From be175c33f3009a8d73647debb1a693842e0cd26d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 29 Sep 2021 20:13:44 +0200
Subject: [PATCH] SELinux userspace 3.3-rc2 release
---
 .gitignore | 1 +
 ...OURCE_LEAK-and-USE_AFTER_FREE-coveri.patch | 2 +-
 ...ans-silence-Wextra-semi-stmt-warning.patch | 52 ---------------
 ...mcstrans-Fix-USER_AFTER_FREE-problem.patch | 2 +-
 ...ns-Do-not-accept-incomplete-contexts.patch | 2 +-
 0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch | 63 +++++++++++++++++++
 mcstrans.spec | 21 ++++---
 sources | 2 +-
 8 files changed, 80 insertions(+), 65 deletions(-)
 rename 0002-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch => 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch (98%)
 delete mode 100644 0001-mcstrans-silence-Wextra-semi-stmt-warning.patch
 rename 0003-mcstrans-Fix-USER_AFTER_FREE-problem.patch => 0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch (91%)
 rename 0004-mcstrans-Do-not-accept-incomplete-contexts.patch => 0003-mcstrans-Do-not-accept-incomplete-contexts.patch (97%)
 create mode 100644 0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch
diff --git a/.gitignore b/.gitignore
index 08a862c..3c2a72c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@ mcstrans-0.3.1.tgz
 /mcstrans-3.2-rc1.tar.gz
 /mcstrans-3.2-rc2.tar.gz
 /mcstrans-3.2.tar.gz
+/mcstrans-3.3-rc2.tar.gz
diff --git a/0002-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch b/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
similarity index 98%
rename from 0002-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
rename to 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
index c839b53..632e628 100644
--- a/0002-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
+++ b/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
@@ -1,4 +1,4 @@
-From e2287da319948bb985f7b776d7bdb1d9b8c8e353 Mon Sep 17 00:00:00 2001
+From 58a11e55120de4700d4e874dee0d8c36d13caedd Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Wed, 28 Nov 2018 18:28:05 +0100
 Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan
diff --git a/0001-mcstrans-silence-Wextra-semi-stmt-warning.patch b/0001-mcstrans-silence-Wextra-semi-stmt-warning.patch
deleted file mode 100644
index 3e4df74..0000000
--- a/0001-mcstrans-silence-Wextra-semi-stmt-warning.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From e293718f0edf553593b2f0687ea9c1294199f764 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Sat, 3 Jul 2021 16:31:22 +0200
-Subject: [PATCH] mcstrans: silence -Wextra-semi-stmt warning
-
-On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
-(which is not the default build configuration), the compiler reports:
-
- mcstransd.c:72:35: error: empty expression statement has no effect;
- remove unnecessary ';' to silence this warning
- [-Werror,-Wextra-semi-stmt]
- log_debug("%s\n", "cleanup_exit");
- ^
-
-Replace the empty log_debug substitution with a do { ... } while (0)
-construction to silence this warning.
-
-Signed-off-by: Nicolas Iooss
----
- mcstrans/src/mcstrans.c | 2 +-
- mcstrans/src/mcstransd.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
-index c0fc14e40d2f..e92dfddb0d20 100644
---- a/mcstrans/src/mcstrans.c
-+++ b/mcstrans/src/mcstrans.c
-@@ -43,7 +43,7 @@
- #ifdef DEBUG
- #define log_debug(fmt, ...) fprintf(stderr, fmt, __VA_ARGS__)
- #else
--#define log_debug(fmt, ...) ;
-+#define log_debug(fmt, ...) do {} while (0)
- #endif
-
- static unsigned int maxbit=0;
-diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c
-index 07c052fd4998..59c152e73be1 100644
---- a/mcstrans/src/mcstransd.c
-+++ b/mcstrans/src/mcstransd.c
-@@ -40,7 +40,7 @@
- //#define log_debug(fmt, ...) syslog(LOG_DEBUG, fmt, __VA_ARGS__)
- #define log_debug(fmt, ...) fprintf(stderr, fmt, __VA_ARGS__)
- #else
--#define log_debug(fmt, ...) ;
-+#define log_debug(fmt, ...) do {} while (0)
- #endif
-
- extern int init_translations(void);
---
-2.32.0
-
diff --git a/0003-mcstrans-Fix-USER_AFTER_FREE-problem.patch b/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
similarity index 91%
rename from 0003-mcstrans-Fix-USER_AFTER_FREE-problem.patch
rename to 0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
index 4065974..5ec7917 100644
--- a/0003-mcstrans-Fix-USER_AFTER_FREE-problem.patch
+++ b/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
@@ -1,4 +1,4 @@
-From 34a28d3bd6a491bffc91957b3f75c8dbf04b5e89 Mon Sep 17 00:00:00 2001
+From 7a170534163ab9d9159dddfadb996587d98fe30e Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Thu, 9 May 2019 16:44:43 +0200
 Subject: [PATCH] mcstrans: Fix USER_AFTER_FREE problem
diff --git a/0004-mcstrans-Do-not-accept-incomplete-contexts.patch b/0003-mcstrans-Do-not-accept-incomplete-contexts.patch
similarity index 97%
rename from 0004-mcstrans-Do-not-accept-incomplete-contexts.patch
rename to 0003-mcstrans-Do-not-accept-incomplete-contexts.patch
index 405a348..d86d83c 100644
--- a/0004-mcstrans-Do-not-accept-incomplete-contexts.patch
+++ b/0003-mcstrans-Do-not-accept-incomplete-contexts.patch
@@ -1,4 +1,4 @@
-From ca921fdca835cf24969c656a18180112ff81bf18 Mon Sep 17 00:00:00 2001
+From a6e2b2287254b2880e8697707f10bd303ffcc06a Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Mon, 15 Apr 2019 15:22:51 +0200
 Subject: [PATCH] mcstrans: Do not accept incomplete contexts
diff --git a/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch b/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch
new file mode 100644
index 0000000..59a0918
--- /dev/null
+++ b/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch
@@ -0,0 +1,63 @@
+From a98f2f8f2f1c14646ec9c80faecf14e9bf4bbd2c Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 5 Aug 2021 16:26:44 +0200
+Subject: [PATCH] mcstrans: fix RESOURCE_LEAK (CWE-772)
+
+Fixes:
+ Error: RESOURCE_LEAK (CWE-772): [#def1]
+ mcstrans-3.2/src/mcstrans.c:1527: alloc_fn: Storage is returned from allocation function "compute_trans_from_raw".
+ mcstrans-3.2/src/mcstrans.c:1527: var_assign: Assigning: "trans" = storage returned from "compute_trans_from_raw(range, domain)".
+ mcstrans-3.2/src/mcstrans.c:1529: noescape: Resource "trans" is not freed or pointed-to in "add_cache".
+ mcstrans-3.2/src/mcstrans.c:1515: overwrite_var: Overwriting "trans" in "trans = find_in_hashtable(range, domain, domain->raw_to_trans)" leaks the storage that "trans" points to.
+ # 1513| domain_t *domain = domains;
+ # 1514| for (;domain; domain = domain->next) {
+ # 1515|-> trans = find_in_hashtable(range, domain, domain->raw_to_trans);
+ # 1516| if (trans) break;
+ # 1517|
+
+ Error: RESOURCE_LEAK (CWE-772): [#def2]
+ mcstrans-3.2/src/mcstrans.c:1654: alloc_fn: Storage is returned from allocation function "compute_raw_from_trans".
+ mcstrans-3.2/src/mcstrans.c:1654: var_assign: Assigning: "raw" = storage returned from "compute_raw_from_trans(range, domain)".
+ mcstrans-3.2/src/mcstrans.c:1656: noescape: Resource "raw" is not freed or pointed-to in "find_in_hashtable".
+ mcstrans-3.2/src/mcstrans.c:1669: noescape: Resource "raw" is not freed or pointed-to in "add_cache".
+ mcstrans-3.2/src/mcstrans.c:1642: overwrite_var: Overwriting "raw" in "raw = find_in_hashtable(range, domain, domain->trans_to_raw)" leaks the storage that "raw" points to.
+ # 1640| domain_t *domain = domains;
+ # 1641| for (;domain; domain = domain->next) {
+ # 1642|-> raw = find_in_hashtable(range, domain, domain->trans_to_raw);
+ # 1643| if (raw) break;
+ # 1644|
+
+Signed-off-by: Petr Lautrbach
+---
+ mcstrans/src/mcstrans.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index 8678418a1570..4e110e02f73a 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -1598,6 +1598,10 @@ trans_context(const char *incon, char **rcon) {
+ }
+ if (dashp)
+ *dashp = '-';
++ if (trans) {
++ free(trans);
++ trans = NULL;
++ }
+ }
+
+ if (trans) {
+@@ -1769,6 +1773,10 @@ untrans_context(const char *incon, char **rcon) {
+ }
+ if (dashp)
+ *dashp = '-';
++ if (raw) {
++ free(raw);
++ raw = NULL;
++ }
+ }
+
+ if (raw) {
+--
+2.32.0
+
diff --git a/mcstrans.spec b/mcstrans.spec
index 89f8b8a..3b4cc67 100644
--- a/mcstrans.spec
+++ b/mcstrans.spec
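Review bot: In the embedded 0004 patch, the cleanup added at the bottom of the domain loop in trans_context (`free(trans); trans = NULL;`, and the same for `raw` in untrans_context) seems to run on every iteration that does not `break`, which would include one where compute_trans_from_raw has just produced and cached a result. If so, the `if (trans) {` after the loop sees NULL and the first lookup of an uncached range may return no translation; both function bodies start and end outside the hunks, so this needs checking against the full loop. The Coverity trace only reports the leak at the overwrite on line 1515, so freeing there instead, `free(trans); trans = find_in_hashtable(range, domain, domain->raw_to_trans);`, would close it without discarding the value, assuming `trans` is NULL on entry. A test that translates the same uncached range twice and compares the two results would confirm which behaviour the daemon has.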
@@ -1,18 +1,18 @@ Summary: SELinux Translation Daemon Name: mcstrans -Version: 3.2 -Release: 3%{?dist} +Version: 3.3 +Release: 0.rc2.1%{?dist} License: GPL+ Url: https://github.com/SELinuxProject/selinux/wiki -Source: https://github.com/SELinuxProject/selinux/releases/download/3.2/mcstrans-3.2.tar.gz +Source: https://github.com/SELinuxProject/selinux/releases/download/3.3-rc2/mcstrans-3.3-rc2.tar.gz Source2: secolor.conf.8 -# fedora-selinux/selinux: git format-patch -N 3.2 -- mcstrans +# fedora-selinux/selinux: git format-patch -N 3.3-rc2 -- mcstrans # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # Patch list start -Patch0001: 0001-mcstrans-silence-Wextra-semi-stmt-warning.patch -Patch0002: 0002-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch -Patch0003: 0003-mcstrans-Fix-USER_AFTER_FREE-problem.patch -Patch0004: 0004-mcstrans-Do-not-accept-incomplete-contexts.patch +Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch +Patch0002: 0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch +Patch0003: 0003-mcstrans-Do-not-accept-incomplete-contexts.patch +Patch0004: 0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch # Patch list end BuildRequires: gcc BuildRequires: make @@ -39,7 +39,7 @@ mcstrans provides an translation daemon to translate SELinux categories from internal representations to user defined representation. %prep -%autosetup -p 2 -n mcstrans-%{version} +%autosetup -p 2 -n mcstrans-%{version}-rc2 %build %set_build_flags @@ -95,6 +95,9 @@ install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ %{_usr}/share/mcstrans/util/* %changelog +* Wed Sep 29 2021 Petr Lautrbach - 3.3-0.rc2.1 +- SELinux userspace 3.3-rc2 release + * Wed Jul 28 2021 Petr Lautrbach - 3.2-3 - Rebase on upstream commit 32611aea6543 diff --git a/sources b/sources index 275f4f0..ba6d43f 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (mcstrans-3.2.tar.gz) = edc7d4c255056d823c67d69d0c0bb49e8da8cf1b69d94b65e1c2cb5f4944dcc0bd26ed795d76cbe310d9c98b98ca69a49eb7e39ed4cd7df3f6ed8bd1b68da6b1
+SHA512 (mcstrans-3.3-rc2.tar.gz) = 22e0277bb76411128e67a670c7e494c4434a154cfd9d726cc02f35c6cbe07bd1f956395564ef530b3299c9bfcc97d2932fac3f683321a38b77caf4aed80ed093