The musllibc version is quite old yes and so I believe the patch that you link would not be included in the version we pin to. For context, we’ve initially used the musllibc that other seL4 projects used which has not been updated in a long time. That will likely change in the future [1].
The libc has been used for porting off-the-shelf libraries/components such as libnfs and MicroPython which are already considered untrusted. I believe our trusted components such as sDDF virtualisers do not depend on musllibc at all, which is good because we want to be able to verify *all* their code. Given that muslibc is unverified I’m sure that there are many more vulnerabilities to come! [1] https://github.com/au-ts/lionsos/issues/48 Ivan _______________________________________________ Devel mailing list -- devel@sel4.systems To unsubscribe send an email to devel-leave@sel4.systems