[meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631

[meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

Source: https://libvirt.org/git/libvirt.git
MR: 112956
Type: Security Fix
Disposition: Backport from https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
ChangeID: 314727e329e5b1351326737eb9c9232f465db184
Description:

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../libvirt/libvirt/CVE-2021-3631.patch       | 56 +++++++++++++++++++
 recipes-extended/libvirt/libvirt_7.2.0.bb     |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch

diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
new file mode 100644
index 0000000..c1fa8c2
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
@@ -0,0 +1,56 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3631
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: libvirt-6.1.0/src/security/security_selinux.c
+===================================================================
+--- libvirt-6.1.0.orig/src/security/security_selinux.c
++++ libvirt-6.1.0/src/security/security_selinux.c
+@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++            /*
++             * A process can access a file if the set of MCS categories
++             * for the file is equal-to *or* a subset-of, the set of
++             * MCS categories for the process.
++             *
++             * IOW, we must discard case where the categories are equal
++             * because that is a subset of other category pairs.
++             */
++            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
index 9cf2951..7bc93ff 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
            file://hook_support.py \
            file://gnutls-helper.py \
            file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
+           file://CVE-2021-3631.patch \
           "
 
 SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
-- 
2.25.1

Re: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631

[Bruce Ashfield]

Wind River had also submitted this, so I grabbed that patch (since
I was going in order), but I'll grab all your backported ones now.

Bruce

In message: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
on 16/09/2021 Armin Kuster wrote:

> From: Armin Kuster <akuster@mvista.com>
> 
> Source: https://libvirt.org/git/libvirt.git
> MR: 112956
> Type: Security Fix
> Disposition: Backport from https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
> ChangeID: 314727e329e5b1351326737eb9c9232f465db184
> Description:
> 
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>  .../libvirt/libvirt/CVE-2021-3631.patch       | 56 +++++++++++++++++++
>  recipes-extended/libvirt/libvirt_7.2.0.bb     |  1 +
>  2 files changed, 57 insertions(+)
>  create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
> 
> diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
> new file mode 100644
> index 0000000..c1fa8c2
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
> @@ -0,0 +1,56 @@
> +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
> +Date: Mon, 28 Jun 2021 13:09:04 +0100
> +Subject: [PATCH] security: fix SELinux label generation logic
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +A process can access a file if the set of MCS categories
> +for the file is equal-to *or* a subset-of, the set of
> +MCS categories for the process.
> +
> +If there are two VMs:
> +
> +  a) svirt_t:s0:c117
> +  b) svirt_t:s0:c117,c720
> +
> +Then VM (b) is able to access files labelled for VM (a).
> +
> +IOW, we must discard case where the categories are equal
> +because that is a subset of many other valid category pairs.
> +
> +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
> +CVE-2021-3631
> +Reviewed-by: Peter Krempa <pkrempa@redhat.com>
> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-3631
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + src/security/security_selinux.c | 10 +++++++++-
> + 1 file changed, 9 insertions(+), 1 deletion(-)
> +
> +Index: libvirt-6.1.0/src/security/security_selinux.c
> +===================================================================
> +--- libvirt-6.1.0.orig/src/security/security_selinux.c
> ++++ libvirt-6.1.0/src/security/security_selinux.c
> +@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
> +         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
> + 
> +         if (c1 == c2) {
> +-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
> ++            /*
> ++             * A process can access a file if the set of MCS categories
> ++             * for the file is equal-to *or* a subset-of, the set of
> ++             * MCS categories for the process.
> ++             *
> ++             * IOW, we must discard case where the categories are equal
> ++             * because that is a subset of other category pairs.
> ++             */
> ++            continue;
> +         } else {
> +             if (c1 > c2) {
> +                 int t = c1;
> diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
> index 9cf2951..7bc93ff 100644
> --- a/recipes-extended/libvirt/libvirt_7.2.0.bb
> +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
> @@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
>             file://hook_support.py \
>             file://gnutls-helper.py \
>             file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
> +           file://CVE-2021-3631.patch \
>            "
>  
>  SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
> -- 
> 2.25.1
> 

> 
> 
> 

Re: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631

[Armin Kuster]

On 9/16/21 3:19 PM, Bruce Ashfield wrote:
> Wind River had also submitted this, 
cool. just doing the master fix first policy, just want to ensure I was
covered for Dunfell in my workflow.

