From: "Bruce Ashfield" <bruce.ashfield@gmail.com>
To: Armin Kuster <akuster808@gmail.com>
Cc: meta-virtualization@lists.yoctoproject.org,
Armin Kuster <akuster@mvista.com>
Subject: Re: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
Date: Thu, 16 Sep 2021 18:19:17 -0400 [thread overview]
Message-ID: <20210916221916.GC25504@gmail.com> (raw)
In-Reply-To: <20210916194711.759443-1-akuster808@gmail.com>
Wind River had also submitted this, so I grabbed that patch (since
I was going in order), but I'll grab all your backported ones now.
Bruce
In message: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
on 16/09/2021 Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> Source: https://libvirt.org/git/libvirt.git
> MR: 112956
> Type: Security Fix
> Disposition: Backport from https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
> ChangeID: 314727e329e5b1351326737eb9c9232f465db184
> Description:
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
> .../libvirt/libvirt/CVE-2021-3631.patch | 56 +++++++++++++++++++
> recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
> 2 files changed, 57 insertions(+)
> create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
>
> diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
> new file mode 100644
> index 0000000..c1fa8c2
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
> @@ -0,0 +1,56 @@
> +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
> +Date: Mon, 28 Jun 2021 13:09:04 +0100
> +Subject: [PATCH] security: fix SELinux label generation logic
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +A process can access a file if the set of MCS categories
> +for the file is equal-to *or* a subset-of, the set of
> +MCS categories for the process.
> +
> +If there are two VMs:
> +
> + a) svirt_t:s0:c117
> + b) svirt_t:s0:c117,c720
> +
> +Then VM (b) is able to access files labelled for VM (a).
> +
> +IOW, we must discard case where the categories are equal
> +because that is a subset of many other valid category pairs.
> +
> +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
> +CVE-2021-3631
> +Reviewed-by: Peter Krempa <pkrempa@redhat.com>
> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-3631
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + src/security/security_selinux.c | 10 +++++++++-
> + 1 file changed, 9 insertions(+), 1 deletion(-)
> +
> +Index: libvirt-6.1.0/src/security/security_selinux.c
> +===================================================================
> +--- libvirt-6.1.0.orig/src/security/security_selinux.c
> ++++ libvirt-6.1.0/src/security/security_selinux.c
> +@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
> + VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
> +
> + if (c1 == c2) {
> +- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
> ++ /*
> ++ * A process can access a file if the set of MCS categories
> ++ * for the file is equal-to *or* a subset-of, the set of
> ++ * MCS categories for the process.
> ++ *
> ++ * IOW, we must discard case where the categories are equal
> ++ * because that is a subset of other category pairs.
> ++ */
> ++ continue;
> + } else {
> + if (c1 > c2) {
> + int t = c1;
> diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
> index 9cf2951..7bc93ff 100644
> --- a/recipes-extended/libvirt/libvirt_7.2.0.bb
> +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
> @@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
> file://hook_support.py \
> file://gnutls-helper.py \
> file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
> + file://CVE-2021-3631.patch \
> "
>
> SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
> --
> 2.25.1
>
>
>
>
next prev parent reply other threads:[~2021-09-16 22:19 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-16 19:47 [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631 Armin Kuster
2021-09-16 22:19 ` Bruce Ashfield [this message]
2021-09-16 23:29 ` Armin Kuster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210916221916.GC25504@gmail.com \
--to=bruce.ashfield@gmail.com \
--cc=akuster808@gmail.com \
--cc=akuster@mvista.com \
--cc=meta-virtualization@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.