- Issued:
- 2011-05-19
- Updated:
- 2011-05-19
RHBA-2011:0751 - libselinux bug fix update
Synopsis
libselinux bug fix update
Type/Severity
Bug Fix Advisory (none)
Topic
Updated libselinux packages that fix various bugs are now available.
Description
libselinux is the core library of an SELinux system. It provides an API for SELinux applications to get and set process and file security contexts and to obtain security policy decisions. It is required for any applications that use the SELinux API and used by all applications that are SELinux-aware.
These updated packages contain fixes for the following bugs:
-
libselinux used __thread variables to store malloc() data in order to minimize computation. Destructors cannot be associated with __thread variables, so malloc() data stored in a __thread void* variable could potentially cause memory leaks upon thread exit. For example, repeatedly starting and stopping domains with libvirt could trigger out-of-memory exceptions, since libvirt starts one thread per domain, and each thread uses libselinux calls such as fgetfilecon. libselinux has been updated to be thread-safe, preventing these potential memory leaks. (BZ#658571)
-
An update to libselinux added global destructors, which deleted thread-specific keys without checking that they had been initialized. Since the keys were not always initialized with the pthread_key_create() method and their default value was 0, it was possible that key 0 would be removed by these destructors. This resulted in segmentation faults in programs using active threads whose keys were removed, specifically in OpenJDK. Keys now receive a default value of -1, protecting uninitialized keys from attempts by global destructor to delete them. Note that this issue was discovered and corrected during development, and was not seen in production systems in the field. (BZ#693600)
-
An update to libselinux caused a segmentation fault to appear in the multi-threaded pam_chauthtok() test program. If a shared library attempted to call pthread_key_create(), the associated destructors were registered with that library. The segmentation fault occurred when pthread_key_delete() was called, if that library was dereferenced with dlclose() before the destructors were removed with pthread_key_delete(). This issue has now been corrected. Note: this issue was discovered and corrected during development, and was not seen in production systems in the field. (BZ#680887)
All users of libselinux are advised to upgrade to these updated packages, which resolve these issues.
Solution
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- libselinux-utils-2.0.94-5.el6.i686.rpm
- libselinux-debuginfo-2.0.94-5.el6.s390.rpm
- libselinux-2.0.94-5.el6.s390x.rpm
- libselinux-ruby-2.0.94-5.el6.ppc64.rpm
- libselinux-2.0.94-5.el6.i686.rpm
- libselinux-utils-2.0.94-5.el6.s390x.rpm
- libselinux-static-2.0.94-5.el6.x86_64.rpm
- libselinux-2.0.94-5.el6.x86_64.rpm
- libselinux-devel-2.0.94-5.el6.x86_64.rpm
- libselinux-devel-2.0.94-5.el6.ppc.rpm
- libselinux-utils-2.0.94-5.el6.x86_64.rpm
- libselinux-ruby-2.0.94-5.el6.i686.rpm
- libselinux-2.0.94-5.el6.ppc64.rpm
- libselinux-utils-2.0.94-5.el6.ppc64.rpm
- libselinux-debuginfo-2.0.94-5.el6.s390x.rpm
- libselinux-devel-2.0.94-5.el6.i686.rpm
- libselinux-debuginfo-2.0.94-5.el6.ppc64.rpm
- libselinux-ruby-2.0.94-5.el6.x86_64.rpm
- libselinux-2.0.94-5.el6.ppc.rpm
- libselinux-debuginfo-2.0.94-5.el6.ppc.rpm
- libselinux-2.0.94-5.el6.src.rpm
- libselinux-python-2.0.94-5.el6.ppc64.rpm
- libselinux-ruby-2.0.94-5.el6.s390x.rpm
- libselinux-devel-2.0.94-5.el6.s390x.rpm
- libselinux-devel-2.0.94-5.el6.ppc64.rpm
- libselinux-debuginfo-2.0.94-5.el6.i686.rpm
- libselinux-static-2.0.94-5.el6.ppc64.rpm
- libselinux-static-2.0.94-5.el6.i686.rpm
- libselinux-python-2.0.94-5.el6.i686.rpm
- libselinux-devel-2.0.94-5.el6.s390.rpm
- libselinux-debuginfo-2.0.94-5.el6.x86_64.rpm
- libselinux-static-2.0.94-5.el6.s390x.rpm
- libselinux-python-2.0.94-5.el6.x86_64.rpm
- libselinux-2.0.94-5.el6.s390.rpm
- libselinux-python-2.0.94-5.el6.s390x.rpm
Fixes
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.