* libsepol CVE patch issue
@ 2021-07-23 15:42 Garrett Tucker
2021-07-23 17:18 ` James Carter
0 siblings, 1 reply; 3+ messages in thread
From: Garrett Tucker @ 2021-07-23 15:42 UTC (permalink / raw)
To: selinux
Hi everyone, I'm a product security engineer at Red Hat and we noticed
that libsepol CVE-2021-36087 was assigned, and marked as resolved
within the OSS-Fuzz project. The patch info provided for the CVE
appears to be wrong, and after looking into the provided commits and
commit ranges, these seem to be the wrong commits and commit ranges
for this CVE.
Would anyone be able to confirm if there is a fix for this CVE, and if
so, point us towards the correct patch for this.
All the best,
Garrett
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: libsepol CVE patch issue
2021-07-23 15:42 libsepol CVE patch issue Garrett Tucker
@ 2021-07-23 17:18 ` James Carter
2021-07-23 17:32 ` Garrett Tucker
0 siblings, 1 reply; 3+ messages in thread
From: James Carter @ 2021-07-23 17:18 UTC (permalink / raw)
To: Garrett Tucker; +Cc: SElinux list
On Fri, Jul 23, 2021 at 11:43 AM Garrett Tucker <gtucker@redhat.com> wrote:
>
> Hi everyone, I'm a product security engineer at Red Hat and we noticed
> that libsepol CVE-2021-36087 was assigned, and marked as resolved
> within the OSS-Fuzz project. The patch info provided for the CVE
> appears to be wrong, and after looking into the provided commits and
> commit ranges, these seem to be the wrong commits and commit ranges
> for this CVE.
>
> Would anyone be able to confirm if there is a fix for this CVE, and if
> so, point us towards the correct patch for this.
>
It is very hard to figure out what is going on in the policy provided
by the fuzzer. The best I can figure out is that the problem was
caused by something in an optional block that had been disabled and
deleted being referred to outside of the optional block. Removing all
of the optional blocks that are going to be disabled anyway eliminates
the problem, so that seems to confirm that idea.
This commit prevents that whole class of bugs from occurring.
340f0eb7f3673e8aacaf0a96cbfcd4d12a405521
libsepol/cil: Check for statements not allowed in optional blocks
The problem is definitely there before this patch. After this patch an
error is produced because a block is declared in an optional.
I hope that helps,
Jim
> All the best,
>
> Garrett
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: libsepol CVE patch issue
2021-07-23 17:18 ` James Carter
@ 2021-07-23 17:32 ` Garrett Tucker
0 siblings, 0 replies; 3+ messages in thread
From: Garrett Tucker @ 2021-07-23 17:32 UTC (permalink / raw)
To: James Carter; +Cc: SElinux list
Thanks for the detailed explanation Jim, that definitely helps clear
things up on our end.
All the best,
Garrett
On Fri, Jul 23, 2021 at 1:18 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Fri, Jul 23, 2021 at 11:43 AM Garrett Tucker <gtucker@redhat.com> wrote:
> >
> > Hi everyone, I'm a product security engineer at Red Hat and we noticed
> > that libsepol CVE-2021-36087 was assigned, and marked as resolved
> > within the OSS-Fuzz project. The patch info provided for the CVE
> > appears to be wrong, and after looking into the provided commits and
> > commit ranges, these seem to be the wrong commits and commit ranges
> > for this CVE.
> >
> > Would anyone be able to confirm if there is a fix for this CVE, and if
> > so, point us towards the correct patch for this.
> >
>
> It is very hard to figure out what is going on in the policy provided
> by the fuzzer. The best I can figure out is that the problem was
> caused by something in an optional block that had been disabled and
> deleted being referred to outside of the optional block. Removing all
> of the optional blocks that are going to be disabled anyway eliminates
> the problem, so that seems to confirm that idea.
>
> This commit prevents that whole class of bugs from occurring.
> 340f0eb7f3673e8aacaf0a96cbfcd4d12a405521
> libsepol/cil: Check for statements not allowed in optional blocks
>
> The problem is definitely there before this patch. After this patch an
> error is produced because a block is declared in an optional.
>
> I hope that helps,
> Jim
>
>
> > All the best,
> >
> > Garrett
> >
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-07-23 17:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-23 15:42 libsepol CVE patch issue Garrett Tucker
2021-07-23 17:18 ` James Carter
2021-07-23 17:32 ` Garrett Tucker
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).