ALAS2022-2022-208

Amazon Linux 2022 Security Advisory: ALAS-2022-208
Advisory Release Date: 2022-11-04 22:30 Pacific
Advisory Updated Date: 2023-01-24 21:37 Pacific
Severity: Medium
Issue Overview:

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper). (CVE-2021-36084)

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map). (CVE-2021-36085)

The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list). (CVE-2021-36086)

The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block. (CVE-2021-36087)


Affected Packages:

libsepol


Issue Correction:
Run dnf update libsepol to update your system.

New Packages:
aarch64:
    libsepol-static-3.4-3.amzn2022.0.2.aarch64
    libsepol-3.4-3.amzn2022.0.2.aarch64
    libsepol-utils-debuginfo-3.4-3.amzn2022.0.2.aarch64
    libsepol-utils-3.4-3.amzn2022.0.2.aarch64
    libsepol-devel-3.4-3.amzn2022.0.2.aarch64
    libsepol-debuginfo-3.4-3.amzn2022.0.2.aarch64
    libsepol-debugsource-3.4-3.amzn2022.0.2.aarch64

src:
    libsepol-3.4-3.amzn2022.0.2.src

x86_64:
    libsepol-static-3.4-3.amzn2022.0.2.x86_64
    libsepol-utils-debuginfo-3.4-3.amzn2022.0.2.x86_64
    libsepol-utils-3.4-3.amzn2022.0.2.x86_64
    libsepol-debugsource-3.4-3.amzn2022.0.2.x86_64
    libsepol-devel-3.4-3.amzn2022.0.2.x86_64
    libsepol-debuginfo-3.4-3.amzn2022.0.2.x86_64
    libsepol-3.4-3.amzn2022.0.2.x86_64

Additional References

Red Hat: CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087

Mitre: CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087