2 files changed, 39 insertions, 0 deletions
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch
new file mode 100644
index 0000000..4bd05eb
--- /dev/null
+++ b/recipes-security/selinux/libsepol/CVE-2021-36085.patch
@@ -0,0 +1,38 @@
+From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:04 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
+Map perms share the same struct as regular perms, but only the
+map perms use the classperms field. This field is a pointer to a
+list of classperms that is created and added to when resolving
+classmapping rules, so the map permission doesn't own any of the
+data in the list and this list should be destroyed when the AST is
+reset.
+When resetting a perm, destroy the classperms list without destroying
+the data in the list.
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2021-36085
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
+++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c
+ 
+ static void cil_reset_perm(struct cil_perm *perm)
+ {
+-       cil_reset_classperms_list(perm->classperms);
+       cil_list_destroy(&perm->classperms, CIL_FALSE);
+ }
+ 
+ static inline void cil_reset_classperms(struct cil_classperms *cp)
diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb
index 537377b..b7a7071 100644
--- a/recipes-security/selinux/libsepol_3.0.bb
+++ b/recipes-security/selinux/libsepol_3.0.bb
@@ -10,4 +10,5 @@ SRC_URI += "\
        file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \
        file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \
        file://CVE-2021-36084.patch \
+        file://CVE-2021-36085.patch \
        "

diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch new file mode 100644 index 0000000..4bd05eb --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36085.patch
@@ -0,0 +1,38 @@
		1	From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
		2	From: James Carter <jwcart2@gmail.com>
		3	Date: Thu, 8 Apr 2021 13:32:04 -0400
		4	Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
		5
		6	Map perms share the same struct as regular perms, but only the
		7	map perms use the classperms field. This field is a pointer to a
		8	list of classperms that is created and added to when resolving
		9	classmapping rules, so the map permission doesn't own any of the
		10	data in the list and this list should be destroyed when the AST is
		11	reset.
		12
		13	When resetting a perm, destroy the classperms list without destroying
		14	the data in the list.
		15
		16	Signed-off-by: James Carter <jwcart2@gmail.com>
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2021-36085
		20	Signed-off-by: Armin Kuster <akuster@mvista.com>
		21
		22	---
		23	libsepol/cil/src/cil_reset_ast.c \| 2 +-
		24	1 file changed, 1 insertion(+), 1 deletion(-)
		25
		26	Index: libsepol-3.0/cil/src/cil_reset_ast.c
		27	===================================================================
		28	--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
		29	+++ libsepol-3.0/cil/src/cil_reset_ast.c
		30	@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c
		31
		32	static void cil_reset_perm(struct cil_perm *perm)
		33	{
		34	- cil_reset_classperms_list(perm->classperms);
		35	+ cil_list_destroy(&perm->classperms, CIL_FALSE);
		36	}
		37
		38	static inline void cil_reset_classperms(struct cil_classperms *cp)


diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb index 537377b..b7a7071 100644 --- a/recipes-security/selinux/libsepol_3.0.bb +++ b/recipes-security/selinux/libsepol_3.0.bb
@@ -10,4 +10,5 @@ SRC_URI += "\
10	file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \	10	file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \
11	file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \	11	file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \
12	file://CVE-2021-36084.patch \	12	file://CVE-2021-36084.patch \
		13	file://CVE-2021-36085.patch \
13	"	14	"