On 9/16/21 3:19 PM, Bruce Ashfield wrote:
> Wind River had also submitted this,

Cool. Just doing the master fix first policy, just want to ensure I was covered for Dunfell in my workflow.

> so I grabbed that patch (since > I was going in order), but I'll grab all your backported ones now. thanks, Armin > > Bruce > > In message: [meta-virtualization][PATCH] libvirt: Security fix for > CVE-2021-3631 > on 16/09/2021 Armin Kuster wrote: > >> From: Armin Kuster <[email protected]> >> >> Source: https://libvirt.org/git/libvirt.git >> MR: 112956 >> Type: Security Fix >> Disposition: Backport from >> https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2 >> ChangeID: 314727e329e5b1351326737eb9c9232f465db184 >> Description: >> >> Signed-off-by: Armin Kuster <[email protected]> >> --- >> .../libvirt/libvirt/CVE-2021-3631.patch | 56 +++++++++++++++++++ >> recipes-extended/libvirt/libvirt_7.2.0.bb | 1 + >> 2 files changed, 57 insertions(+) >> create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch >> >> diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch >> b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch >> new file mode 100644 >> index 0000000..c1fa8c2 >> --- /dev/null >> +++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch 
>> @@ -0,0 +1,56 @@ >> +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <[email protected]> >> +Date: Mon, 28 Jun 2021 13:09:04 +0100 >> +Subject: [PATCH] security: fix SELinux label generation logic >> +MIME-Version: 1.0 >> +Content-Type: text/plain; charset=UTF-8 >> +Content-Transfer-Encoding: 8bit >> + >> +A process can access a file if the set of MCS categories >> +for the file is equal-to *or* a subset-of, the set of >> +MCS categories for the process. >> + >> +If there are two VMs: >> + >> + a) svirt_t:s0:c117 >> + b) svirt_t:s0:c117,c720 >> + >> +Then VM (b) is able to access files labelled for VM (a). >> + >> +IOW, we must discard case where the categories are equal >> +because that is a subset of many other valid category pairs. >> + >> +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153 >> +CVE-2021-3631 >> +Reviewed-by: Peter Krempa <[email protected]> >> +Signed-off-by: Daniel P. Berrangé <[email protected]> >> + >> +Upstream-Status: Backport >> +CVE: CVE-2021-3631 >> +Signed-off-by: Armin Kuster <[email protected]> >> + >> +--- >> + src/security/security_selinux.c | 10 +++++++++- >> + 1 file changed, 9 insertions(+), 1 deletion(-) >> + >> +Index: libvirt-6.1.0/src/security/security_selinux.c >> +=================================================================== >> +--- libvirt-6.1.0.orig/src/security/security_selinux.c >> ++++ libvirt-6.1.0/src/security/security_selinux.c >> +@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan >> + VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin); >> + >> + if (c1 == c2) { >> +- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1); >> ++ /* >> ++ * A process can access a file if the set of MCS categories >> ++ * for the file is equal-to *or* a subset-of, the set of >> ++ * MCS categories for the process. 
>> ++ * >> ++ * IOW, we must discard case where the categories are equal >> ++ * because that is a subset of other category pairs. >> ++ */ >> ++ continue; >> + } else { >> + if (c1 > c2) { >> + int t = c1; >> diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb >> b/recipes-extended/libvirt/libvirt_7.2.0.bb >> index 9cf2951..7bc93ff 100644 >> --- a/recipes-extended/libvirt/libvirt_7.2.0.bb >> +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb >> @@ -29,6 +29,7 @@ SRC_URI = >> "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ >> file://hook_support.py \ >> file://gnutls-helper.py \ >> file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \ >> + file://CVE-2021-3631.patch \ >> " >> >> SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3" >> -- >> 2.25.1 >> >> >>
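Review bot: The "Description:" field of the commit message is empty, and it should record what the security_selinux.c change at `if (c1 == c2)` does not cover. The hunk only makes virSecuritySELinuxMCSFind skip single-category candidates with `continue` when it picks a new label; nothing in the visible lines touches labels that were already assigned, such as the `svirt_t:s0:c117` case from the upstream message. Stating that in the description lets integrators decide whether existing guests need attention after the update. Minor: `Upstream-Status: Backport` in the embedded patch could carry the upstream commit URL in brackets, since that URL is already given on the Disposition line.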
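Review bot: The SRC_URI addition in libvirt_7.2.0.bb points at a patch whose own headers read `Index: libvirt-6.1.0/src/security/security_selinux.c` with a hunk offset of `@@ -391,7 +391,15 @@`, so the file looks like it was refreshed against a 6.1.0 tree rather than 7.2.0. Please confirm that do_patch applies it to 7.2.0 without fuzz or offset warnings, and refresh the patch against the 7.2.0 sources if it does not. The entry will also need dropping once the recipe moves to a libvirt release that already contains upstream commit 15073504dbb624d3f6c911e85557019d3620fdb2.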
