Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 799713 (CVE-2021-3631) - <app-emulation/libvirt-7.5.0: insufficient guest isolation with SELinux (CVE-2021-3631)
Summary: <app-emulation/libvirt-7.5.0: insufficient guest isolation with SELinux (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2021-3631
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://gitlab.com/libvirt/libvirt/-/...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: CVE-2021-3667
Blocks:
  Show dependency tree
 
Reported: 2021-07-01 14:15 UTC by John Helmert III
Modified: 2022-10-16 14:58 UTC (History)
5 users (show)

See Also:
Package list:
app-emulation/libvirt-7.5.0 *
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 14:15:16 UTC 
From URL:

In src/security/security_selinux.c, virSecuritySELinuxMCSFind(), We can see that the program randomly gets two numbers. But if c1 == c2, the program will generate a single category context like s0:cXXX,
But if we have got machine with context like "s0:cXXX,cYYY" ,It will be able to read the image of machine with "s0:cXXX". This should be avoided.


Fix is in 7.5.0, please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-14 17:56:38 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a3cc8f45694d05c69f0009f546798323a84fae9

commit 3a3cc8f45694d05c69f0009f546798323a84fae9
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-07-07 19:05:44 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-14 17:56:31 +0000

    app-emulation/libvirt: Version updated to 7.5.0, with changes:
    
    * Use meson_feature for apparmor_profiles.
    * Updated minimum Xen version to 4.9.0.
    
    Bug: https://bugs.gentoo.org/799713
    
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-emulation/libvirt/Manifest             |   2 +
 app-emulation/libvirt/libvirt-7.5.0.ebuild | 327 +++++++++++++++++++++++++++++
 2 files changed, 329 insertions(+)
Comment 2 Jonathan Davies 2021-07-14 22:04:54 UTC 
https://github.com/SELinuxProject/refpolicy/pull/395 needs to be merged into our policy packages before we stabilize this... or everything is going to break for users enforcing selinux.
Comment 3 NATTkA bot gentoo-dev 2021-12-10 00:24:43 UTC 
Unable to check for sanity:

> no match for package: app-emulation/libvirt-7.5.0
Comment 4 Michal Privoznik 2022-04-07 19:45:39 UTC 
Since there's no ebuild for <libvirt-7.5.0 anymore can this be closed?
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 13:47:47 UTC 
(In reply to Michal Privoznik from comment #4)
> Since there's no ebuild for <libvirt-7.5.0 anymore can this be closed?

Needs GLSA.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:24:33 UTC 
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-10-16 14:46:04 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=48e6804ed5fa75343b7496c1033000fda3741b42

commit 48e6804ed5fa75343b7496c1033000fda3741b42
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:42:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:24 +0000

    [ GLSA 202210-06 ] libvirt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/746119
    Bug: https://bugs.gentoo.org/799713
    Bug: https://bugs.gentoo.org/812317
    Bug: https://bugs.gentoo.org/836128
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-06.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:58:13 UTC 
GLSA released, all done!