import libsepol-3.7-4.el10

SOURCES/0002-libsepol-cil-Check-that-sym_index-is-within-bounds.patch

@@ -0,0 +1,40 @@
+From d045edd5298a75284ce1cc289d039cce8b7a24ae Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 23 Jul 2024 16:41:57 +0200
+Subject: [PATCH] libsepol/cil: Check that sym_index is within bounds
+
+Make sure sym_index is within the bounds of symtab array before using it
+to index the array.
+
+Fixes:
+  Error: OVERRUN (CWE-119):
+  libsepol-3.6/cil/src/cil_resolve_ast.c:3157: assignment: Assigning: "sym_index" = "CIL_SYM_UNKNOWN".
+  libsepol-3.6/cil/src/cil_resolve_ast.c:3189: overrun-call: Overrunning callee's array of size 19 by passing argument "sym_index" (which evaluates to 20) in call to "cil_resolve_name".
+  \# 3187|                   switch (curr->flavor) {
+  \# 3188|                   case CIL_STRING:
+  \# 3189|->                         rc = cil_resolve_name(parent, curr->data, sym_index, db, &res_datum);
+  \# 3190|                           if (rc != SEPOL_OK) {
+  \# 3191|                                   goto exit;
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_resolve_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 427a320c..da8863c4 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -4291,7 +4291,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
+ 	int rc = SEPOL_ERR;
+ 	struct cil_tree_node *node = NULL;
+ 
+-	if (name == NULL) {
++	if (name == NULL || sym_index >= CIL_SYM_NUM) {
+ 		cil_log(CIL_ERR, "Invalid call to cil_resolve_name\n");
+ 		goto exit;
+ 	}
+-- 
+2.47.0
+

SOURCES/0003-libsepol-cil-Initialize-avtab_datum-on-declaration.patch

@@ -0,0 +1,81 @@
+From b332edfc248f7c5bcf651be033e2f06aa5959776 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:15 +0200
+Subject: [PATCH] libsepol/cil: Initialize avtab_datum on declaration
+
+avtab_datum.xperms was not always initialized before being used.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:977:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1059:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1057|   			}
+ \# 1058|   		}
+ \# 1059|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1060|   	}
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:1348:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1384:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1382|   	} else {
+ \# 1383|   		avtab_datum.data = data;
+ \# 1384|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1385|   	}
+ \# 1386|
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index c8144a5a..66c461eb 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -974,7 +974,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ {
+ 	int rc = SEPOL_OK;
+ 	avtab_key_t avtab_key;
+-	avtab_datum_t avtab_datum;
++	avtab_datum_t avtab_datum = { .data = res, .xperms = NULL };
+ 	avtab_ptr_t existing;	
+ 
+ 	avtab_key.source_type = src;
+@@ -996,8 +996,6 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ 		goto exit;
+ 	}
+ 
+-	avtab_datum.data = res;
+-	
+ 	existing = avtab_search_node(&pdb->te_avtab, &avtab_key);
+ 	if (existing) {
+ 		/* Don't add duplicate type rule and warn if they conflict.
+@@ -1345,7 +1343,7 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ {
+ 	int rc = SEPOL_OK;
+ 	avtab_key_t avtab_key;
+-	avtab_datum_t avtab_datum;
++	avtab_datum_t avtab_datum = { .data = data, .xperms = NULL };
+ 	avtab_datum_t *avtab_dup = NULL;
+ 
+ 	avtab_key.source_type = src;
+@@ -1371,7 +1369,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ 	if (!cond_node) {
+ 		avtab_dup = avtab_search(&pdb->te_avtab, &avtab_key);
+ 		if (!avtab_dup) {
+-			avtab_datum.data = data;
+ 			rc = avtab_insert(&pdb->te_avtab, &avtab_key, &avtab_datum);
+ 		} else {
+ 			if (kind == CIL_AVRULE_DONTAUDIT)
+@@ -1380,7 +1377,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ 				avtab_dup->data |= data;
+ 		}
+ 	} else {
+-		avtab_datum.data = data;
+ 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ 	}
+ 
+-- 
+2.47.0
+

SOURCES/0004-libsepol-mls-Do-not-destroy-context-on-memory-error.patch

@@ -0,0 +1,74 @@
+From a67e7419e09e8954dd8d96baaab9ee663a00990c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:16 +0200
+Subject: [PATCH] libsepol/mls: Do not destroy context on memory error
+
+In case of malloc error, ctx1, or ctx2 may be pointing to uninitialized
+space and context_destroy should not be used on it.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:673:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:673:2: assign: Assigning: "ctx1" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:699:2: uninit_use_in_call: Using uninitialized value "ctx1->range.level[0].cat.node" when calling "context_destroy".
+ \#  697|   	ERR(handle, "could not check if mls context %s contains %s",
+ \#  698|   	    mls1, mls2);
+ \#  699|-> 	context_destroy(ctx1);
+ \#  700|   	context_destroy(ctx2);
+ \#  701|   	free(ctx1);
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:674:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:674:2: assign: Assigning: "ctx2" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:700:2: uninit_use_in_call: Using uninitialized value "ctx2->range.level[0].cat.node" when calling "context_destroy".
+ \#  698|   	    mls1, mls2);
+ \#  699|   	context_destroy(ctx1);
+ \#  700|-> 	context_destroy(ctx2);
+ \#  701|   	free(ctx1);
+ \#  702|   	free(ctx2);
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/mls.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
+index 45db8920..a37405d1 100644
+--- a/libsepol/src/mls.c
++++ b/libsepol/src/mls.c
+@@ -672,8 +672,10 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ 	context_struct_t *ctx1 = NULL, *ctx2 = NULL;
+ 	ctx1 = malloc(sizeof(context_struct_t));
+ 	ctx2 = malloc(sizeof(context_struct_t));
+-	if (ctx1 == NULL || ctx2 == NULL)
++	if (ctx1 == NULL || ctx2 == NULL){
++		ERR(handle, "out of memory");
+ 		goto omem;
++	}
+ 	context_init(ctx1);
+ 	context_init(ctx2);
+ 
+@@ -690,16 +692,14 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ 	free(ctx2);
+ 	return STATUS_SUCCESS;
+ 
+-      omem:
+-	ERR(handle, "out of memory");
+-
+       err:
+-	ERR(handle, "could not check if mls context %s contains %s",
+-	    mls1, mls2);
+ 	context_destroy(ctx1);
+ 	context_destroy(ctx2);
++      omem:
+ 	free(ctx1);
+ 	free(ctx2);
++	ERR(handle, "could not check if mls context %s contains %s",
++	    mls1, mls2);
+ 	return STATUS_ERR;
+ }
+ 
+-- 
+2.47.0
+

