* [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
@ 2021-09-16 19:47 Armin Kuster
2021-09-16 22:19 ` Bruce Ashfield
0 siblings, 1 reply; 3+ messages in thread
From: Armin Kuster @ 2021-09-16 19:47 UTC
To: meta-virtualization; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Source: https://libvirt.org/git/libvirt.git
MR: 112956
Type: Security Fix
Disposition: Backport from https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
ChangeID: 314727e329e5b1351326737eb9c9232f465db184
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../libvirt/libvirt/CVE-2021-3631.patch | 56 +++++++++++++++++++
recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
2 files changed, 57 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
new file mode 100644
index 0000000..c1fa8c2
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
@@ -0,0 +1,56 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+ a) svirt_t:s0:c117
+ b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3631
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: libvirt-6.1.0/src/security/security_selinux.c
+===================================================================
+--- libvirt-6.1.0.orig/src/security/security_selinux.c
++++ libvirt-6.1.0/src/security/security_selinux.c
+@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
+ VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+
+ if (c1 == c2) {
+- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++ /*
++ * A process can access a file if the set of MCS categories
++ * for the file is equal-to *or* a subset-of, the set of
++ * MCS categories for the process.
++ *
++ * IOW, we must discard case where the categories are equal
++ * because that is a subset of other category pairs.
++ */
++ continue;
+ } else {
+ if (c1 > c2) {
+ int t = c1;
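Review bot: The embedded patch's `Index:` and `---`/`+++` lines name libvirt-6.1.0, while this commit adds the file next to the libvirt_7.2.0.bb recipe; please refresh the patch against the 7.2.0 source, or confirm that the `@@ -391,7 +391,15 @@` hunk in virSecuritySELinuxMCSFind applies there without fuzz, so the record matches what is built. The `Upstream-Status: Backport` line would also be easier to audit with the upstream commit URL beside it; at the moment that URL appears only in the outer commit message. On the logic, the enclosing loop is not visible in the context lines, so it is worth confirming that `continue` in the `c1 == c2` branch goes back to picking a new category pair and that nothing later in the iteration was expected to run.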
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
index 9cf2951..7bc93ff 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://hook_support.py \
file://gnutls-helper.py \
file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
+ file://CVE-2021-3631.patch \
"
SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
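Review bot: The added `file://CVE-2021-3631.patch \` entry is the only trace of this fix in the recipe, and the commit message's `Description:` field is empty. A one- or two-line summary there (a single-category MCS label such as s0:c117 is a subset of pair labels such as s0:c117,c720, so single-category labels are no longer generated) would let someone reading the layer history see what the backport changes without opening the patch file. Placement at the end of SRC_URI, after the Meson 0.58 patch, looks right.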
--
2.25.1
* Re: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
2021-09-16 19:47 [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631 Armin Kuster
@ 2021-09-16 22:19 ` Bruce Ashfield
2021-09-16 23:29 ` Armin Kuster
0 siblings, 1 reply; 3+ messages in thread
From: Bruce Ashfield @ 2021-09-16 22:19 UTC
To: Armin Kuster; +Cc: meta-virtualization, Armin Kuster
Wind River had also submitted this, so I grabbed that patch (since
I was going in order), but I'll grab all your backported ones now.
Bruce
In message: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
on 16/09/2021 Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> Source: https://libvirt.org/git/libvirt.git
> MR: 112956
> Type: Security Fix
> Disposition: Backport from https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
> ChangeID: 314727e329e5b1351326737eb9c9232f465db184
> Description:
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
> .../libvirt/libvirt/CVE-2021-3631.patch | 56 +++++++++++++++++++
> recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
> 2 files changed, 57 insertions(+)
> create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
>
> diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
> new file mode 100644
> index 0000000..c1fa8c2
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
> @@ -0,0 +1,56 @@
> +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
> +Date: Mon, 28 Jun 2021 13:09:04 +0100
> +Subject: [PATCH] security: fix SELinux label generation logic
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +A process can access a file if the set of MCS categories
> +for the file is equal-to *or* a subset-of, the set of
> +MCS categories for the process.
> +
> +If there are two VMs:
> +
> + a) svirt_t:s0:c117
> + b) svirt_t:s0:c117,c720
> +
> +Then VM (b) is able to access files labelled for VM (a).
> +
> +IOW, we must discard case where the categories are equal
> +because that is a subset of many other valid category pairs.
> +
> +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
> +CVE-2021-3631
> +Reviewed-by: Peter Krempa <pkrempa@redhat.com>
> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-3631
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + src/security/security_selinux.c | 10 +++++++++-
> + 1 file changed, 9 insertions(+), 1 deletion(-)
> +
> +Index: libvirt-6.1.0/src/security/security_selinux.c
> +===================================================================
> +--- libvirt-6.1.0.orig/src/security/security_selinux.c
> ++++ libvirt-6.1.0/src/security/security_selinux.c
> +@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
> + VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
> +
> + if (c1 == c2) {
> +- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
> ++ /*
> ++ * A process can access a file if the set of MCS categories
> ++ * for the file is equal-to *or* a subset-of, the set of
> ++ * MCS categories for the process.
> ++ *
> ++ * IOW, we must discard case where the categories are equal
> ++ * because that is a subset of other category pairs.
> ++ */
> ++ continue;
> + } else {
> + if (c1 > c2) {
> + int t = c1;
> diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
> index 9cf2951..7bc93ff 100644
> --- a/recipes-extended/libvirt/libvirt_7.2.0.bb
> +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
> @@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
> file://hook_support.py \
> file://gnutls-helper.py \
> file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
> + file://CVE-2021-3631.patch \
> "
>
> SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
> --
> 2.25.1
>
>
>
>
* Re: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
2021-09-16 22:19 ` Bruce Ashfield
@ 2021-09-16 23:29 ` Armin Kuster
0 siblings, 0 replies; 3+ messages in thread
From: Armin Kuster @ 2021-09-16 23:29 UTC
To: Bruce Ashfield, Armin Kuster; +Cc: meta-virtualization
On 9/16/21 3:19 PM, Bruce Ashfield wrote:
> Wind River had also submitted this,
cool. just doing the master fix first policy, just want to ensure I was
covered for Dunfell in my workflow.
> so I grabbed that patch (since
> I was going in order), but I'll grab all your backported ones now.
thanks,
Armin
>
> Bruce
>
> In message: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
> on 16/09/2021 Armin Kuster wrote:
>
>> From: Armin Kuster <akuster@mvista.com>
>>
>> Source: https://libvirt.org/git/libvirt.git
>> MR: 112956
>> Type: Security Fix
>> Disposition: Backport from https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
>> ChangeID: 314727e329e5b1351326737eb9c9232f465db184
>> Description:
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> ---
>> .../libvirt/libvirt/CVE-2021-3631.patch | 56 +++++++++++++++++++
>> recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
>> 2 files changed, 57 insertions(+)
>> create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
>>
>> diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
>> new file mode 100644
>> index 0000000..c1fa8c2
>> --- /dev/null
>> +++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
>> @@ -0,0 +1,56 @@
>> +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
>> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
>> +Date: Mon, 28 Jun 2021 13:09:04 +0100
>> +Subject: [PATCH] security: fix SELinux label generation logic
>> +MIME-Version: 1.0
>> +Content-Type: text/plain; charset=UTF-8
>> +Content-Transfer-Encoding: 8bit
>> +
>> +A process can access a file if the set of MCS categories
>> +for the file is equal-to *or* a subset-of, the set of
>> +MCS categories for the process.
>> +
>> +If there are two VMs:
>> +
>> + a) svirt_t:s0:c117
>> + b) svirt_t:s0:c117,c720
>> +
>> +Then VM (b) is able to access files labelled for VM (a).
>> +
>> +IOW, we must discard case where the categories are equal
>> +because that is a subset of many other valid category pairs.
>> +
>> +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
>> +CVE-2021-3631
>> +Reviewed-by: Peter Krempa <pkrempa@redhat.com>
>> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>> +
>> +Upstream-Status: Backport
>> +CVE: CVE-2021-3631
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + src/security/security_selinux.c | 10 +++++++++-
>> + 1 file changed, 9 insertions(+), 1 deletion(-)
>> +
>> +Index: libvirt-6.1.0/src/security/security_selinux.c
>> +===================================================================
>> +--- libvirt-6.1.0.orig/src/security/security_selinux.c
>> ++++ libvirt-6.1.0/src/security/security_selinux.c
>> +@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
>> + VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
>> +
>> + if (c1 == c2) {
>> +- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
>> ++ /*
>> ++ * A process can access a file if the set of MCS categories
>> ++ * for the file is equal-to *or* a subset-of, the set of
>> ++ * MCS categories for the process.
>> ++ *
>> ++ * IOW, we must discard case where the categories are equal
>> ++ * because that is a subset of other category pairs.
>> ++ */
>> ++ continue;
>> + } else {
>> + if (c1 > c2) {
>> + int t = c1;
>> diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
>> index 9cf2951..7bc93ff 100644
>> --- a/recipes-extended/libvirt/libvirt_7.2.0.bb
>> +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
>> @@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
>> file://hook_support.py \
>> file://gnutls-helper.py \
>> file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
>> + file://CVE-2021-3631.patch \
>> "
>>
>> SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
>> --
>> 2.25.1
>>
>>
>>