Accepting request 930930 from home:jsegitz:branches:security:SELinux

- Update to version 3.3 * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch are all included * Lot of smaller fixes identified by fuzzing OBS-URL: https://build.opensuse.org/request/show/930930 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libsepol?expand=0&rev=89
2021-11-11 16:01:43 +00:00 · 2021-11-11 16:01:43 +00:00 · 673aa21af7
commit 673aa21af7
parent dbf4cf0499
7 changed files with 12 additions and 166 deletions
--- a/CVE-2021-36085.patch
+++ b/CVE-2021-36085.patch
@ -1,33 +0,0 @@
-From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Thu, 8 Apr 2021 13:32:04 -0400
-Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
-
-Map perms share the same struct as regular perms, but only the
-map perms use the classperms field. This field is a pointer to a
-list of classperms that is created and added to when resolving
-classmapping rules, so the map permission doesn't own any of the
-data in the list and this list should be destroyed when the AST is
-reset.
-
-When resetting a perm, destroy the classperms list without destroying
-the data in the list.
-
-Signed-off-by: James Carter <jwcart2@gmail.com>
---
- libsepol/cil/src/cil_reset_ast.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
-===================================================================
--- libsepol.orig/libsepol-3.2/cil/src/cil_reset_ast.c
-+++ libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
-@@ -36,7 +36,7 @@ static void cil_reset_class(struct cil_c
- 
- static void cil_reset_perm(struct cil_perm *perm)
- {
-	cil_reset_classperms_list(perm->classperms);
-+	cil_list_destroy(&perm->classperms, CIL_FALSE);
- }
- 
- static inline void cil_reset_classperms(struct cil_classperms *cp)
--- a/CVE-2021-36086.patch
+++ b/CVE-2021-36086.patch
@ -1,39 +0,0 @@
-From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Thu, 8 Apr 2021 13:32:06 -0400
-Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
- classpermission
-
-In struct cil_classperms_set, the set field is a pointer to a
-struct cil_classpermission which is looked up in the symbol table.
-Since the cil_classperms_set does not create the cil_classpermission,
-it should not reset it.
-
-Set the set field to NULL instead of resetting the classpermission
-that it points to.
-
-Signed-off-by: James Carter <jwcart2@gmail.com>
---
- libsepol/cil/src/cil_reset_ast.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
-index 89f91e56..1d9ca704 100644
--- a/libsepol/cil/src/cil_reset_ast.c
-+++ b/libsepol/cil/src/cil_reset_ast.c
-@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
- 
- static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
- {
-	cil_reset_classpermission(cp_set->set);
-+	if (cp_set == NULL) {
-+		return;
-+	}
-+
-+	cp_set->set = NULL;
- }
- 
- static inline void cil_reset_classperms_list(struct cil_list *cp_list)
-- 
-2.26.2
-
--- a/CVE-2021-36087.patch
+++ b/CVE-2021-36087.patch
@ -1,83 +0,0 @@
-diff -r -u libsepol-3.2_orig/cil/src/cil_build_ast.c libsepol-3.2/cil/src/cil_build_ast.c
--- libsepol-3.2_orig/cil/src/cil_build_ast.c	2021-07-21 15:15:01.875585374 +0200
-+++ libsepol-3.2/cil/src/cil_build_ast.c	2021-07-21 15:15:10.655704516 +0200
-@@ -50,6 +50,7 @@
- 	struct cil_tree_node *ast;
- 	struct cil_db *db;
- 	struct cil_tree_node *macro;
-+	struct cil_tree_node *optional;
- 	struct cil_tree_node *boolif;
- 	struct cil_tree_node *tunif;
- 	struct cil_tree_node *in;
-@@ -6098,6 +6099,7 @@
- 	struct cil_db *db = NULL;
- 	struct cil_tree_node *ast_node = NULL;
- 	struct cil_tree_node *macro = NULL;
-+	struct cil_tree_node *optional = NULL;
