2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
new file mode 100644
index 00000000..c1fa8c2f
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
@@ -0,0 +1,56 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+If there are two VMs:
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+Then VM (b) is able to access files labelled for VM (a).
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2021-3631
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+Index: libvirt-6.1.0/src/security/security_selinux.c
+===================================================================
+--- libvirt-6.1.0.orig/src/security/security_selinux.c
+++ libvirt-6.1.0/src/security/security_selinux.c
+@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
+            /*
+             * A process can access a file if the set of MCS categories
+             * for the file is equal-to *or* a subset-of, the set of
+             * MCS categories for the process.
+             *
+             * IOW, we must discard case where the categories are equal
+             * because that is a subset of other category pairs.
+             */
+            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;
diff --git a/recipes-extended/libvirt/libvirt_6.1.0.bb b/recipes-extended/libvirt/libvirt_6.1.0.bb
index aa7563f6..d4978b38 100644
--- a/recipes-extended/libvirt/libvirt_6.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.1.0.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://CVE-2020-25637_2.patch \
           file://CVE-2020-25637_3.patch \
           file://CVE-2020-25637_4.patch \
+           file://CVE-2021-3631.patch \
          "
 SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"

diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch new file mode 100644 index 00000000..c1fa8c2f --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
@@ -0,0 +1,56 @@
		1	From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
		3	Date: Mon, 28 Jun 2021 13:09:04 +0100
		4	Subject: [PATCH] security: fix SELinux label generation logic
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	A process can access a file if the set of MCS categories
		10	for the file is equal-to or a subset-of, the set of
		11	MCS categories for the process.
		12
		13	If there are two VMs:
		14
		15	a) svirt_t:s0:c117
		16	b) svirt_t:s0:c117,c720
		17
		18	Then VM (b) is able to access files labelled for VM (a).
		19
		20	IOW, we must discard case where the categories are equal
		21	because that is a subset of many other valid category pairs.
		22
		23	Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
		24	CVE-2021-3631
		25	Reviewed-by: Peter Krempa <pkrempa@redhat.com>
		26	Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
		27
		28	Upstream-Status: Backport
		29	CVE: CVE-2021-3631
		30	Signed-off-by: Armin Kuster <akuster@mvista.com>
		31
		32	---
		33	src/security/security_selinux.c \| 10 +++++++++-
		34	1 file changed, 9 insertions(+), 1 deletion(-)
		35
		36	Index: libvirt-6.1.0/src/security/security_selinux.c
		37	===================================================================
		38	--- libvirt-6.1.0.orig/src/security/security_selinux.c
		39	+++ libvirt-6.1.0/src/security/security_selinux.c
		40	@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
		41	VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
		42
		43	if (c1 == c2) {
		44	- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
		45	+ /*
		46	+ * A process can access a file if the set of MCS categories
		47	+ * for the file is equal-to or a subset-of, the set of
		48	+ * MCS categories for the process.
		49	+ *
		50	+ * IOW, we must discard case where the categories are equal
		51	+ * because that is a subset of other category pairs.
		52	+ */
		53	+ continue;
		54	} else {
		55	if (c1 > c2) {
		56	int t = c1;


diff --git a/recipes-extended/libvirt/libvirt_6.1.0.bb b/recipes-extended/libvirt/libvirt_6.1.0.bb index aa7563f6..d4978b38 100644 --- a/recipes-extended/libvirt/libvirt_6.1.0.bb +++ b/recipes-extended/libvirt/libvirt_6.1.0.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
45	file://CVE-2020-25637_2.patch \	45	file://CVE-2020-25637_2.patch \
46	file://CVE-2020-25637_3.patch \	46	file://CVE-2020-25637_3.patch \
47	file://CVE-2020-25637_4.patch \	47	file://CVE-2020-25637_4.patch \
		48	file://CVE-2021-3631.patch \
48	"	49	"
49		50
50	SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"	51	SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"