Bug 29664 - libsepol new security issues CVE-2021-3608[4-7]
Summary: libsepol new security issues CVE-2021-3608[4-7]
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-16 18:15 CET by David Walser
Modified: 2024-03-13 14:06 CET

See Also:
Source RPM: libsepol-3.2-0.rc1.4.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-11-16 18:15:47 CET
Fedora has issued an advisory on November 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR/

Mageia 8 is also affected.

David Walser 2021-11-16 18:16:32 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2021-11-20 13:56:48 CET
Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => ngompa13

Comment 2 Nicolas Lécureuil 2021-12-30 22:07:45 CET
Fixed in cauldron

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Nicolas Lécureuil 2021-12-30 22:12:30 CET
Fixed in mga8 for CVE-2021-3608[4-6]

src:
    - libsepol-3.2-0.rc1.4.1.mga8

I don't fix CVE-2021-36087. This is a documentation fix but we don't have the .md files in our package.

Assignee: ngompa13 => qa-bugs
CC: (none) => ngompa13

Comment 4 David Walser 2021-12-30 22:23:58 CET
libsepol2-3.2-0.rc1.4.1.mga8
libsepol-devel-3.2-0.rc1.4.1.mga8
libsepol-static-devel-3.2-0.rc1.4.1.mga8

from libsepol-3.2-0.rc1.4.1.mga8.src.rpm

But you missed CVE-2021-36087 indeed, which is not a documentation fix, but a code one.  It's Fedora patch 0034-libsepol-cil-Check-for-statements-not-allowed-in-opt.patch and upstream commit here:
https://github.com/SELinuxProject/selinux/commit/340f0eb7f3673e8aacaf0a96cbfcd4d12a405521

Assignee: qa-bugs => mageia
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron

Comment 5 Nicolas Lécureuil 2021-12-31 09:27:52 CET
This is not what I can find here: https://security-tracker.debian.org/tracker/CVE-2021-36087

Comment 6 Nicolas Lécureuil 2021-12-31 09:32:53 CET
OK, seems an error in deb CVE checker. I add your patch.

Comment 7 David Walser 2022-01-26 23:31:05 CET
(In reply to Nicolas Lécureuil from comment #6)
> OK, seems an error in deb CVE checker. I add your patch.

Ping.

Comment 8 David Walser 2022-05-02 19:33:03 CEST
Ubuntu has issued an advisory for this on April 27:
https://ubuntu.com/security/notices/USN-5391-1

Comment 9 Nicolas Salguero 2024-03-13 14:06:51 CET
Mageia 8 EOL.

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status: NEW => RESOLVED
Version: Cauldron => 8

