1.137. libselinux

Updated libselinux packages that fix various bugs are now available.
libselinux is the core library of an SELinux system. It provides an API for SELinux applications to get and set process and file security contexts and to obtain security policy decisions. It is required for any applications that use the SELinux API and used by all applications that are SELinux-aware.
Bug Fixes
libselinux used __thread variables to store malloc() data in order to minimize computation. Destructors cannot be associated with __thread variables, so malloc() data stored in a __thread void* variable could potentially cause memory leaks upon thread exit. For example, repeatedly starting and stopping domains with libvirt could trigger out-of-memory exceptions, since libvirt starts one thread per domain, and each thread uses libselinux calls such as fgetfilecon. libselinux has been updated to be thread-safe, preventing these potential memory leaks.
An update to libselinux added global destructors, which deleted thread-specific keys without checking that they had been initialized. Since the keys were not always initialized with the pthread_key_create() method and their default value was 0, it was possible that key 0 would be removed by these destructors. This resulted in segmentation faults in programs using active threads whose keys were removed, specifically in OpenJDK. Keys now receive a default value of -1, protecting uninitialized keys from attempts by global destructor to delete them. Note that this issue was discovered and corrected during development, and was not seen in production systems in the field.
An update to libselinux caused a segmentation fault to appear in the multi-threaded pam_chauthtok() test program. If a shared library attempted to call pthread_key_create(), the associated destructors were registered with that library. The segmentation fault occurred when pthread_key_delete() was called, if that library was dereferenced with dlclose() before the destructors were removed with pthread_key_delete(). This issue has now been corrected. Note: this issue was discovered and corrected during development, and was not seen in production systems in the field.
All users of libselinux are advised to upgrade to these updated packages, which resolve these issues.