From a93ab31db1b77c73d4e57c6402652a3b7e48c5c4 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 18 Nov 2024 09:42:02 +0300 Subject: [PATCH] import libselinux-3.7-5.el10 --- ...texecfilecon-Remove-useless-rc-check.patch | 37 +++++++++++++++++ ...chpathcon-RESOURCE_LEAK-Variable-con.patch | 40 +++++++++++++++++++ SPECS/libselinux.spec | 18 +++++++-- 3 files changed, 91 insertions(+), 4 deletions(-) create mode 100644 SOURCES/0007-libselinux-setexecfilecon-Remove-useless-rc-check.patch create mode 100644 SOURCES/0008-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch diff --git a/SOURCES/0007-libselinux-setexecfilecon-Remove-useless-rc-check.patch b/SOURCES/0007-libselinux-setexecfilecon-Remove-useless-rc-check.patch new file mode 100644 index 0000000..ea07402 --- /dev/null +++ b/SOURCES/0007-libselinux-setexecfilecon-Remove-useless-rc-check.patch @@ -0,0 +1,37 @@ +From edce1de156f1daa71875e210c1d55ad8d3aefc90 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Fri, 25 Oct 2024 20:30:13 +0200 +Subject: [PATCH] libselinux/setexecfilecon: Remove useless rc check + +Fixes: + Error: IDENTICAL_BRANCHES (CWE-398): + libselinux-3.6/src/setexecfilecon.c:45: implicit_else: The code from the above if-then branch is identical to the code after the if statement. + libselinux-3.6/src/setexecfilecon.c:43: identical_branches: The same code is executed when the condition "rc < 0" is true or false, because the code in the if-then branch and after the if statement is identical. Should the if statement be removed? + \# 41| + \# 42| rc = setexeccon(newcon); + \# 43|-> if (rc < 0) + \# 44| goto out; + \# 45| out: + +Signed-off-by: Vit Mojzis +Acked-by: James Carter +--- + libselinux/src/setexecfilecon.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/libselinux/src/setexecfilecon.c b/libselinux/src/setexecfilecon.c +index 2c6505a9..4b31e775 100644 +--- a/libselinux/src/setexecfilecon.c ++++ b/libselinux/src/setexecfilecon.c +@@ -40,8 +40,6 @@ int setexecfilecon(const char *filename, const char *fallback_type) + } + + rc = setexeccon(newcon); +- if (rc < 0) +- goto out; + out: + + if (rc < 0 && security_getenforce() == 0) +-- +2.47.0 + diff --git a/SOURCES/0008-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch b/SOURCES/0008-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch new file mode 100644 index 0000000..414ca7c --- /dev/null +++ b/SOURCES/0008-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch @@ -0,0 +1,40 @@ +From 48bfb96d452a6893010977325940ca17619c207c Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Fri, 25 Oct 2024 20:30:14 +0200 +Subject: [PATCH] libselinux/matchpathcon: RESOURCE_LEAK: Variable "con" + +Fixes: + Error: RESOURCE_LEAK (CWE-772): + libselinux-3.6/src/matchpathcon.c:519: alloc_arg: "lgetfilecon_raw" allocates memory that is stored into "con". [Note: The source code implementation of the function has been overridden by a user model.] + libselinux-3.6/src/matchpathcon.c:528: leaked_storage: Variable "con" going out of scope leaks the storage it points to. + \# 526| + \# 527| if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) + \# 528|-> return -1; + \# 529| + \# 530| if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) { + +Signed-off-by: Vit Mojzis +Acked-by: James Carter +--- + libselinux/src/matchpathcon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c +index e44734c3..967520e4 100644 +--- a/libselinux/src/matchpathcon.c ++++ b/libselinux/src/matchpathcon.c +@@ -524,8 +524,10 @@ int selinux_file_context_verify(const char *path, mode_t mode) + return 0; + } + +- if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) ++ if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)){ ++ freecon(con); + return -1; ++ } + + if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) { + if (errno != ENOENT) +-- +2.47.0 + diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec index f24b864..3b5aba0 100644 --- a/SPECS/libselinux.spec +++ b/SPECS/libselinux.spec @@ -9,7 +9,7 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 3.7 -Release: 4%{?dist} +Release: 5%{?dist} License: LicenseRef-Fedora-Public-Domain # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/libselinux-3.7.tar.gz @@ -30,6 +30,8 @@ Patch0003: 0003-libselinux-restorecon-Include-selinux-label.h.patch Patch0004: 0004-libselinux-Fix-integer-comparison-issues-when-compil.patch Patch0005: 0005-libselinux-deprecate-security_disable-3.patch Patch0006: 0006-libselinux-fix-swig-bindings-for-4.3.0.patch +Patch0007: 0007-libselinux-setexecfilecon-Remove-useless-rc-check.patch +Patch0008: 0008-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch # Patch list end BuildRequires: gcc make BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel @@ -229,12 +231,20 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %changelog ## START: Generated by rpmautospec -* Tue Oct 29 2024 Troy Dawson - 3.7-7 -- Bump release for October 2024 mass rebuild: +* Tue Nov 12 2024 Vit Mojzis - 3.7-5 +- setexecfilecon: Remove useless rc check (RHEL-35586) +- matchpathcon: RESOURCE_LEAK: Variable "con" (RHEL-35584) -* Fri Oct 25 2024 MSVSphere Packaging Team - 3.7-3 +* Tue Oct 29 2024 Troy Dawson - 3.7-4 +- Bump release for October 2024 mass rebuild (RHEL-64018) + +* Fri Oct 25 2024 MSVSphere Packaging Team - 3.7-3.1 - Rebuilt for MSVSphere 10 +* Thu Oct 17 2024 Petr Lautrbach - 3.7-3.1 +- fix swig bindings for 4.3.0 +- deprecate security_disable(3) + * Fri Aug 09 2024 Vit Mojzis - 3.7-3 - restorecon: Include (RHEL-53852) - Fix integer comparison issues when compiling for 32-bit