The musllibc version is quite old yes and so I believe the patch that you

in the version we pin to. For context, we’ve initially used the musllibc

Hi Ivan! Ok so now we have confirmation that the musllibc in LionsOS is vulnerable, my question is: does LionsOS use musllibc to resolve hostnames (maybe via libnfs)? What I'm trying to understand is if this vulnerability can be triggered in LionsOS in any way. I already know musllibc will be vulnerable to many bugs in the future (it is non verified C code...) and also know the difference among verified and unverified code... my real interest is the robustness of software design, so in a software solution where there are different pieces glued together, some of them very reliable (seL4) and some of them very unreliable (musllibc) and other pieces half way between realiable-unreliable world, how they interact each other... So, can this musllibc vulnerability be triggered in LionsOS in any way? Thank you! On Wednesday, November 27, 2024, Ivan Velickovic via Devel wrote: link would not be included that other seL4 projects used which

has not been updated in a long time. That will likely change in the future [1].

The libc has been used for porting off-the-shelf libraries/components such as libnfs and MicroPython which are already considered untrusted. I believe our trusted components such as sDDF virtualisers do not depend on musllibc at all, which is good because we want to be able to verify *all* their code.

Given that muslibc is unverified I’m sure that there are many more vulnerabilities to come!

[1] https://github.com/au-ts/lionsos/issues/48

Ivan

_______________________________________________ Devel mailing list -- devel@sel4.systems To unsubscribe send an email to devel-leave@sel4.systems