diff -Nru libsepol-3.0/debian/changelog libsepol-3.0/debian/changelog
--- libsepol-3.0/debian/changelog 2019-12-10 14:47:14.000000000 +0000
+++ libsepol-3.0/debian/changelog 2022-04-26 09:21:29.000000000 +0000
@@ -1,3 +1,29 @@
+libsepol (3.0-1ubuntu0.1) focal-security; urgency=medium
+
+ * SECURITY UPDATE: use-after-free in __cil_verify_classperms
+ - debian/patches/CVE-2021-36084.patch: alter destruction of
+ classperms list when resetting classpermission by avoiding
+ deleting the inner data in cil/src/cil_reset_ast.c
+ - CVE-2021-36084
+ * SECURITY UPDATE: use-after-free in __cil_verify_classperms
+ - debian/patches/CVE-2021-36085.patch: alter destruction of
+ classperms when resetting a perm by avoiding
+ deleting the inner data in cil/src/cil_reset_ast.c
+ - CVE-2021-36085
+ * SECURITY UPDATE: use-after-free in cil_reset_classpermission
+ - debian/patches/CVE-2021-36086.patch: prevent
+ cil_reset_classperms_set from resetting classpermission by
+ setting it to NULL in cil/src/cil_reset_ast.c
+ - CVE-2021-36086
+ * SECURITY UPDATE: heap-based buffer over-read in ebitmap_match_any
+ - debian/patches/CVE-2021-36087.patch: check if a tunable
+ declaration, in-statement, block, blockabstract, or macro definition
+ is found within an optional in cil/src/cil_build_ast.c and
+ cil/src/cil_resolve_ast.c
+ - CVE-2021-36087
+
+ -- David Fernandez Gonzalez Tue, 26 Apr 2022 11:21:29 +0200
+
 libsepol (3.0-1) unstable; urgency=medium
 
 * New upstream release
diff -Nru libsepol-3.0/debian/control libsepol-3.0/debian/control
--- libsepol-3.0/debian/control 2019-12-10 14:47:14.000000000 +0000
+++ libsepol-3.0/debian/control 2022-04-26 09:21:29.000000000 +0000
@@ -3,7 +3,8 @@
 VCS-Browser: https://salsa.debian.org/selinux-team/libsepol
 Priority: optional
 Section: libs
-Maintainer: Debian SELinux maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian SELinux maintainers
 Uploaders: Laurent Bigonville , Russell Coker
 Standards-Version: 4.4.1
 Build-Depends: debhelper (>= 12), file, flex
diff -Nru libsepol-3.0/debian/patches/CVE-2021-36084.patch libsepol-3.0/debian/patches/CVE-2021-36084.patch
--- libsepol-3.0/debian/patches/CVE-2021-36084.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsepol-3.0/debian/patches/CVE-2021-36084.patch 2022-04-26 09:15:01.000000000 +0000
@@ -0,0 +1,94 @@
+From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Thu, 8 Apr 2021 13:32:01 -0400
+Subject: [PATCH] cil: Destroy classperms list when resetting
+ classpermission
+
+Nicolas Iooss reports:
+ A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
+ got reported as
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
+ is misleading, or is caused by another issue that conflicts with the
+ one I report in this message). Here is a minimized CIL policy which
+ reproduces the issue:
+
+ (class CLASS (PERM))
+ (classorder (CLASS))
+ (sid SID)
+ (sidorder (SID))
+ (user USER)
+ (role ROLE)
+ (type TYPE)
+ (category CAT)
+ (categoryorder (CAT))
+ (sensitivity SENS)
+ (sensitivityorder (SENS))
+ (sensitivitycategory SENS (CAT))
+ (allow TYPE self (CLASS (PERM)))
+ (roletype ROLE TYPE)
+ (userrole USER ROLE)
+ (userlevel USER (SENS))
+ (userrange USER ((SENS)(SENS (CAT))))
+ (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+
+ (classpermission CLAPERM)
+
+ (optional OPT
+ (roletype nonexistingrole nonexistingtype)
+ (classpermissionset CLAPERM (CLASS (PERM)))
+ )
+
+ The CIL policy fuzzer (which mimics secilc built with clang Address
+ Sanitizer) reports:
+
+ ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
+ 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
+ 0x7ffe2a256588
+ READ of size 8 at 0x603000004f98 thread T0
+ #0 0x56445134c841 in __cil_verify_classperms
