Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2021-07-25 20:09:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and      /work/SRC/openSUSE:Factory/.libsepol.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libsepol"

Sun Jul 25 20:09:04 2021 rev:50 rq:907664 version:3.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes        2021-07-09 
23:56:35.581805886 +0200
+++ /work/SRC/openSUSE:Factory/.libsepol.new.1899/libsepol.changes      
2021-07-25 20:09:04.495456287 +0200
@@ -1,0 +2,6 @@
+Wed Jul 21 13:16:54 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 
1187928.
+  Added CVE-2021-36087.patch
+
+-------------------------------------------------------------------

New:
----
  CVE-2021-36087.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libsepol.spec ++++++
--- /var/tmp/diff_new_pack.rRGaHe/_old  2021-07-25 20:09:05.203455498 +0200
+++ /var/tmp/diff_new_pack.rRGaHe/_new  2021-07-25 20:09:05.207455494 +0200
@@ -30,6 +30,7 @@
 # all upstream, remove in next version
 Patch0:         CVE-2021-36085.patch
 Patch1:         CVE-2021-36086.patch
+Patch2:         CVE-2021-36087.patch
 BuildRequires:  flex
 BuildRequires:  pkgconfig
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -91,7 +92,9 @@
 
 %prep
 %setup -q
-%autopatch -p2
+%patch0 -p2
+%patch1 -p2
+%patch2 -p1
 
 %build
 %define _lto_cflags %{nil}

++++++ CVE-2021-36087.patch ++++++
diff -r -u libsepol-3.2_orig/cil/src/cil_build_ast.c 
libsepol-3.2/cil/src/cil_build_ast.c
--- libsepol-3.2_orig/cil/src/cil_build_ast.c   2021-07-21 15:15:01.875585374 
+0200
+++ libsepol-3.2/cil/src/cil_build_ast.c        2021-07-21 15:15:10.655704516 
+0200
@@ -50,6 +50,7 @@
        struct cil_tree_node *ast;
        struct cil_db *db;
        struct cil_tree_node *macro;
+       struct cil_tree_node *optional;
        struct cil_tree_node *boolif;
        struct cil_tree_node *tunif;
        struct cil_tree_node *in;
@@ -6098,6 +6099,7 @@
        struct cil_db *db = NULL;
        struct cil_tree_node *ast_node = NULL;
        struct cil_tree_node *macro = NULL;
+       struct cil_tree_node *optional = NULL;
        struct cil_tree_node *boolif = NULL;
        struct cil_tree_node *tunif = NULL;
        struct cil_tree_node *in = NULL;
@@ -6143,6 +6145,18 @@
                }
        }
 
+       if (optional != NULL) {
+               if (parse_current->data == CIL_KEY_TUNABLE ||
+                       parse_current->data == CIL_KEY_IN ||
+                       parse_current->data == CIL_KEY_BLOCK ||
+                       parse_current->data == CIL_KEY_BLOCKABSTRACT ||
+                       parse_current->data == CIL_KEY_MACRO) {
+                       rc = SEPOL_ERR;
+                       cil_tree_log(parse_current, CIL_ERR, "%s is not allowed 
in optionals", (char *)parse_current->data);
+                       goto exit;
+               }
+       }
+
        if (boolif != NULL) {
                if (parse_current->data != CIL_KEY_CONDTRUE &&
                        parse_current->data != CIL_KEY_CONDFALSE &&
@@ -6524,6 +6538,19 @@
                args->macro = NULL;
        }
 
+       if (ast->flavor == CIL_OPTIONAL) {
+               struct cil_tree_node *n = ast->parent;
+               args->optional = NULL;
+               /* Optionals can be nested */
+               while (n && n->flavor != CIL_ROOT) {
+                       if (n->flavor == CIL_OPTIONAL) {
+                               args->optional = n;
+                               break;
+                       }
+                       n = n->parent;
+               }
+       }
+
        if (ast->flavor == CIL_BOOLEANIF) {
                args->boolif = NULL;
        }
@@ -6561,6 +6588,7 @@
        extra_args.ast = ast;
        extra_args.db = db;
        extra_args.macro = NULL;
+       extra_args.optional = NULL;
        extra_args.boolif = NULL;
        extra_args.tunif = NULL;
        extra_args.in = NULL;
diff -r -u libsepol-3.2_orig/cil/src/cil_resolve_ast.c 
libsepol-3.2/cil/src/cil_resolve_ast.c
--- libsepol-3.2_orig/cil/src/cil_resolve_ast.c 2021-07-21 15:15:01.879585428 
+0200
+++ libsepol-3.2/cil/src/cil_resolve_ast.c      2021-07-21 15:15:15.559771063 
+0200
@@ -3788,8 +3788,11 @@
        }
 
        if (optstack != NULL) {
-               if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
-                       /* tuanbles and macros are not allowed in optionals*/
+               if (node->flavor == CIL_TUNABLE ||
+                       node->flavor == CIL_IN ||
+                       node->flavor == CIL_BLOCK ||
+                       node->flavor == CIL_BLOCKABSTRACT ||
+                   node->flavor == CIL_MACRO) {
                        cil_tree_log(node, CIL_ERR, "%s statement is not 
allowed in optionals", cil_node_to_string(node));
                        rc = SEPOL_ERR;
                        goto exit;

Reply via email to