Accepting request 1186963 from security:SELinux

OBS-URL: https://build.opensuse.org/request/show/1186963
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=79

libselinux-3.6.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ba4e0ef34b270e7672a5e5f1b523fe2beab3a40bb33d9389f4ad3a8728f21b52
-size 194210

libselinux-3.6.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmV5xAIACgkQRpWIHCVF
-CNEkQw/9Go6DkB41CAdTC/DV30zM4fUT18aQR9GzbI2TWNv0akNpu6RSyGY0zW5c
-8xouAroaPovAMyZ4blIxxO3lOobuAl/wNgx47U0NMVMafFciHJXs/jBpfJkhOxiC
-fywHmXlY1k+zKfyMuOOWisNv5dbw/ldJWnY+PdGN6POgvriR0/AHTjYmsk76s0PF
-vpI8/ZNNqiSb+UyMVWO9ffZSJO2OufLajwIeg+RoNPXhaUZvYQzRCIJm0VwK5XTq
-fBdNFNDEA8TapmGQO8UBJpZXCodXvYzUxwFCoa7255cBRnvQJPSrCCZLbCnMjV+j
-0VhhhcFbhVytUYHTV67WvTbs7uqrmb1HUHUT6TuCGhUnZ36g2OYNMXwqi41zzHIf
-9e1ok0rGfCjRb/fJrgEsHRaWo8HT6/jIVdtib13/jzpZttX5sgGv7WoeZcj1413r
-cJmihECqxPV1+wWghnQEnGcE2XspXTueL4mzV7MqJDu8lu3itOdFxpOz4aMw4HbD
-sd7Ew8zEQcyAStH9Obx9p/ri73iR9+lQgxszqAm24jemrC4FBwlhbb43RqulCafb
-ieeH+1c9F8mc+R6BKvcE76Luiycy7Hm5ASUKANMWwxe6/hv1q9p3l4wKXWlkZXj7
-3kBhKP+Rua+be4g1TScIUwGscpVogSN2e3AqBb7dgHt3b6Ik3U4=
-=OnpU
------END PGP SIGNATURE-----

libselinux-3.7.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea03f42d13a4f95757997dba8cf0b26321fac5d2f164418b4cc856a92d2b17bd
+size 194834

libselinux-3.7.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmZ8NeAACgkQRpWIHCVF
+CNF3fA//Ypv/FVd6BDBmpZkWqui1kHUFv+TSKGfuObrOPfX8RXVnO4GWUKjnwJZF
+u5FWu5lXZGPFGLKyZJD+OPAGofC5GGApr175eBlxqokhfj7UfZMrdK8ARUgQTuIE
+QEh4LGR/7gzpc/HY8YL7rbzeAlXsFtuZoSlUfmyNs2tmXiOJ9dBQVxic91Q282Lr
+Y2CLv1fAlOUT3h7fw3+YfBGALdn3CMrOJvr1npEcfnXHxAN/w4OKNAKQIcoAjZCw
+w4EGA1FyvaT+hSOQZDzMBpYheSXCBxPg4OEIWNxge6jP/+J/mHqx1QHrDERa9vwA
+Qpd01uI5C7LthMNc2INy1m5jrSBL7/5yjboj8O+53JSDLRH/8j2ykMXBvvje5y+Z
+8optL/C7VEawaRWGVm4TCwm6adF28T2NoGWYnNymVLWc7oe/p7QpYxtNMDieeVAy
+bnl9OX8S1VoDo4momyG9Ya4d9fAKCvaN+LIPeyYB6qqrmMCAzAU3J25vzLElXA+1
+fNhFrQFuKt455OFy8LB94abWuwBTa/f+HkU6++6Ksr5B1ZBKsluCYVWONUHMLwDF
+ZN6SHwBq37v3sz+4i+Cy0K0uYA6DQanB8yQYC98rwUtatqaTajIUCKyxJO3GIX4R
+lBPwCC2/T1jOTG8u8jT5KcWFtETbjfSCePjdnhi67totbc1kST8=
+=eK5w
+-----END PGP SIGNATURE-----

libselinux-bindings.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Mon Jul  1 07:53:14 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Update to version 3.7
+  https://github.com/SELinuxProject/selinux/releases/tag/3.7
+  * User-visible changes
+    * libselinux/utils/selabel_digest: drop unsupported option -d
+    * libselinux/utils: improve compute_av output
+    * libselinux: fail selabel_open(3) on invalid option
+    * Improved man pages
+  * Improvements
+    * libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
+    * libselinux: enable usage with pedantic UB sanitizers
+    * libselinux: support huge passwd/group entries
+  * Bugfixes:
+    * libselinux/utils/selabel_digest: avoid buffer overflow
+    * libselinux: avoid pointer dereference before check
+    * libselinux/utils/selabel_digest: pass BASEONLY only for file backend
+    * libselinux: free empty scandir(3) result
+    * libselinux: free data on selabel open failure
+    * libselinux: use reentrant strtok_r(3)
+
 -------------------------------------------------------------------
 Wed Jan  3 09:36:44 UTC 2024 - Ben Greiner <code@bnavigator.de>
 

libselinux-bindings.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libselinux-bindings
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,10 +18,10 @@
 
