The musllibc version is quite old, yes, and so I believe the patch that you
link would not be included in the version we pin to. For context, we’ve
initially used the musllibc that other seL4 projects used, which has not
been updated in a long time. That will likely change in the future [1].

The libc has been used for porting off-the-shelf libraries/components such
as libnfs and MicroPython which are already considered untrusted. I believe
our trusted components such as sDDF virtualisers do not depend on musllibc
at all, which is good because we want to be able to verify *all* their code.

Given that musllibc is unverified, I’m sure that there are many more
vulnerabilities to come!

[1] https://github.com/au-ts/lionsos/issues/48

Ivan

_______________________________________________
Devel mailing list -- devel@sel4.systems
To unsubscribe send an email to devel-leave@sel4.systems
