commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2024-07-12 17:04:21 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.17339 (New) Package is "libsepol" Fri Jul 12 17:04:21 2024 rev:56 rq:1185748 version:3.7 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2024-01-08 23:43:53.115308503 +0100 +++ /work/SRC/openSUSE:Factory/.libsepol.new.17339/libsepol.changes 2024-07-12 17:04:26.547676225 +0200 @@ -1,0 +2,24 @@ +Mon Jul 1 08:01:08 UTC 2024 - Cathy Hu + +- Update to version 3.7 + https://github.com/SELinuxProject/selinux/releases/tag/3.7 + * User-visible changes: +* libsepol: improve policy lookup failure message +* libsepol: include prefix for module policy versions +* libsepol: validate type-attribute-map for old policies +* libsepol: only exempt gaps checking for kernel policies + * Bugfixes: +* libsepol/src/Makefile: fix reallocarray detection +* libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772) +* libsepol: ensure transitivity in compare functions + * oss-fuzz fixes: +* libsepol: check scope permissions refer to valid class +* libsepol: validate attribute-type maps +* libsepol: reject self flag in type rules in old policies +* libsepol: validate class permissions +* libsepol: validate access vector permissions +* libsepol: reject MLS support in pre-MLS policies +* libsepol: Fix buffer overflow when using sepol_av_to_string() +* libsepol: Use a dynamic buffer in sepol_av_to_string() + +--- Old: libsepol-3.6.tar.gz libsepol-3.6.tar.gz.asc New: libsepol-3.7.tar.gz libsepol-3.7.tar.gz.asc Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.v3mzoy/_old 2024-07-12 17:04:29.323778224 +0200 +++ /var/tmp/diff_new_pack.v3mzoy/_new 2024-07-12 17:04:29.327778371 +0200 
@@ -1,7 +1,7 @@ # # spec file for package libsepol # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define libname libsepol2 Name: libsepol -Version:3.6 +Version:3.7 Release:0 Summary:SELinux binary policy manipulation library License:LGPL-2.1-or-later ++ libsepol-3.6.tar.gz -> libsepol-3.7.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/VERSION new/libsepol-3.7/VERSION --- old/libsepol-3.6/VERSION2023-12-13 15:46:22.0 +0100 +++ new/libsepol-3.7/VERSION2024-06-26 17:30:41.0 +0200 @@ -1 +1 @@ -3.6 +3.7 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/cil/src/cil_binary.c new/libsepol-3.7/cil/src/cil_binary.c --- old/libsepol-3.6/cil/src/cil_binary.c 2023-12-13 15:46:22.0 +0100 +++ new/libsepol-3.7/cil/src/cil_binary.c 2024-06-26 17:30:41.0 +0200 @@ -904,10 +904,10 @@ rc = mls_level_cpy(mls_level, sepol_level->level); if (rc != SEPOL_OK) { + free(mls_level); goto exit; } sepol_alias->level = mls_level; - sepol_alias->defined = 1; sepol_alias->isalias = 1; return SEPOL_OK; @@ -3163,8 +3163,6 @@ } } - sepol_level->defined = 1; - return SEPOL_OK; exit: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/cil/src/cil_post.c new/libsepol-3.7/cil/src/cil_post.c --- old/libsepol-3.6/cil/src/cil_post.c 2023-12-13 15:46:22.0 +0100 +++ new/libsepol-3.7/cil/src/cil_post.c 2024-06-26 17:30:41.0 +0200 @@ -52,6 +52,8 @@ #define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in libsepol/src/module_to_cil.c */ #define TYPEATTR_INFIX "_typeattr_"/* Also in libsepol/src/module_to_cil.c */ +#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b))) + struct fc_data { unsigned int meta; size_t stem_len; 
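Review bot: The new `spaceship_cmp` macro in cil_post.c (hunk at -52) has no comment explaining why it replaces the subtraction form, so a later cleanup could put `rc = a - b` back. The changelog ties this to "ensure transitivity in compare functions", and the removed lines in the next hunk assigned a difference of differences to `rc`, which can wrap. I would put `/* Three-way compare returning -1, 0 or 1; unlike returning a - b it cannot wrap, so the ordering stays transitive */` above the define. The macro evaluates each argument twice, so the comment should also say that callers must pass side-effect-free expressions, as the call in the following hunk does.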
@@ -263,8 +265,8 @@ if (rc) return rc; - rc = (aibpkeycon->pkey_high - aibpkeycon->pkey_low) - - (bibpkeycon->pkey_high - bibpkeycon->pkey_low); + rc = spaceship_cmp(aibpkeycon->pkey_high - aibpkeycon->pkey_low, + bibpkeycon->pkey_high - bibpkeycon->pkey_low); if (rc == 0) { if (aibpkeycon->pkey_low < bibpkeycon->pkey_low)
commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2024-01-08 23:43:46 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.21961 (New) Package is "libsepol" Mon Jan 8 23:43:46 2024 rev:55 rq:1137090 version:3.6 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2023-10-08 12:20:40.847253600 +0200 +++ /work/SRC/openSUSE:Factory/.libsepol.new.21961/libsepol.changes 2024-01-08 23:43:53.115308503 +0100 @@ -1,0 +2,24 @@ +Tue Dec 19 09:20:58 UTC 2023 - Cathy Hu + +- Update to version 3.6 + https://github.com/SELinuxProject/selinux/releases/tag/3.6 + * struct cond_expr_t bool renamed to boolean +The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro + * Add notself support for neverallow rules + * Improve man pages + * man pages: Remove the Russian translations + * Add notself and other support to CIL + * Add support for deny rules + * Translations updated from +https://translate.fedoraproject.org/projects/selinux/ + * Bug fixes +- Remove keys from keyring since they expired: + - E853C1848B0185CF42864DF363A8AD4B982C4373 +Petr Lautrbach + - 63191CE94183098689CAB8DB7EF137EC935B0EAF +Jason Zaman +- Add key to keyring: + - B8682847764DF60DF52D992CBC3905F235179CF1 +Petr Lautrbach + +--- Old: libsepol-3.5.tar.gz libsepol-3.5.tar.gz.asc New: libsepol-3.6.tar.gz libsepol-3.6.tar.gz.asc Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.c12yVH/_old 2024-01-08 23:43:54.143345845 +0100 +++ /var/tmp/diff_new_pack.c12yVH/_new 2024-01-08 23:43:54.147345991 +0100 @@ -19,7 +19,7 @@ %define libname libsepol2 Name: libsepol -Version:3.5 +Version:3.6 Release:0 Summary:SELinux binary policy manipulation library License:LGPL-2.1-or-later 
@@ -111,7 +111,6 @@ %{_bindir}/sepol_compute_relabel %{_bindir}/sepol_validate_transition %{_mandir}/man8/*.8%{ext_man} -%{_mandir}/ru/man8/*.8%{ext_man} %files -n %{libname} %defattr(-,root,root) ++ libsepol-3.5.tar.gz -> libsepol-3.6.tar.gz ++ 14200 lines of diff (skipped) ++ libsepol.keyring ++ --- /var/tmp/diff_new_pack.c12yVH/_old 2024-01-08 23:43:54.343353110 +0100 +++ /var/tmp/diff_new_pack.c12yVH/_new 2024-01-08 23:43:54.343353110 +0100 
@@ -1,306 +1,111 @@ -BEGIN PGP PUBLIC KEY BLOCK- -mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno -qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A -vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3 -K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU -lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw -CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K -AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et -3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi -kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX -TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW -Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB -tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6IRgQTEQIABgUC -UGrhaAAKCRDgn+8l2WSErGaNAJ96+VrAVoZPHnycMU37iP/ZTq5oZwCfaDWxlxNS -sQRgd0tvIDLDUY0uSw6IXgQQEQgABgUCT32YIwAKCRD/aJIEAzcfEOK8AP4u7xTn -iIaAvn6H0ql5X5mUeAimPhwP4FUvzkvoBDcY/QD/VPBnW1LoCDe63YboAvbB7BHe -/0yC7rwTQzl6zPmh/iiJARwEEwECAAYFAk+H1m4ACgkQGWJaEyWIEIcxJQf/fRX8 -T3fQ5NOhZ6r5AqRMm4wXSWsDk1oDL7Fa2vKcwqiIC4zQoU0Y9+s96GSjFHgP4wpc -f7GHSPZseXp9c4ckIpkuEK2wL+jyPuSSMgmOLEGXBgy6XbWvF5yR7tm3henEcBEn -HjbTwuTO2nM53tmcM/ophq/eK2nErwTKPiDw3aiahNDYNx36wJrSOBGTKySk/F23 -R8rQPThdbtvUtmTHDPCsAZKmMBlXOkoFcA1xKZRAMBoiEa9hIqiLBV7Z5oTmVSa8 -BolBpOtR38sIjAWh9MtJoFFfx8Q575TC9bfpW3Kc/IRPJE55Myn/8Kbl7YJBU+gO -/v2yjKIT+hRb0MUOEIkBHAQTAQIABgUCT457oQAKCRCUZdkzlNzEiUhHB/9WN9s3 -d5V/rjy9e8Ny2xd+5yXfuLpi57YI4mIZi5k6s3vBjFW8fa2jw/dXndhX06oOkmXY -1dSujVWJSMUe4gqnbdVu3IEBiyst5MyYcuOdeVpQ9KvolQMdRCEIXfgFOTXt73Lu -1eUSyEVhXI+Ua6bsmHJqscHatF2NCTyTJOqZDjIePD+c/8eW9XF2Bv6ZOa51M9UF -p85PVH0wn9I3bHhtyVPhxDSGM0TL9OwXNV25CPzI04wUb2vqnVVv67XCfcFMA0iH -nlH1oOHckUUhX+MFOTG6TFHmLIZCJHneeXR7SqdAXGl+EUZyWHRGS2OsdncMEDNy -5hennjRW71qr1C48iQIcBBABAgAGBQJPht1GAAoJEMI9kbsdgkTfgW0QAJ+o/BZI -i2TWU1cTQc4zVi4dcV8wZREXUCi2yQlq3C2MbL2gNRCSN+w9E6daOAf2zTEPZSaV 
-OuMl9aIF0fSRMuITFVQ6a+cz1UUxGFjFBkzCId5ybgVnkhZTPh7TmgYKQcVsyzBc -SgQb6qpu058s2lfrvLL8kzpZ77w+JdX9za9oSukflLxgKFvnAP2URY0zZo8E5SZv -M40zX98QV3wAXp9RVg3uG27IbWfnNO/6ijCY7ZzS16slEaYyBW4u6AgScoqFpD4f -Urpt1knuZfjHHHmLMTJh5iGL0OEEdLAIuFZH5iKWqRzlTSesX7dn4Jv1McemmLTv -
commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2023-10-08 12:17:38 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.28202 (New) Package is "libsepol" Sun Oct 8 12:17:38 2023 rev:54 rq:1115852 version:3.5 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2023-03-07 16:48:24.112974378 +0100 +++ /work/SRC/openSUSE:Factory/.libsepol.new.28202/libsepol.changes 2023-10-08 12:20:40.847253600 +0200 @@ -1,0 +2,5 @@ +Thu Mar 23 16:06:02 UTC 2023 - Martin Liška + +- Enable LTO now (boo#1138813). + +--- Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.5ynYRF/_old 2023-10-08 12:20:42.003295165 +0200 +++ /var/tmp/diff_new_pack.5ynYRF/_new 2023-10-08 12:20:42.003295165 +0200 @@ -92,7 +92,7 @@ %setup -q %build -%define _lto_cflags %{nil} +%global _lto_cflags %{_lto_cflags} -ffat-lto-objects export CFLAGS="%{optflags} -fcommon" make %{?_smp_mflags}
commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2023-03-07 16:48:20 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.31432 (New) Package is "libsepol" Tue Mar 7 16:48:20 2023 rev:53 rq:1068398 version:3.5 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2022-06-20 15:36:53.162825327 +0200 +++ /work/SRC/openSUSE:Factory/.libsepol.new.31432/libsepol.changes 2023-03-07 16:48:24.112974378 +0100 @@ -1,0 +2,9 @@ +Fri Feb 24 07:50:14 UTC 2023 - Johannes Segitz + +- Update to version 3.5 + * Stricter policy validation + * do not write empty class definitions to allow simpler round-trip tests + * reject attributes in type av rules for kernel policies +- Added additional developer key (Jason Zaman) + +--- Old: libsepol-3.4.tar.gz libsepol-3.4.tar.gz.asc New: libsepol-3.5.tar.gz libsepol-3.5.tar.gz.asc Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.8j5tL2/_old 2023-03-07 16:48:24.884978440 +0100 +++ /var/tmp/diff_new_pack.8j5tL2/_new 2023-03-07 16:48:24.892978483 +0100 @@ -1,7 +1,7 @@ # # spec file for package libsepol # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define libname libsepol2 Name: libsepol -Version:3.4 +Version:3.5 Release:0 Summary:SELinux binary policy manipulation library License:LGPL-2.1-or-later ++ libsepol-3.4.tar.gz -> libsepol-3.5.tar.gz ++ 4656 lines of diff (skipped) ++ libsepol.keyring ++ --- /var/tmp/diff_new_pack.8j5tL2/_old 2023-03-07 16:48:25.136979767 +0100 +++ /var/tmp/diff_new_pack.8j5tL2/_new 2023-03-07 16:48:25.140979788 +0100 
@@ -167,4 +167,140 @@ t4zhuhOJjZ2YaPVALQ== =UVQc -END PGP PUBLIC KEY BLOCK- +-BEGIN PGP PUBLIC KEY BLOCK- + +mQINBFMyh7gBEADHbVdNWxivgqISiinIAE7gOl9vFemvnqfzn7hdfw2y02hUzojd +0HzEJsyqxGBYHpdNYoiLbCYNubMDA/Xd0Att2D7fIAuNFo3gnKEm27xLSzjC02bk +h2Pxp9d92dxPXsk+zDvY74Vwem74Yon824ESurH4gTK/HsiX2Y+7+5z3Ep07xC7p +IA0RzD3zlKhfT9dpS0QR2LP1utFcT40eEjSZY8QK3iKapNtyvIrpKpkWx0tZTWwX ++F8IoL9MzJBi5L/pS8fyUOkyBVIwdRXLNuX+sle+llH7i+6DWsWHEphiZ3ObiXDm +iXKBu/I0useEE4K7TmOLqqeEZl+CTU6YWJLPpD38pq+p64TlAcT7rZSmRUr7zY0a +X1gsXqm7e95Txm6UYy3Xth1jmZ0PuHjCBIvy8foxZVKGsR34ntAYcZzZhDca+J2S +WyL/YcQbSFhad1N1ZpCXj4eYGQIg57b1OLrabopdSQ73s8uGdS12aNQKcehkAvKs +Pab45Qxk7PWGNXuvHGYFCvedl8Gh/MUy3UqlXE58GBob9ldB+7eaO5VgR0GydSFO +cbRDDpXBdWbsq4u0BDT3uB4FZTqYC3i83NFdCSppxG6aXDl4Hux+Fq7FcjFV7scw +e/ndpnLMzj0oSyOmq6GZfvbZKRbyPztYxrEIoDw1mgvJQhm2AnfnhoOWVwARAQAB +tCJKYXNvbiBaYW1hbiA8amFzb256YW1hbkBnbWFpbC5jb20+iQJXBBMBCABBAhsD +Ah4BAheABQsJCAcDBRUKCQgLBRYCAwEAAhkBFiEEYxkc6UGDCYaJyrjbfvE37JNb +Dq8FAl1mIt8FCQw1xCcACgkQfvE37JNbDq8mKA/7BnUyy3K0nEboJfXKP7mbI7vH +hnDYP9ojwi6Lv7BJLOGNVmHDrZa9HA8uzH7AZIIf1XLOWd+bABqHETETElckXK+x +gtE9GUQO0DQRVH2gCyJUaLtYgK/VD2GRXLlFRUA81XLmU0pNZVIRL6u5P1RbHjdd +G01NgzH2sDKtmAtIashj25YD5m2RukTDfGYDMujjxR2bBRp8QnNiDHp93pYmF6oR +iElJKrUOhBS7Mw2Cuy7GhcvPmFsUY7o/Kq+4bu9DzZOMrPTmVQMF//PV5JChWCou +Aqv1Qybrt5I4/OzOVX+9bID7xowueMbTlak/1yqmgGNmFA5jN5XDuwZxoOX7F/m2 +ITJPRADEvZZLNF0kdj4zcLvk+/C8ofwcPcltO9SmDYwi3aKuMifVHqQnaG+Tu4qI +okSA+Vngamvy0BFBLjjZ1DZhRBS4GELzprzQ4brBqmdFnwtGnc3GOHK5Q8teZeRW +SbCh1u7CNBNXIdnTX5VlGonxjAO27ISDP7oaQyiJetnMy2W2qEG1DIDnLJtlPwDR ++UFO5kBHdJSnuTnCl20XUADeH0tx4jHAAYcIyx0tvJCuOWylMG8yVadxS73IA6a9 +GA+fOku9XBh4eP5vIoMRfuVwDDu2y2n5J68OCfshs3JllGImrWUzR8hpZmjXmpAZ +VjN4Ft83ZEvUEntlI620NUphc29uIFphbWFuIChHZW50b28gRGV2ZWxvcGVyKSA8 +cGVyZmluaW9uQGdlbnRvby5vcmc+iQJUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYD +AgEAAh4BAheAFiEEYxkc6UGDCYaJyrjbfvE37JNbDq8FAl1mIucFCQw1xCcACgkQ +fvE37JNbDq8dtA//cUEBx8rIvXyO14TcUu5o3Cc2DRhFxLwVIPOnw6cfZYhRrIKr 
+2wegsllvV4vJ+KJoIBvlw83VAunHt07N2+hF72LM6qPWkX055gY5PkFSGPBpybZk +oevE9rI+8p7aOqu0Qns4O3juDMava+nSnHjmZCJO7wnjrkGC57eBwI7Z3H32EFIU +b+IvOivBFA6iSeXkmEg1ub3iaA2vXdKOGDfoxrEjSJWt04q8VDUmtscKRkRrc1AX +XToVzcSd4w8C6j4tlOk8DbCLfyf8M3cDeETzyD6ICYWkSN1OxYFopNvsty2L9xQ2 +oTCp/1CjJTO2mxOY7K75vLr8MNYnVrYPzCruazt0YetOY74raTMFhnA6mQapcM+c +L0DKylIOHra/jSj7WQCy/xujMWZKDg8LfcfTuknSFPXVL6s95TYwBayRkVhFs73c +Z5Tpk4dAxSLZI040uExlFmzqwaMRoAhLJShhe/QRGu5rBnjtaKRYl08Hnb2gLc+0 +LH1gsGIvrsB89coa4y5Grues0mw9Bbk5tjGJHWlSgGG6NPds/L2RWCsXgkb4qn6p +Prsq6dyA8qp7O4LiZkzvKpFxmpO3ggIeIh17N21piUs9awnFySLR68gv0E6OnLdL +s2fpRYclaw2DxS4WHloWfW2MoV/b4K+GzovlVGAi19gwzBVk1uHneB504eW0IUph +c29uIFphbWFuIDxqYXNvbkBwZXJmaW5pb24uY29tPokCVAQTAQgAPgIbAwIeAQIX
commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2022-06-20 15:36:47 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.1548 (New) Package is "libsepol" Mon Jun 20 15:36:47 2022 rev:52 rq:978302 version:3.4 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2021-11-15 15:27:36.165843702 +0100 +++ /work/SRC/openSUSE:Factory/.libsepol.new.1548/libsepol.changes 2022-06-20 15:36:53.162825327 +0200 @@ -1,0 +2,12 @@ +Mon May 9 10:27:53 UTC 2022 - Johannes Segitz + +- Update to version 3.4 + * Add 'ioctl_skip_cloexec' policy capability + * Add sepol_av_perm_to_string + * Add policy utilities + * Support IPv4/IPv6 address embedding + * Hardened/added many validations + * Add support for file types in writing out policy.conf + * Allow optional file type in genfscon rules + +--- Old: libsepol-3.3.tar.gz New: libsepol-3.4.tar.gz libsepol-3.4.tar.gz.asc libsepol.keyring Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.XIeoHQ/_old 2022-06-20 15:36:53.670826070 +0200 +++ /var/tmp/diff_new_pack.XIeoHQ/_new 2022-06-20 15:36:53.678826082 +0200 @@ -1,7 +1,7 @@ # # spec file for package libsepol # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,14 +19,16 @@ %define libname libsepol2 Name: libsepol -Version:3.3 +Version:3.4 Release:0 Summary:SELinux binary policy manipulation library License:LGPL-2.1-or-later Group: Development/Libraries/C and C++ URL:https://github.com/SELinuxProject/selinux/wiki/Releases -Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz -Source2:baselibs.conf +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz +Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz.asc +Source2:libsepol.keyring +Source3:baselibs.conf BuildRequires: flex BuildRequires: pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -103,6 +105,11 @@ %files utils %defattr(-,root,root) %{_bindir}/chkcon +%{_bindir}/sepol_check_access +%{_bindir}/sepol_compute_av +%{_bindir}/sepol_compute_member +%{_bindir}/sepol_compute_relabel +%{_bindir}/sepol_validate_transition %{_mandir}/man8/*.8%{ext_man} %{_mandir}/ru/man8/*.8%{ext_man} ++ libsepol-3.3.tar.gz -> libsepol-3.4.tar.gz ++ 7455 lines of diff (skipped)
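Review bot: `Source1` (the `.tar.gz.asc`) and `Source2` (`libsepol.keyring`) are added in the hunk at -19, but nothing visible shows where the tarball is checked against them; `%prep` lies outside this hunk. If verification is left to build-service source checks rather than done in the spec, say so next to the tags, for example `# Source1 is the detached signature for Source0; Source2 holds the keys it is verified against`. Without that, a reader cannot tell whether the signature is enforced or merely shipped.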
commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2021-11-15 15:26:03 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.1890 (New) Package is "libsepol" Mon Nov 15 15:26:03 2021 rev:51 rq:930939 version:3.3 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2021-07-25 20:09:04.495456287 +0200 +++ /work/SRC/openSUSE:Factory/.libsepol.new.1890/libsepol.changes 2021-11-15 15:27:36.165843702 +0100 @@ -1,0 +2,8 @@ +Thu Nov 11 13:28:14 UTC 2021 - Johannes Segitz + +- Update to version 3.3 + * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch +are all included + * Lot of smaller fixes identified by fuzzing + +--- Old: CVE-2021-36085.patch CVE-2021-36086.patch CVE-2021-36087.patch libsepol-3.2.tar.gz New: libsepol-3.3.tar.gz Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.JnYloa/_old 2021-11-15 15:27:36.613843827 +0100 +++ /var/tmp/diff_new_pack.JnYloa/_new 2021-11-15 15:27:36.617843829 +0100 @@ -19,7 +19,7 @@ %define libname libsepol2 Name: libsepol -Version:3.2 +Version:3.3 Release:0 Summary:SELinux binary policy manipulation library License:LGPL-2.1-or-later @@ -27,10 +27,6 @@ URL:https://github.com/SELinuxProject/selinux/wiki/Releases Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz Source2:baselibs.conf -# all upstream, remove in next version -Patch0: CVE-2021-36085.patch -Patch1: CVE-2021-36086.patch -Patch2: CVE-2021-36087.patch BuildRequires: flex BuildRequires: pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -92,9 +88,6 @@ %prep %setup -q -%patch0 -p2 -%patch1 -p2 -%patch2 -p1 %build %define _lto_cflags %{nil} ++ libsepol-3.2.tar.gz -> libsepol-3.3.tar.gz ++ 11869 lines of diff (skipped)
commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2021-07-25 20:09:04 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.1899 (New) Package is "libsepol" Sun Jul 25 20:09:04 2021 rev:50 rq:907664 version:3.2 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2021-07-09 23:56:35.581805886 +0200 +++ /work/SRC/openSUSE:Factory/.libsepol.new.1899/libsepol.changes 2021-07-25 20:09:04.495456287 +0200 @@ -1,0 +2,6 @@ +Wed Jul 21 13:16:54 UTC 2021 - Johannes Segitz + +- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928. + Added CVE-2021-36087.patch + +--- New: CVE-2021-36087.patch Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.rRGaHe/_old 2021-07-25 20:09:05.203455498 +0200 +++ /var/tmp/diff_new_pack.rRGaHe/_new 2021-07-25 20:09:05.207455494 +0200 @@ -30,6 +30,7 @@ # all upstream, remove in next version Patch0: CVE-2021-36085.patch Patch1: CVE-2021-36086.patch +Patch2: CVE-2021-36087.patch BuildRequires: flex BuildRequires: pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -91,7 +92,9 @@ %prep %setup -q -%autopatch -p2 +%patch0 -p2 +%patch1 -p2 +%patch2 -p1 %build %define _lto_cflags %{nil} ++ CVE-2021-36087.patch ++ diff -r -u libsepol-3.2_orig/cil/src/cil_build_ast.c libsepol-3.2/cil/src/cil_build_ast.c --- libsepol-3.2_orig/cil/src/cil_build_ast.c 2021-07-21 15:15:01.875585374 +0200 +++ libsepol-3.2/cil/src/cil_build_ast.c2021-07-21 15:15:10.655704516 +0200 @@ -50,6 +50,7 @@ struct cil_tree_node *ast; struct cil_db *db; struct cil_tree_node *macro; + struct cil_tree_node *optional; struct cil_tree_node *boolif; struct cil_tree_node *tunif; struct cil_tree_node *in; 
@@ -6098,6 +6099,7 @@ struct cil_db *db = NULL; struct cil_tree_node *ast_node = NULL; struct cil_tree_node *macro = NULL; + struct cil_tree_node *optional = NULL; struct cil_tree_node *boolif = NULL; struct cil_tree_node *tunif = NULL; struct cil_tree_node *in = NULL; @@ -6143,6 +6145,18 @@ } } + if (optional != NULL) { + if (parse_current->data == CIL_KEY_TUNABLE || + parse_current->data == CIL_KEY_IN || + parse_current->data == CIL_KEY_BLOCK || + parse_current->data == CIL_KEY_BLOCKABSTRACT || + parse_current->data == CIL_KEY_MACRO) { + rc = SEPOL_ERR; + cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data); + goto exit; + } + } + if (boolif != NULL) { if (parse_current->data != CIL_KEY_CONDTRUE && parse_current->data != CIL_KEY_CONDFALSE && @@ -6524,6 +6538,19 @@ args->macro = NULL; } + if (ast->flavor == CIL_OPTIONAL) { + struct cil_tree_node *n = ast->parent; + args->optional = NULL; + /* Optionals can be nested */ + while (n && n->flavor != CIL_ROOT) { + if (n->flavor == CIL_OPTIONAL) { + args->optional = n; + break; + } + n = n->parent; + } + } + if (ast->flavor == CIL_BOOLEANIF) { args->boolif = NULL; } @@ -6561,6 +6588,7 @@ extra_args.ast = ast; extra_args.db = db; extra_args.macro = NULL; + extra_args.optional = NULL; extra_args.boolif = NULL; extra_args.tunif = NULL; extra_args.in = NULL; diff -r -u libsepol-3.2_orig/cil/src/cil_resolve_ast.c libsepol-3.2/cil/src/cil_resolve_ast.c --- libsepol-3.2_orig/cil/src/cil_resolve_ast.c 2021-07-21 15:15:01.879585428 +0200 +++ libsepol-3.2/cil/src/cil_resolve_ast.c 2021-07-21 15:15:15.559771063 +0200 @@ -3788,8 +3788,11 @@ } if (optstack != NULL) { - if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) { - /* tuanbles and macros are not allowed in optionals*/ + if (node->flavor == CIL_TUNABLE || + node->flavor == CIL_IN || + node->flavor == CIL_BLOCK || + node->flavor == CIL_BLOCKABSTRACT || +
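Review bot: In cil_build_ast.c the new `if (optional != NULL)` check (hunk at -6143) tests a local that the hunk at -6098 initialises to NULL, and no visible hunk in this file assigns it from `args->optional` or sets `args->optional` when an optional node is entered; the hunk at -6524 only restores it when leaving one. The hunk header offsets (+1, +2, +14, +27) account for every added line, so the assignment does not appear to be hidden between hunks. That would leave this check unreachable, with the cil_resolve_ast.c check as the only enforcement. Consider adding `optional = args->optional;` beside the other copies from `args`, and `if (ast_node->flavor == CIL_OPTIONAL) args->optional = ast_node;` where the helper records the node it has just built. Both function bodies start and end outside these hunks, so this needs confirming against the full file.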
commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2021-07-09 23:56:34 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.2625 (New) Package is "libsepol" Fri Jul 9 23:56:34 2021 rev:49 rq:904154 version:3.2 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2021-03-24 16:08:49.803679446 +0100 +++ /work/SRC/openSUSE:Factory/.libsepol.new.2625/libsepol.changes 2021-07-09 23:56:35.581805886 +0200 @@ -1,0 +2,8 @@ +Mon Jul 5 11:31:07 UTC 2021 - Johannes Segitz + +- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965). + Added CVE-2021-36085.patch +- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964). + Added CVE-2021-36086.patch + +--- New: CVE-2021-36085.patch CVE-2021-36086.patch Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.svuAvH/_old 2021-07-09 23:56:36.097801873 +0200 +++ /var/tmp/diff_new_pack.svuAvH/_new 2021-07-09 23:56:36.101801842 +0200 @@ -27,6 +27,9 @@ URL:https://github.com/SELinuxProject/selinux/wiki/Releases Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz Source2:baselibs.conf +# all upstream, remove in next version +Patch0: CVE-2021-36085.patch +Patch1: CVE-2021-36086.patch BuildRequires: flex BuildRequires: pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -88,6 +91,7 @@ %prep %setup -q +%autopatch -p2 %build %define _lto_cflags %{nil} ++ CVE-2021-36085.patch ++ >From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001 
From: James Carter Date: Thu, 8 Apr 2021 13:32:04 -0400 Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms Map perms share the same struct as regular perms, but only the map perms use the classperms field. This field is a pointer to a list of classperms that is created and added to when resolving classmapping rules, so the map permission doesn't own any of the data in the list and this list should be destroyed when the AST is reset. When resetting a perm, destroy the classperms list without destroying the data in the list. Signed-off-by: James Carter --- libsepol/cil/src/cil_reset_ast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libsepol/libsepol-3.2/cil/src/cil_reset_ast.c === --- libsepol.orig/libsepol-3.2/cil/src/cil_reset_ast.c +++ libsepol/libsepol-3.2/cil/src/cil_reset_ast.c @@ -36,7 +36,7 @@ static void cil_reset_class(struct cil_c static void cil_reset_perm(struct cil_perm *perm) { - cil_reset_classperms_list(perm->classperms); + cil_list_destroy(&perm->classperms, CIL_FALSE); } static inline void cil_reset_classperms(struct cil_classperms *cp) ++ CVE-2021-36086.patch ++ >From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001 From: James Carter Date: Thu, 8 Apr 2021 13:32:06 -0400 Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset classpermission In struct cil_classperms_set, the set field is a pointer to a struct cil_classpermission which is looked up in the symbol table. Since the cil_classperms_set does not create the cil_classpermission, it should not reset it. Set the set field to NULL instead of resetting the classpermission that it points to. Signed-off-by: James Carter --- libsepol/cil/src/cil_reset_ast.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c index 89f91e56..1d9ca704 100644 --- a/libsepol/cil/src/cil_reset_ast.c +++ b/libsepol/cil/src/cil_reset_ast.c 
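Review bot: `cil_reset_perm` now calls `cil_list_destroy(&perm->classperms, CIL_FALSE)`, but the reason is recorded only in the patch description: the list is built while resolving classmapping rules and does not own its items. Put that on the call itself, e.g. `/* classperms is built while resolving classmappings and owns none of its items: drop the list, keep the data */`. The same applies to `cil_reset_classperms_set` in CVE-2021-36086.patch, where `cp_set->set = NULL;` deserves `/* set points at a classpermission from the symbol table; it is not ours to reset */`. Both lines encode ownership rules whose violation the changelog describes as use-after-free, so an in-code comment guards against the old call being restored later.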
@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp) static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) { - cil_reset_classpermission(cp_set->set); + if (cp_set == NULL) { + return; + } + + cp_set->set = NULL; } static inline void cil_reset_classperms_list(struct cil_list *cp_list) -- 2.26.2
commit libsepol for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2021-03-24 16:08:48 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.2401 (New) Package is "libsepol" Wed Mar 24 16:08:48 2021 rev:48 rq:878577 version:3.2 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2020-11-26 23:09:15.488821331 +0100 +++ /work/SRC/openSUSE:Factory/.libsepol.new.2401/libsepol.changes 2021-03-24 16:08:49.803679446 +0100 @@ -1,0 +2,9 @@ +Tue Mar 9 09:11:42 UTC 2021 - Johannes Segitz + +- Update to version 3.2 + * more space-efficient form of storing filename transitions in the binary +policy and reduced the size of the binary policy + * dropped old and deprecated symbols and functions. Version was bumped to +libsepol.so.2 + +--- Old: libsepol-3.1.tar.gz New: libsepol-3.2.tar.gz Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.yXWxLi/_old 2021-03-24 16:08:51.287681005 +0100 +++ /var/tmp/diff_new_pack.yXWxLi/_new 2021-03-24 16:08:51.287681005 +0100 @@ -1,7 +1,7 @@ # # spec file for package libsepol # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,14 +16,16 @@ # +%define libname libsepol2 + Name: libsepol -Version:3.1 +Version:3.2 Release:0 Summary:SELinux binary policy manipulation library License:LGPL-2.1-or-later Group: Development/Libraries/C and C++ URL:https://github.com/SELinuxProject/selinux/wiki/Releases -Source: https://github.com/SELinuxProject/selinux/releases/download/20200710/%{name}-%{version}.tar.gz +Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz Source2:baselibs.conf BuildRequires: flex BuildRequires: pkgconfig 
@@ -47,11 +49,11 @@ specific transformations on binary policies such as customizing policy boolean settings. -%package -n libsepol1 +%package -n %{libname} Summary:SELinux binary policy manipulation library Group: System/Libraries -%description -n libsepol1 +%description -n %{libname} libsepol provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs like load_policy that need to perform @@ -66,8 +68,8 @@ %package devel Summary:Development files for SELinux's binary policy manipulation library Group: Development/Libraries/C and C++ +Requires: %{libname} = %{version} Requires: glibc-devel -Requires: libsepol1 = %{version} %description devel The libsepol-devel package contains the libraries and header files @@ -95,8 +97,8 @@ %install %make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" -%post -n libsepol1 -p /sbin/ldconfig -%postun -n libsepol1 -p /sbin/ldconfig +%post -n %{libname} -p /sbin/ldconfig +%postun -n %{libname} -p /sbin/ldconfig %files utils %defattr(-,root,root) @@ -104,7 +106,7 @@ %{_mandir}/man8/*.8%{ext_man} %{_mandir}/ru/man8/*.8%{ext_man} -%files -n libsepol1 +%files -n %{libname} %defattr(-,root,root) %{_libdir}/libsepol.so.* ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.yXWxLi/_old 2021-03-24 16:08:51.311681030 +0100 +++ /var/tmp/diff_new_pack.yXWxLi/_new 2021-03-24 16:08:51.315681035 +0100 @@ -1 +1 @@ -libsepol1 +libsepol2 ++ libsepol-3.1.tar.gz -> libsepol-3.2.tar.gz ++ 4080 lines of diff (skipped)
[opensuse-commit] commit libsepol for openSUSE:Factory
Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2020-11-26 23:09:10 Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.5913 (New) Package is "libsepol" Thu Nov 26 23:09:10 2020 rev:47 rq:849698 version:3.1 Changes: --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2020-10-06 17:09:31.113444790 +0200 +++ /work/SRC/openSUSE:Factory/.libsepol.new.5913/libsepol.changes 2020-11-26 23:09:15.488821331 +0100 @@ -1,0 +2,5 @@ +Thu Oct 29 10:40:16 UTC 2020 - Ludwig Nussel + +- install to /usr (boo#1029961) + +--- Other differences: -- ++ libsepol.spec ++ --- /var/tmp/diff_new_pack.uAIjHv/_old 2020-11-26 23:09:16.092821925 +0100 +++ /var/tmp/diff_new_pack.uAIjHv/_new 2020-11-26 23:09:16.096821930 +0100 @@ -93,7 +93,7 @@ make %{?_smp_mflags} %install -%make_install LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" +%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" %post -n libsepol1 -p /sbin/ldconfig %postun -n libsepol1 -p /sbin/ldconfig @@ -106,7 +106,7 @@ %files -n libsepol1 %defattr(-,root,root) -/%{_lib}/libsepol.so.* +%{_libdir}/libsepol.so.* %files devel %defattr(-,root,root) ___ openSUSE Commits mailing list -- commit@lists.opensuse.org To unsubscribe, email commit-le...@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/commit@lists.opensuse.org