27 Nov
2024
27 Nov
'24
10:14 a.m.
The musllibc version is quite old yes and so I believe the patch that you link would not be included in the version we pin to. For context, we’ve initially used the musllibc that other seL4 projects used which has not been updated in a long time. That will likely change in the future [1]. The libc has been used for porting off-the-shelf libraries/components such as libnfs and MicroPython which are already considered untrusted. I believe our trusted components such as sDDF virtualisers do not depend on musllibc at all, which is good because we want to be able to verify *all* their code. Given that muslibc is unverified I’m sure that there are many more vulnerabilities to come! [1] https://github.com/au-ts/lionsos/issues/48 Ivan