Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 799713 (CVE-2021-3631) - <app-emulation/libvirt-7.5.0: insufficient guest isolation with SELinux (CVE-2021-3631)
Summary: <app-emulation/libvirt-7.5.0: insufficient guest isolation with SELinux (CVE-...
Alias: CVE-2021-3631
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa?]
Depends on: CVE-2021-3667
  Show dependency tree
Reported: 2021-07-01 14:15 UTC by John Helmert III
Modified: 2022-06-02 22:01 UTC (History)
5 users (show)

See Also:
Package list:
app-emulation/libvirt-7.5.0 *
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 14:15:16 UTC
From URL:

In src/security/security_selinux.c, virSecuritySELinuxMCSFind(), We can see that the program randomly gets two numbers. But if c1 == c2, the program will generate a single category context like s0:cXXX,
But if we have got machine with context like "s0:cXXX,cYYY" ,It will be able to read the image of machine with "s0:cXXX". This should be avoided.

Fix is in 7.5.0, please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-14 17:56:38 UTC
The bug has been referenced in the following commit(s):

commit 3a3cc8f45694d05c69f0009f546798323a84fae9
Author:     Jonathan Davies <>
AuthorDate: 2021-07-07 19:05:44 +0000
Commit:     Joonas Niilola <>
CommitDate: 2021-07-14 17:56:31 +0000

    app-emulation/libvirt: Version updated to 7.5.0, with changes:
    * Use meson_feature for apparmor_profiles.
    * Updated minimum Xen version to 4.9.0.
    Signed-off-by: Jonathan Davies <>
    Signed-off-by: Joonas Niilola <>

 app-emulation/libvirt/Manifest             |   2 +
 app-emulation/libvirt/libvirt-7.5.0.ebuild | 327 +++++++++++++++++++++++++++++
 2 files changed, 329 insertions(+)
Comment 2 Jonathan Davies 2021-07-14 22:04:54 UTC needs to be merged into our policy packages before we stabilize this... or everything is going to break for users enforcing selinux.
Comment 3 NATTkA bot gentoo-dev 2021-12-10 00:24:43 UTC
Unable to check for sanity:

> no match for package: app-emulation/libvirt-7.5.0
Comment 4 Michal Privoznik 2022-04-07 19:45:39 UTC
Since there's no ebuild for <libvirt-7.5.0 anymore can this be closed?
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 13:47:47 UTC
(In reply to Michal Privoznik from comment #4)
> Since there's no ebuild for <libvirt-7.5.0 anymore can this be closed?

Needs GLSA.