From ca4f3b5ba77866f41f38147778c912ab731d92db Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 9 Aug 2024 17:38:09 +0200
Subject: [PATCH] libsepol-3.7-2

- sepol_compute_sid: Do not destroy uninitialized context

Resolves: RHEL-34808
---
 ...ompute_sid-Do-not-destroy-uninitiali.patch | 51 +++++++++++++++++++
 libsepol.spec                                 |  6 ++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 0001-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch

diff --git a/0001-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch b/0001-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
new file mode 100644
index 0000000..6d5d41c
--- /dev/null
+++ b/0001-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
@@ -0,0 +1,51 @@
+From 453d54da10a96e1494ef8aea867f6c9eb8751677 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 19 Jul 2024 18:17:13 +0200
+Subject: [PATCH] libsepol/sepol_compute_sid: Do not destroy uninitialized
+ context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid context_destroy() on "newcontext" before context_init() is called.
+
+Fixes:
+  libsepol-3.6/src/services.c:1335: var_decl: Declaring variable "newcontext" without initializer.
+  libsepol-3.6/src/services.c:1462: uninit_use_in_call: Using uninitialized value "newcontext.range.level[0].cat.node" when calling "context_destroy".
+  \# 1460|   	rc = sepol_sidtab_context_to_sid(sidtab, &newcontext, out_sid);
+  \# 1461|         out:
+  \# 1462|-> 	context_destroy(&newcontext);
+  \# 1463|   	return rc;
+  \# 1464|   }
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Reviewed-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libsepol/src/services.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index 36e2368f..f3231f17 100644
+--- a/libsepol/src/services.c
++++ b/libsepol/src/services.c
+@@ -1362,14 +1362,12 @@ static int sepol_compute_sid(sepol_security_id_t ssid,
+ 	scontext = sepol_sidtab_search(sidtab, ssid);
+ 	if (!scontext) {
+ 		ERR(NULL, "unrecognized SID %d", ssid);
+-		rc = -EINVAL;
+-		goto out;
++		return -EINVAL;
+ 	}
+ 	tcontext = sepol_sidtab_search(sidtab, tsid);
+ 	if (!tcontext) {
+ 		ERR(NULL, "unrecognized SID %d", tsid);
+-		rc = -EINVAL;
+-		goto out;
++		return -EINVAL;
+ 	}
+ 
+ 	if (tclass && tclass <= policydb->p_classes.nprim)
+-- 
+2.45.2
+
diff --git a/libsepol.spec b/libsepol.spec
index 7fd4e49..471bbf1 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,7 +1,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
 Version: 3.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPL-2.1-or-later
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/libsepol-3.7.tar.gz
 Source1: https://github.com/SELinuxProject/selinux/releases/download/3.7/libsepol-3.7.tar.gz.asc
@@ -12,6 +12,7 @@ URL: https://github.com/SELinuxProject/selinux/wiki
 # $ git format-patch -N libsepol-3.7 -- libsepol
 # $ i=1; for j in 0*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
+Patch0001: 0001-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
 # Patch list end
 BuildRequires: make
 BuildRequires: gcc
@@ -110,4 +111,7 @@ rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 %{_mandir}/man8/chkcon.8.gz
 
 %changelog
+* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-2
+- sepol_compute_sid: Do not destroy uninitialized context (RHEL-34808)
+
 %autochangelog