question is: does LionsOS use musllibc to resolve hostnames (maybe via libnfs)? What I'm trying to understand is if this vulnerability can be triggered in LionsOS in any way. I already know musllibc will be vulnerable to many bugs in the future (it is non-verified C code...) and also know the difference between verified and unverified code... My real interest is the robustness of software design, so in a software solution where there are different pieces glued together, some of them very reliable (seL4), some of them very unreliable (musllibc) and other pieces halfway between the reliable and unreliable worlds, how they interact with each other... So, can this musllibc vulnerability be triggered in LionsOS in any way?
Thank you!
On Wednesday, November 27, 2024, Ivan Velickovic via Devel <devel@sel4.systems> wrote:
The musllibc version is quite old yes and so I believe the patch that you link would not be included in the version we pin to. For context, we’ve initially used the musllibc that other seL4 projects used which has not been updated in a long time. That will likely change in the future [1].
The libc has been used for porting off-the-shelf libraries/components such as libnfs and MicroPython which are already considered untrusted. I believe our trusted components such as sDDF virtualisers do not depend on musllibc at all, which is good because we want to be able to verify *all* their code.
Given that musllibc is unverified I’m sure that there are many more vulnerabilities to come!
[1] https://github.com/au-ts/lionsos/issues/48
Ivan