libsepol-2.9-3.el8

エラータID: AXSA:2021-2596:02

Release date: 
Friday, December 10, 2021 - 07:45
Subject: 
libsepol-2.9-3.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The libsepol library provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs like load_policy that need to perform specific transformations on binary policies (for example, customizing policy boolean settings).

Security Fix(es):

* libsepol: use-after-free in __cil_verify_classperms() (CVE-2021-36084)
* libsepol: use-after-free in __cil_verify_classperms() (CVE-2021-36085)
* libsepol: use-after-free in cil_reset_classpermission() (CVE-2021-36086)
* libsepol: heap-based buffer overflow in ebitmap_match_any() (CVE-2021-36087)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-36084
The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).
CVE-2021-36085
The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).
CVE-2021-36086
The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).
CVE-2021-36087
The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.

Solution: 

Update packages.

CVEs: 
CVE-2021-36084
The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).
CVE-2021-36085
The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).
CVE-2021-36086
The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).
CVE-2021-36087
The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.
Additional Info: 

N/A

Download: 

SRPMS
  1. libsepol-2.9-3.el8.src.rpm
    MD5: 4c5792df8813274cdcb5d3c656cc61b0
    SHA-256: 2242a97a819cd4d2ee4c18da31f140a02bf070c294af77bc5dab88d005cbc396
    Size: 548.32 kB

Asianux Server 8 for x86_64
  1. libsepol-2.9-3.el8.x86_64.rpm
    MD5: b3f4f38a1dde694564a20c7691f5fbd4
    SHA-256: dd990c52fcc7f21e0eb974b68711618caf777995de02f07e1516a3dd60b29bae
    Size: 338.83 kB
  2. libsepol-devel-2.9-3.el8.x86_64.rpm
    MD5: f19fa50981df608915dc2dafaa22ad76
    SHA-256: 1fb4347015ae968333c50441b636c049f1d0d4c77dddcfb3e5142aa538c5073b
    Size: 85.89 kB
  3. libsepol-static-2.9-3.el8.x86_64.rpm
    MD5: e734ae085bb783ca440aa5cb9da48947
    SHA-256: cd317a60b4f3dfbe881dbb1bda9e66a7b1e24f4b76572286a898d3637b7d1edc
    Size: 417.39 kB
  4. libsepol-2.9-3.el8.i686.rpm
    MD5: 9e47e7a2b49b9b198114e0463f3cb402
    SHA-256: f69908d91614d1bf936f1b4a6a337ea1ea11ef205bdaeb09f6d2acecc6a7e92d
    Size: 365.21 kB
  5. libsepol-devel-2.9-3.el8.i686.rpm
    MD5: f089473c912ad8e3a091ad32c48d1dd7
    SHA-256: 3e8d94029fe2a6f67602cb94c265350ca8b79a173d2dd2a3302c9144053262e9
    Size: 85.91 kB
  6. libsepol-static-2.9-3.el8.i686.rpm
    MD5: 0967f8d7fefa094c05ac1928bb48c107
    SHA-256: 6ae71e49cc4bc803130cc7cd937776168d7cb5a28842eddf65975bac255e04d1
    Size: 457.35 kB