Bug 799713 (CVE-2021-3631)

Summary:	<app-emulation/libvirt-7.5.0: insufficient guest isolation with SELinux (CVE-2021-3631)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	michal.privoznik, sam, selinux, tamiko, virtualization
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://gitlab.com/libvirt/libvirt/-/issues/153
Whiteboard:	B4 [glsa+]
Package list:	app-emulation/libvirt-7.5.0 *	Runtime testing required:	---
Bug Depends on:	812317
Bug Blocks:

Description John Helmert III archtester

2021-07-01 14:15:16 UTC

From URL:

In src/security/security_selinux.c, virSecuritySELinuxMCSFind(), We can see that the program randomly gets two numbers. But if c1 == c2, the program will generate a single category context like s0:cXXX,
But if we have got machine with context like "s0:cXXX,cYYY" ,It will be able to read the image of machine with "s0:cXXX". This should be avoided.


Fix is in 7.5.0, please bump.

Comment 1 Larry the Git Cow gentoo-dev

2021-07-14 17:56:38 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a3cc8f45694d05c69f0009f546798323a84fae9

commit 3a3cc8f45694d05c69f0009f546798323a84fae9
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-07-07 19:05:44 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-14 17:56:31 +0000

    app-emulation/libvirt: Version updated to 7.5.0, with changes:
    
    * Use meson_feature for apparmor_profiles.
    * Updated minimum Xen version to 4.9.0.
    
    Bug: https://bugs.gentoo.org/799713
    
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-emulation/libvirt/Manifest             |   2 +
 app-emulation/libvirt/libvirt-7.5.0.ebuild | 327 +++++++++++++++++++++++++++++
 2 files changed, 329 insertions(+)

Comment 2 Jonathan Davies 2021-07-14 22:04:54 UTC

https://github.com/SELinuxProject/refpolicy/pull/395 needs to be merged into our policy packages before we stabilize this... or everything is going to break for users enforcing selinux.

Comment 3 NATTkA bot gentoo-dev

2021-12-10 00:24:43 UTC

Unable to check for sanity:

> no match for package: app-emulation/libvirt-7.5.0

Comment 4 Michal Privoznik 2022-04-07 19:45:39 UTC

Since there's no ebuild for <libvirt-7.5.0 anymore can this be closed?

Comment 5 John Helmert III archtester

2022-04-09 13:47:47 UTC

(In reply to Michal Privoznik from comment #4)
> Since there's no ebuild for <libvirt-7.5.0 anymore can this be closed?

Needs GLSA.

Comment 6 John Helmert III archtester

2022-10-14 03:24:33 UTC

GLSA request filed

Comment 7 Larry the Git Cow gentoo-dev

2022-10-16 14:46:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=48e6804ed5fa75343b7496c1033000fda3741b42

commit 48e6804ed5fa75343b7496c1033000fda3741b42
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:42:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:24 +0000

    [ GLSA 202210-06 ] libvirt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/746119
    Bug: https://bugs.gentoo.org/799713
    Bug: https://bugs.gentoo.org/812317
    Bug: https://bugs.gentoo.org/836128
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-06.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

Comment 8 John Helmert III archtester

2022-10-16 14:58:13 UTC

GLSA released, all done!