CVE-2018-1000660

Name of the Vulnerable Software and Affected Versions TOCK versions prior to commit 42f7f36e74088036068d62253e1d8fb26605feed

Description The issue is related to Insecure Permissions in the get package name function, located in the file kernel/src/tbfheader.rs. Specifically, the variable pub package name: &'static str in the file process.rs is involved. This can allow a TOCK capsule (untrusted driver) to access arbitrary memory using only safe code.

Recommendations For versions prior to commit 42f7f36e74088036068d62253e1d8fb26605feed, update to a version that includes the fix from commit 42f7f36e74088036068d62253e1d8fb26605feed to resolve the issue. As a temporary workaround, consider restricting access to the get package name function in the kernel/src/tbfheader.rs file until the update is applied.