From 9588e4620381763ef13772c7736e303f8999e5ff Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 13 Nov 2018 10:29:36 +0100 Subject: [PATCH] libselinux-2.8-5 - Fix RESOURCE_LEAK coverity scan defects --- libselinux-fedora.patch | 150 ++++++++++++++++++++++++++++++++++++++++ libselinux.spec | 9 ++- 2 files changed, 156 insertions(+), 3 deletions(-) diff --git a/libselinux-fedora.patch b/libselinux-fedora.patch index 0b22e7c..072e5c9 100644 --- a/libselinux-fedora.patch +++ b/libselinux-fedora.patch @@ -121,6 +121,22 @@ index ba4c9a2..c815872 100644 if (!selinux_mnt) { errno = ENOENT; return -1; +diff --git libselinux-2.8/src/checkAccess.c libselinux-2.8/src/checkAccess.c +index 8de5747..16bfcfb 100644 +--- libselinux-2.8/src/checkAccess.c ++++ libselinux-2.8/src/checkAccess.c +@@ -89,8 +89,10 @@ int selinux_check_passwd_access(access_vector_t requested) + int retval; + + passwd_class = string_to_security_class("passwd"); +- if (passwd_class == 0) ++ if (passwd_class == 0) { ++ freecon(user_context); + return 0; ++ } + + retval = security_compute_av_raw(user_context, + user_context, diff --git libselinux-2.8/src/check_context.c libselinux-2.8/src/check_context.c index 8a7997f..5be8434 100644 --- libselinux-2.8/src/check_context.c @@ -236,6 +252,63 @@ index 52707d0..0cbe12d 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; +diff --git libselinux-2.8/src/label_db.c libselinux-2.8/src/label_db.c +index c46d0a1..fa481e0 100644 +--- libselinux-2.8/src/label_db.c ++++ libselinux-2.8/src/label_db.c +@@ -283,10 +283,12 @@ db_init(const struct selinux_opt *opts, unsigned nopts, + } + if (fstat(fileno(filp), &sb) < 0) { + free(catalog); ++ fclose(filp); + return NULL; + } + if (!S_ISREG(sb.st_mode)) { + free(catalog); ++ fclose(filp); + errno = EINVAL; + return NULL; + } +@@ -340,6 +342,7 @@ out_error: + free(spec->lr.ctx_trans); + } + free(catalog); ++ fclose(filp); + + return NULL; + } +diff --git libselinux-2.8/src/label_file.c libselinux-2.8/src/label_file.c +index 560d8c3..21c8d36 100644 +--- libselinux-2.8/src/label_file.c ++++ libselinux-2.8/src/label_file.c +@@ -317,8 +317,10 @@ end_arch_check: + goto out; + } + rc = next_entry(str_buf, mmap_area, entry_len); +- if (rc < 0) ++ if (rc < 0) { ++ free(str_buf); + goto out; ++ } + + if (str_buf[entry_len - 1] != '\0') { + free(str_buf); +diff --git libselinux-2.8/src/load_policy.c libselinux-2.8/src/load_policy.c +index e9f1264..20052be 100644 +--- libselinux-2.8/src/load_policy.c ++++ libselinux-2.8/src/load_policy.c +@@ -262,8 +262,10 @@ checkbool: + rc = security_get_boolean_names(&names, &len); + if (!rc) { + values = malloc(sizeof(int) * len); +- if (!values) ++ if (!values) { ++ free(names); + goto unmap; ++ } + for (i = 0; i < len; i++) + values[i] = + security_get_boolean_active(names[i]); diff --git libselinux-2.8/src/lsetfilecon.c libselinux-2.8/src/lsetfilecon.c index 1d3b28a..ea6d70b 100644 --- libselinux-2.8/src/lsetfilecon.c @@ -256,6 +329,83 @@ index 1d3b28a..ea6d70b 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; +diff --git libselinux-2.8/src/selinux_config.c libselinux-2.8/src/selinux_config.c +index 292728f..b06cb63 100644 +--- libselinux-2.8/src/selinux_config.c ++++ libselinux-2.8/src/selinux_config.c +@@ -177,8 +177,7 @@ static void init_selinux_config(void) + + if (!strncasecmp(buf_p, SELINUXTYPETAG, + sizeof(SELINUXTYPETAG) - 1)) { +- selinux_policytype = type = +- strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); ++ type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); + if (!type) + return; + end = type + strlen(type) - 1; +@@ -187,6 +186,11 @@ static void init_selinux_config(void) + *end = 0; + end--; + } ++ if (setpolicytype(type) != 0) { ++ free(type); ++ return; ++ } ++ free(type); + continue; + } else if (!strncmp(buf_p, SETLOCALDEFS, + sizeof(SETLOCALDEFS) - 1)) { +@@ -212,13 +216,10 @@ static void init_selinux_config(void) + fclose(fp); + } + +- if (!type) { +- selinux_policytype = type = strdup(SELINUXDEFAULT); +- if (!type) +- return; +- } ++ if (!selinux_policytype && setpolicytype(SELINUXDEFAULT) != 0) ++ return; + +- if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, type) == -1) ++ if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, selinux_policytype) == -1) + return; + + for (i = 0; i < NEL; i++) +diff --git libselinux-2.8/src/selinux_restorecon.c libselinux-2.8/src/selinux_restorecon.c +index ced4115..8714a70 100644 +--- libselinux-2.8/src/selinux_restorecon.c ++++ libselinux-2.8/src/selinux_restorecon.c +@@ -350,12 +350,19 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + new_entry->next = NULL; + + new_entry->directory = strdup(directory); +- if (!new_entry->directory) ++ if (!new_entry->directory) { ++ free(new_entry); ++ free(sha1_buf); + goto oom; ++ } + + new_entry->digest = strdup(sha1_buf); +- if (!new_entry->digest) ++ if (!new_entry->digest) { ++ free(new_entry->directory); ++ free(new_entry); ++ free(sha1_buf); + goto oom; ++ } + + new_entry->result = digest_result; + +@@ -849,6 +856,7 @@ int selinux_restorecon(const char *pathname_orig, + + if (lstat(pathname, &sb) < 0) { + if (flags.ignore_noent && errno == ENOENT) { ++ free(xattr_value); + free(pathdnamer); + free(pathname); + return 0; diff --git libselinux-2.8/src/setfilecon.c libselinux-2.8/src/setfilecon.c index d05969c..3f0200e 100644 --- libselinux-2.8/src/setfilecon.c diff --git a/libselinux.spec b/libselinux.spec index 9a03a6e..a7980c8 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,10 +1,10 @@ %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 2.8-1 +%define libsepolver 2.8-3 Summary: SELinux library and simple utilities Name: libselinux Version: 2.8 -Release: 4%{?dist} +Release: 5%{?dist} License: Public Domain # https://github.com/SELinuxProject/selinux/wiki/Releases Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-2.8.tar.gz @@ -14,7 +14,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.8 ./make-fedora-selinux-patch.sh libselinux -# HEAD https://github.com/fedora-selinux/selinux/commit/db1433d3b785eadb4eecf5c82430d57c92855a35 +# HEAD https://github.com/fedora-selinux/selinux/commit/decd49caec76a87817686f84716503151cf2be5d Patch1: libselinux-fedora.patch BuildRequires: gcc BuildRequires: python2 python2-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel @@ -229,6 +229,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %{ruby_vendorarchdir}/selinux.so %changelog +* Tue Nov 13 2018 Petr Lautrbach - 2.8-5 +- Fix RESOURCE_LEAK coverity scan defects + * Tue Sep 4 2018 Petr Lautrbach - 2.8-4 - Fix the whatis line for the selinux_boolean_sub.3 manpage - Fix line wrapping in selabel_file.5