> so I grabbed that patch (since
> I was going in order), but I'll grab all your backported ones now.
thanks,
Armin
>
> Bruce
>
> In message: [meta-virtualization][PATCH] libvirt: Security fix for CVE-2021-3631
> on 16/09/2021 Armin Kuster wrote:
>
>> From: Armin Kuster <akuster@mvista.com>
>>
>> Source: https://libvirt.org/git/libvirt.git
>> MR: 112956
>> Type: Security Fix
>> Disposition: Backport from https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
>> ChangeID: 314727e329e5b1351326737eb9c9232f465db184
>> Description:
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> ---
>>  .../libvirt/libvirt/CVE-2021-3631.patch       | 56 +++++++++++++++++++
>>  recipes-extended/libvirt/libvirt_7.2.0.bb     |  1 +
>>  2 files changed, 57 insertions(+)
>>  create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
>>
>> diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
>> new file mode 100644
>> index 0000000..c1fa8c2
>> --- /dev/null
>> +++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
>> @@ -0,0 +1,56 @@
>> +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
>> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
>> +Date: Mon, 28 Jun 2021 13:09:04 +0100
>> +Subject: [PATCH] security: fix SELinux label generation logic
>> +MIME-Version: 1.0
>> +Content-Type: text/plain; charset=UTF-8
>> +Content-Transfer-Encoding: 8bit
>> +
>> +A process can access a file if the set of MCS categories
>> +for the file is equal-to *or* a subset-of, the set of
>> +MCS categories for the process.
>> +
>> +If there are two VMs:
>> +
>> +  a) svirt_t:s0:c117
>> +  b) svirt_t:s0:c117,c720
>> +
>> +Then VM (b) is able to access files labelled for VM (a).
>> +
>> +IOW, we must discard case where the categories are equal
>> +because that is a subset of many other valid category pairs.
>> +
>> +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
>> +CVE-2021-3631
>> +Reviewed-by: Peter Krempa <pkrempa@redhat.com>
>> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>> +
>> +Upstream-Status: Backport
>> +CVE: CVE-2021-3631
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + src/security/security_selinux.c | 10 +++++++++-
>> + 1 file changed, 9 insertions(+), 1 deletion(-)
>> +
>> +Index: libvirt-6.1.0/src/security/security_selinux.c
>> +===================================================================
>> +--- libvirt-6.1.0.orig/src/security/security_selinux.c
>> ++++ libvirt-6.1.0/src/security/security_selinux.c
>> +@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
>> +         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
>> + 
>> +         if (c1 == c2) {
>> +-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
>> ++            /*
>> ++             * A process can access a file if the set of MCS categories
>> ++             * for the file is equal-to *or* a subset-of, the set of
>> ++             * MCS categories for the process.
>> ++             *
>> ++             * IOW, we must discard case where the categories are equal
>> ++             * because that is a subset of other category pairs.
>> ++             */
>> ++            continue;
>> +         } else {
>> +             if (c1 > c2) {
>> +                 int t = c1;
>> diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
>> index 9cf2951..7bc93ff 100644
>> --- a/recipes-extended/libvirt/libvirt_7.2.0.bb
>> +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
>> @@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
>>             file://hook_support.py \
>>             file://gnutls-helper.py \
>>             file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
>> +           file://CVE-2021-3631.patch \
>>            "
>>  
>>  SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
>> -- 
>> 2.25.1
>>
>> 
>>