SOURCES/0005-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch

@@ -0,0 +1,40 @@
+From 77e225361129f02d379e930859406a61420836d7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:17 +0200
+Subject: [PATCH] libsepol/cil/cil_post: Initialize tmp on declaration
+
+tmp.node was not always initialized before being used by
+ebitmap_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_post.c:1309:2: var_decl: Declaring variable "tmp" without initializer.
+libsepol-3.7/cil/src/cil_post.c:1382:6: uninit_use_in_call: Using uninitialized value "tmp.node" when calling "ebitmap_destroy".
+ \# 1380|   				if (rc != SEPOL_OK) {
+ \# 1381|   					cil_log(CIL_INFO, "Failed to apply operator to bitmaps\n");
+ \# 1382|-> 					ebitmap_destroy(&tmp);
+ \# 1383|   					goto exit;
+ \# 1384|   				}
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_post.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index ac99997f..d63a5496 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -1315,6 +1315,8 @@ static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t *out, int max,
+ 	curr = expr->head;
+ 	flavor = expr->flavor;
+ 
++	ebitmap_init(&tmp);
++
+ 	if (curr->flavor == CIL_OP) {
+ 		enum cil_flavor op = (enum cil_flavor)(uintptr_t)curr->data;
+ 
+-- 
+2.47.0
+

SOURCES/0006-libsepol-Initialize-strs-on-declaration.patch

@@ -0,0 +1,63 @@
+From 49926e313ca995ae72d5b6bd82f3f5bbbe5ba0df Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:18 +0200
+Subject: [PATCH] libsepol: Initialize "strs" on declaration
+
+The value of "strs" was not always initialized before being used by
+strs_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_cil.c:1439:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_cil.c:1487:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1485|
+ \# 1486|   exit:
+ \# 1487|-> 	strs_destroy(&strs);
+ \# 1488|
+ \# 1489|   	if (rc != 0) {
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_conf.c:1422:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_conf.c:1461:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1459|
+ \# 1460|   exit:
+ \# 1461|-> 	strs_destroy(&strs);
+ \# 1462|
+ \# 1463|   	if (rc != 0) {
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/kernel_to_cil.c  | 2 +-
+ libsepol/src/kernel_to_conf.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index f94cb245..9c2690be 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -1436,7 +1436,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_cil(FILE *out, struct policydb *pdb)
+ {
+ 	type_datum_t *alias;
+-	struct strs *strs;
++	struct strs *strs = NULL;
+ 	char *name;
+ 	char *type;
+ 	unsigned i, num = 0;
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index ca91ffae..661546af 100644
+--- a/libsepol/src/kernel_to_conf.c
++++ b/libsepol/src/kernel_to_conf.c
+@@ -1419,7 +1419,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_conf(FILE *out, struct policydb *pdb)
+ {
+ 	type_datum_t *alias;
+-	struct strs *strs;
++	struct strs *strs = NULL;
+ 	char *name;
+ 	char *type;
+ 	unsigned i, num = 0;
+-- 
+2.47.0
+

SPECS/libsepol.spec

@@ -6,7 +6,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
 Version: 3.7
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPL-2.1-or-later
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/libsepol-3.7.tar.gz
 Source1: https://github.com/SELinuxProject/selinux/releases/download/3.7/libsepol-3.7.tar.gz.asc
@@ -18,6 +18,11 @@ URL: https://github.com/SELinuxProject/selinux/wiki
 # $ i=1; for j in 0*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
+Patch0002: 0002-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
+Patch0003: 0003-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
+Patch0004: 0004-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
+Patch0005: 0005-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
+Patch0006: 0006-libsepol-Initialize-strs-on-declaration.patch
 # Patch list end
 BuildRequires: make
 BuildRequires: gcc
@@ -117,15 +122,21 @@ rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 
 %changelog
 ## START: Generated by rpmautospec
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.7-5
+* Tue Nov 12 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-4
-- Bump release for October 2024 mass rebuild:
+- cil: Check that sym_index is within bounds (RHEL-34823)
+- cil: Initialize avtab_datum on declaration (RHEL-34810)
+- mls: Do not destroy context on memory error (RHEL-34810)
+- cil/cil_post: Initialize tmp on declaration (RHEL-34810)
+- Initialize "strs" on declaration (RHEL-34810)
 
-* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 3.7-4
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.7-3
+- Bump release for October 2024 mass rebuild (RHEL-64018)
+
+* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 3.7-2 
 - Rebuilt for MSVSphere 10
 
-* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-4
+* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-2 
-- libsepol-3.7-2
+- sepol_compute_sid: Do not destroy uninitialized context (RHEL-34808)
-- sepol_compute_sid: Do not destroy uninitialized context
 
 * Thu Jun 27 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-1
 - SELinux userspace 3.7 release