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
+ #1 0x56445134a43e in __cil_verify_classpermission
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
+ #2 0x56445134a43e in __cil_pre_verify_helper
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
+ #3 0x5644513225ac in cil_tree_walk_core
+ /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
+ #4 0x564451322ab1 in cil_tree_walk
+ /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+ #5 0x5644513226af in cil_tree_walk_core
+ /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
+ #6 0x564451322ab1 in cil_tree_walk
+ /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+ #7 0x5644512b88fd in cil_pre_verify
+ /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
+ #8 0x5644512b88fd in cil_post_process
+ /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
+ #9 0x5644511856ff in cil_compile
+ /selinux/libsepol/src/../cil/src/cil.c:564:7
+
+The classperms list of a classpermission rule is created and filled
+in when classpermissionset rules are processed, so it doesn't own any
+part of the list and shouldn't retain any of it when it is reset.
+
+Destroy the classperms list (without destroying the data in it) when
+resetting a classpermission rule.
+
+Reported-by: Nicolas Iooss
+Signed-off-by: James Carter
+---
+ cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
++++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
+ return;
+ }
+ 
+- cil_reset_classperms_list(cp->classperms);
++ cil_list_destroy(&cp->classperms, CIL_FALSE);
+ }
+ 
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
diff -Nru libsepol-3.0/debian/patches/CVE-2021-36085.patch libsepol-3.0/debian/patches/CVE-2021-36085.patch
--- libsepol-3.0/debian/patches/CVE-2021-36085.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsepol-3.0/debian/patches/CVE-2021-36085.patch 2022-04-26 09:15:13.000000000 +0000
@@ -0,0 +1,33 @@
+From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Thu, 8 Apr 2021 13:32:04 -0400
+Subject: [PATCH] cil: Destroy classperm list when resetting map perms
+
+Map perms share the same struct as regular perms, but only the
+map perms use the classperms field. This field is a pointer to a
+list of classperms that is created and added to when resolving
+classmapping rules, so the map permission doesn't own any of the
+data in the list and this list should be destroyed when the AST is
+reset.
+
+When resetting a perm, destroy the classperms list without destroying
+the data in the list.
+
+Signed-off-by: James Carter
+---
+ cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
++++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c
+ 
+ static void cil_reset_perm(struct cil_perm *perm)
+ {
+- cil_reset_classperms_list(perm->classperms);
++ cil_list_destroy(&perm->classperms, CIL_FALSE);
+ }
+ 
+ static inline void cil_reset_classperms(struct cil_classperms *cp)
diff -Nru libsepol-3.0/debian/patches/CVE-2021-36086.patch libsepol-3.0/debian/patches/CVE-2021-36086.patch
--- libsepol-3.0/debian/patches/CVE-2021-36086.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsepol-3.0/debian/patches/CVE-2021-36086.patch 2022-04-26 09:15:24.000000000 +0000
@@ -0,0 +1,36 @@
+From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Thu, 8 Apr 2021 13:32:06 -0400
+Subject: [PATCH] cil: cil_reset_classperms_set() should not reset
+ classpermission
+
+In struct cil_classperms_set, the set field is a pointer to a
+struct cil_classpermission which is looked up in the symbol table.
+Since the cil_classperms_set does not create the cil_classpermission,
+it should not reset it.
+
+Set the set field to NULL instead of resetting the classpermission
+that it points to.