 %{?sle15allpythons}
 %define python_subpackage_only 1
-%define libsepol_ver 3.6
+%define libsepol_ver 3.7
 %define upname libselinux
 Name:           libselinux-bindings
-Version:        3.6
+Version:        3.7
 Release:        0
 Summary:        SELinux runtime library and utilities
 License:        SUSE-Public-Domain

libselinux-set-free-d-data-to-NULL.patch

@@ -0,0 +1,48 @@
+Index: libselinux-3.7/src/label_backends_android.c
+===================================================================
+--- libselinux-3.7.orig/src/label_backends_android.c
++++ libselinux-3.7/src/label_backends_android.c
+@@ -260,6 +260,7 @@ static void closef(struct selabel_handle
+ 		free(data->spec_arr);
+ 
+ 	free(data);
++	rec->data = NULL;
+ }
+ 
+ static struct selabel_lookup_rec *property_lookup(struct selabel_handle *rec,
+Index: libselinux-3.7/src/label_file.c
+===================================================================
+--- libselinux-3.7.orig/src/label_file.c
++++ libselinux-3.7/src/label_file.c
+@@ -942,6 +942,7 @@ static void closef(struct selabel_handle
+ 		free(last_area);
+ 	}
+ 	free(data);
++	rec->data = NULL;
+ }
+ 
+ // Finds all the matches of |key| in the given context. Returns the result in
+Index: libselinux-3.7/src/label_media.c
+===================================================================
+--- libselinux-3.7.orig/src/label_media.c
++++ libselinux-3.7/src/label_media.c
+@@ -183,6 +183,7 @@ static void close(struct selabel_handle
+ 	    free(spec_arr);
+ 
+ 	free(data);
++	rec->data = NULL;
+ }
+ 
+ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
+Index: libselinux-3.7/src/label_x.c
+===================================================================
+--- libselinux-3.7.orig/src/label_x.c
++++ libselinux-3.7/src/label_x.c
+@@ -210,6 +210,7 @@ static void close(struct selabel_handle
+ 	    free(spec_arr);
+ 
+ 	free(data);
++	rec->data = NULL;
+ }
+ 
+ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,

libselinux.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Thu Jul 11 19:47:41 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Fix segfault caused by upstream changes in selabel_open():
+  libselinux-set-free-d-data-to-NULL.patch 
+  Can be removed once it is upstream.
+
+-------------------------------------------------------------------
+Mon Jul  1 07:53:14 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Update to version 3.7
+  https://github.com/SELinuxProject/selinux/releases/tag/3.7
+  * User-visible changes
+    * libselinux/utils/selabel_digest: drop unsupported option -d
+    * libselinux/utils: improve compute_av output
+    * libselinux: fail selabel_open(3) on invalid option
+    * Improved man pages
+  * Improvements
+    * libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
+    * libselinux: enable usage with pedantic UB sanitizers
+    * libselinux: support huge passwd/group entries
+  * Bugfixes:
+    * libselinux/utils/selabel_digest: avoid buffer overflow
+    * libselinux: avoid pointer dereference before check
+    * libselinux/utils/selabel_digest: pass BASEONLY only for file backend
+    * libselinux: free empty scandir(3) result
+    * libselinux: free data on selabel open failure
+    * libselinux: use reentrant strtok_r(3)
+
 -------------------------------------------------------------------
 Tue Dec 19 11:04:55 UTC 2023 - Cathy Hu <cathy.hu@suse.com>
 

libselinux.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libselinux
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,9 @@
 #
 
 
-%define libsepol_ver 3.6
+%define libsepol_ver 3.7
 Name:           libselinux
-Version:        3.6
+Version:        3.7
 Release:        0
 Summary:        SELinux runtime library and utilities
 License:        SUSE-Public-Domain
@@ -36,6 +36,9 @@ Patch5:         skip_cycles.patch
 # Make linking working even when default pkg-config doesn’t provide -lpython<ver>
 Patch6:         python3.8-compat.patch
 Patch7:         swig4_moduleimport.patch
+# Fixes segfault in 3.7, please remove once this is upstream:
+# https://lore.kernel.org/selinux/CAP+JOzQCu0srfss921Ew42oHxsaqRYGiTs56_h9j2Yfw0cYGjg@mail.gmail.com/T/#t
+Patch8:         libselinux-set-free-d-data-to-NULL.patch
 BuildRequires:  fdupes
 BuildRequires:  libsepol-devel >= %{libsepol_ver}
 BuildRequires:  libsepol-devel-static >= %{libsepol_ver}