CVE-2021-36087 – libsepol: heap-based buffer overflow in ebitmap_match_any()
https://notcve.org/view.php?id=CVE-2021-36087
The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32675
• https://github.com/SELinuxProject/selinux/commit/340f0eb7f3673e8aacaf0a96cbfcd4d12a405521
• https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR
• https://lore.kernel.org/selinux/CAEN2sdqJKHvDzPnxS-J8grU8fSf32DDtx=kyh84OsCq_Vm+yaQ%40mail.gmail.com/T
• https://access.redhat.com/security/cve/CVE-2021-36087
• https:/
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-125: Out-of-bounds Read
CVE-2021-36086 – libsepol: use-after-free in cil_reset_classpermission()
https://notcve.org/view.php?id=CVE-2021-36086
The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177
• https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8
• https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaml
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR
• https://access.redhat.com/security/cve/CVE-2021-36086
• https://bugzilla.redhat.com/show_bug.cgi?id=1979666
• CWE-416: Use After Free
CVE-2021-36085 – libsepol: use-after-free in __cil_verify_classperms()
https://notcve.org/view.php?id=CVE-2021-36085
The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124
• https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba
• https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-421.yaml
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR
• https://access.redhat.com/security/cve/CVE-2021-36085
• https://bugzilla.redhat.com/show_bug.cgi?id=1979664
• CWE-416: Use After Free
CVE-2021-36084 – libsepol: use-after-free in __cil_verify_classperms()
https://notcve.org/view.php?id=CVE-2021-36084
The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065
• https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3
• https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR
• https://access.redhat.com/security/cve/CVE-2021-36084
• https://bugzilla.redhat.com/show_bug.cgi?id=1979662
• CWE-416: Use After Free
CVE-2018-1063 – policycoreutils: Relabelling of symbolic links in /tmp and /var/tmp change the context of their target instead
https://notcve.org/view.php?id=CVE-2018-1063
Context relabeling of filesystems is vulnerable to a symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enabled (permissive or enforcing). The issue was found in policycoreutils 2.5-11.
• https://access.redhat.com/errata/RHSA-2018:0913
• https://bugzilla.redhat.com/show_bug.cgi?id=1550122
• https://access.redhat.com/security/cve/CVE-2018-1063
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
• CWE-282: Improper Ownership Management