- 	struct cil_tree_node *boolif = NULL;
- 	struct cil_tree_node *tunif = NULL;
- 	struct cil_tree_node *in = NULL;
-@@ -6143,6 +6145,18 @@
- 		}
- 	}
- 
-+	if (optional != NULL) {
-+		if (parse_current->data == CIL_KEY_TUNABLE ||
-+			parse_current->data == CIL_KEY_IN ||
-+			parse_current->data == CIL_KEY_BLOCK ||
-+			parse_current->data == CIL_KEY_BLOCKABSTRACT ||
-+			parse_current->data == CIL_KEY_MACRO) {
-+			rc = SEPOL_ERR;
-+			cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data);
-+			goto exit;
-+		}
-+	}
-+
- 	if (boolif != NULL) {
- 		if (parse_current->data != CIL_KEY_CONDTRUE &&
- 			parse_current->data != CIL_KEY_CONDFALSE &&
-@@ -6524,6 +6538,19 @@
- 		args->macro = NULL;
- 	}
- 
-+	if (ast->flavor == CIL_OPTIONAL) {
-+		struct cil_tree_node *n = ast->parent;
-+		args->optional = NULL;
-+		/* Optionals can be nested */
-+		while (n && n->flavor != CIL_ROOT) {
-+			if (n->flavor == CIL_OPTIONAL) {
-+				args->optional = n;
-+				break;
-+			}
-+			n = n->parent;
-+		}
-+	}
-+
- 	if (ast->flavor == CIL_BOOLEANIF) {
- 		args->boolif = NULL;
- 	}
-@@ -6561,6 +6588,7 @@
- 	extra_args.ast = ast;
- 	extra_args.db = db;
- 	extra_args.macro = NULL;
-+	extra_args.optional = NULL;
- 	extra_args.boolif = NULL;
- 	extra_args.tunif = NULL;
- 	extra_args.in = NULL;
-diff -r -u libsepol-3.2_orig/cil/src/cil_resolve_ast.c libsepol-3.2/cil/src/cil_resolve_ast.c
--- libsepol-3.2_orig/cil/src/cil_resolve_ast.c	2021-07-21 15:15:01.879585428 +0200
-+++ libsepol-3.2/cil/src/cil_resolve_ast.c	2021-07-21 15:15:15.559771063 +0200
-@@ -3788,8 +3788,11 @@
- 	}
- 
- 	if (optstack != NULL) {
-		if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
-			/* tuanbles and macros are not allowed in optionals*/
-+ 		if (node->flavor == CIL_TUNABLE ||
-+			node->flavor == CIL_IN ||
-+			node->flavor == CIL_BLOCK ||
-+			node->flavor == CIL_BLOCKABSTRACT ||
-+ 		    node->flavor == CIL_MACRO) {
- 			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
- 			rc = SEPOL_ERR;
- 			goto exit;
--- a/libsepol-3.2.tar.gz
+++ b/libsepol-3.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dfc7f662af8000116e56a01de6a0394ed79be1b34b999e551346233c5dd19508
-size 477749
--- a/libsepol-3.3.tar.gz
+++ b/libsepol-3.3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2d97df3eb8466169b389c3660acbb90c54200ac96e452eca9f41a9639f4f238b
+size 482546
--- a/libsepol.changes
+++ b/libsepol.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Nov 11 13:28:14 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 3.3
+  * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch
+    are all included
+  * Lot of smaller fixes identified by fuzzing
+
 -------------------------------------------------------------------
 Wed Jul 21 13:16:54 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

--- a/libsepol.spec
+++ b/libsepol.spec
@ -19,7 +19,7 @@
 %define libname libsepol2

 Name:           libsepol
-Version:        3.2
+Version:        3.3
 Release:        0
 Summary:        SELinux binary policy manipulation library
 License:        LGPL-2.1-or-later
@ -27,10 +27,6 @@ Group:          Development/Libraries/C and C++
 URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
 Source:         https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source2:        baselibs.conf
-# all upstream, remove in next version
-Patch0:         CVE-2021-36085.patch
-Patch1:         CVE-2021-36086.patch
-Patch2:         CVE-2021-36087.patch
 BuildRequires:  flex
 BuildRequires:  pkgconfig
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -92,9 +88,6 @@ policies.

 %prep
 %setup -q
-%patch0 -p2
-%patch1 -p2
-%patch2 -p1

 %build
 %define _lto_cflags %{nil}