diff --git a/CVE-2021-36087.patch b/CVE-2021-36087.patch
new file mode 100644
index 0000000..4211fdf
--- /dev/null
+++ b/CVE-2021-36087.patch
@@ -0,0 +1,83 @@
+diff -r -u libsepol-3.2_orig/cil/src/cil_build_ast.c libsepol-3.2/cil/src/cil_build_ast.c
+--- libsepol-3.2_orig/cil/src/cil_build_ast.c 2021-07-21 15:15:01.875585374 +0200
++++ libsepol-3.2/cil/src/cil_build_ast.c 2021-07-21 15:15:10.655704516 +0200
+@@ -50,6 +50,7 @@
+ struct cil_tree_node *ast;
+ struct cil_db *db;
+ struct cil_tree_node *macro;
++ struct cil_tree_node *optional;
+ struct cil_tree_node *boolif;
+ struct cil_tree_node *tunif;
+ struct cil_tree_node *in;
+@@ -6098,6 +6099,7 @@
+ struct cil_db *db = NULL;
+ struct cil_tree_node *ast_node = NULL;
+ struct cil_tree_node *macro = NULL;
++ struct cil_tree_node *optional = NULL;
+ struct cil_tree_node *boolif = NULL;
+ struct cil_tree_node *tunif = NULL;
+ struct cil_tree_node *in = NULL;
+@@ -6143,6 +6145,18 @@
+ }
+ }
+
++ if (optional != NULL) {
++ if (parse_current->data == CIL_KEY_TUNABLE ||
++ parse_current->data == CIL_KEY_IN ||
++ parse_current->data == CIL_KEY_BLOCK ||
++ parse_current->data == CIL_KEY_BLOCKABSTRACT ||
++ parse_current->data == CIL_KEY_MACRO) {
++ rc = SEPOL_ERR;
++ cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data);
++ goto exit;
++ }
++ }
++
+ if (boolif != NULL) {
+ if (parse_current->data != CIL_KEY_CONDTRUE &&
+ parse_current->data != CIL_KEY_CONDFALSE &&
+@@ -6524,6 +6538,19 @@
+ args->macro = NULL;
+ }
+
++ if (ast->flavor == CIL_OPTIONAL) {
++ struct cil_tree_node *n = ast->parent;
++ args->optional = NULL;
++ /* Optionals can be nested */
++ while (n && n->flavor != CIL_ROOT) {
++ if (n->flavor == CIL_OPTIONAL) {
++ args->optional = n;
++ break;
++ }
++ n = n->parent;
++ }
++ }
++
+ if (ast->flavor == CIL_BOOLEANIF) {
+ args->boolif = NULL;
+ }
+@@ -6561,6 +6588,7 @@
+ extra_args.ast = ast;
+ extra_args.db = db;
+ extra_args.macro = NULL;
++ extra_args.optional = NULL;
+ extra_args.boolif = NULL;
+ extra_args.tunif = NULL;
+ extra_args.in = NULL;
+diff -r -u libsepol-3.2_orig/cil/src/cil_resolve_ast.c libsepol-3.2/cil/src/cil_resolve_ast.c
+--- libsepol-3.2_orig/cil/src/cil_resolve_ast.c 2021-07-21 15:15:01.879585428 +0200
++++ libsepol-3.2/cil/src/cil_resolve_ast.c 2021-07-21 15:15:15.559771063 +0200
+@@ -3788,8 +3788,11 @@
+ }
+
+ if (optstack != NULL) {
+- if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
+- /* tuanbles and macros are not allowed in optionals*/
++ if (node->flavor == CIL_TUNABLE ||
++ node->flavor == CIL_IN ||
++ node->flavor == CIL_BLOCK ||
++ node->flavor == CIL_BLOCKABSTRACT ||
++ node->flavor == CIL_MACRO) {
+ cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
+ rc = SEPOL_ERR;
+ goto exit;
diff --git a/libsepol.changes b/libsepol.changes
index af60787..184b49a 100644
--- a/libsepol.changes
+++ b/libsepol.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jul 21 13:16:54 UTC 2021 - Johannes Segitz
+
+- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928.
+ Added CVE-2021-36087.patch
+
 -------------------------------------------------------------------
 Mon Jul 5 11:31:07 UTC 2021 - Johannes Segitz
diff --git a/libsepol.spec b/libsepol.spec
index e24d788..f9b26f3 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -30,6 +30,7 @@ Source2: baselibs.conf
 # all upstream, remove in next version
 Patch0: CVE-2021-36085.patch
 Patch1: CVE-2021-36086.patch
+Patch2: CVE-2021-36087.patch
 BuildRequires: flex
 BuildRequires: pkgconfig
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -91,7 +92,9 @@ policies.
 %prep
 %setup -q
-%autopatch -p2
+%patch0 -p2
+%patch1 -p2
+%patch2 -p1
 %build
 %define _lto_cflags %{nil}
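Review bot: The build-pass rejection added in the `@@ -6143,6 +6145,18 @@` hunk of cil_build_ast.c looks dead as this backport stands: the local `optional` is introduced as `struct cil_tree_node *optional = NULL;` in the `@@ -6098` hunk and no hunk of the patch assigns it afterwards, so `if (optional != NULL)` can never be true (the unpatched lines between the two hunks cannot reference a variable that did not exist before the patch). Likewise `args->optional` is only ever cleared (in the `@@ -6524` hunk and in `cil_build_ast`) and never set to the optional node being entered, so nested-optional tracking has nothing to track. The missing pieces, presumably next to the existing `macro` handling that is outside the hunk, would be `optional = args->optional;` where the other locals are loaded from `args`, and `if (ast_node->flavor == CIL_OPTIONAL) { args->optional = ast_node; }` after the new node is created; please compare this backport against the upstream fix for CVE-2021-36087 for those hunks. As shipped, only the cil_resolve_ast.c `optstack` check is effective, which may still suffice for the reported over-read but leaves the CIL builder accepting what the resolver later rejects; the enclosing functions start and end outside the hunk.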