+
+Signed-off-by: James Carter
+---
+ cil/src/cil_reset_ast.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
++++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -57,7 +57,11 @@ static void cil_reset_classpermission(st
+ 
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
+ {
+- cil_reset_classpermission(cp_set->set);
++ if (cp_set == NULL) {
++ return;
++ }
++
++ cp_set->set = NULL;
+ }
+ 
+ static inline void cil_reset_classperms_list(struct cil_list *cp_list)
diff -Nru libsepol-3.0/debian/patches/CVE-2021-36087.patch libsepol-3.0/debian/patches/CVE-2021-36087.patch
--- libsepol-3.0/debian/patches/CVE-2021-36087.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsepol-3.0/debian/patches/CVE-2021-36087.patch 2022-04-26 09:21:29.000000000 +0000
@@ -0,0 +1,99 @@
+Backport of: c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Thu, 8 Apr 2021 13:32:06 -0400
+Subject: PATCH] libsepol/cil: Check for statements not allowed in optional
+ blocks
+
+Index: libsepol-3.0/cil/src/cil_build_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_build_ast.c
++++ libsepol-3.0/cil/src/cil_build_ast.c
+@@ -50,6 +50,7 @@ struct cil_args_build {
+ struct cil_tree_node *ast;
+ struct cil_db *db;
+ struct cil_tree_node *macro;
++ struct cil_tree_node *optional;
+ struct cil_tree_node *boolif;
+ struct cil_tree_node *tunif;
+ struct cil_tree_node *in;
+@@ -6103,6 +6104,7 @@ int __cil_build_ast_node_helper(struct c
+ struct cil_db *db = NULL;
+ struct cil_tree_node *ast_node = NULL;
+ struct cil_tree_node *macro = NULL;
++ struct cil_tree_node *optional = NULL;
+ struct cil_tree_node *boolif = NULL;
+ struct cil_tree_node *tunif = NULL;
+ struct cil_tree_node *in = NULL;
+@@ -6117,6 +6119,7 @@ int __cil_build_ast_node_helper(struct c
+ db = args->db;
+ macro = args->macro;
+ boolif = args->boolif;
++ optional = args->optional;
+ tunif = args->tunif;
+ in = args->in;
+ 
+@@ -6148,6 +6151,18 @@ int __cil_build_ast_node_helper(struct c
+ }
+ }
+ 
++ if (optional != NULL) {
++ if (parse_current->data == CIL_KEY_TUNABLE ||
++ parse_current->data == CIL_KEY_IN ||
++ parse_current->data == CIL_KEY_BLOCK ||
++ parse_current->data == CIL_KEY_BLOCKABSTRACT ||
++ parse_current->data == CIL_KEY_MACRO) {
++ rc = SEPOL_ERR;
++ cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data);
++ goto exit;
++ }
++ }
++
+ if (boolif != NULL) {
+ if (parse_current->data != CIL_KEY_CONDTRUE &&
+ parse_current->data != CIL_KEY_CONDFALSE &&
+@@ -6533,6 +6548,19 @@ int __cil_build_ast_last_child_helper(st
+ args->boolif = NULL;
+ }
+ 
++ if (ast->flavor == CIL_OPTIONAL) {
++ struct cil_tree_node *n = ast->parent;
++ args->optional = NULL;
++ /* Optionals can be nested */
++ while (n && n->flavor != CIL_ROOT) {
++ if (n->flavor == CIL_OPTIONAL) {
++ args->optional = n;
++ break;
++ }
++ n = n->parent;
++ }
++ }
++
+ if (ast->flavor == CIL_TUNABLEIF) {
+ args->tunif = NULL;
+ }
+@@ -6566,6 +6594,7 @@ int cil_build_ast(struct cil_db *db, str
+ extra_args.ast = ast;
+ extra_args.db = db;
+ extra_args.macro = NULL;
++ extra_args.optional = NULL;
+ extra_args.boolif = NULL;
+ extra_args.tunif = NULL;
+ extra_args.in = NULL;
+Index: libsepol-3.0/cil/src/cil_resolve_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_resolve_ast.c
++++ libsepol-3.0/cil/src/cil_resolve_ast.c
+@@ -3698,8 +3698,11 @@ int __cil_resolve_ast_node_helper(struct
+ }
+ 
+ if (optstack != NULL) {
+- if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
+- /* tuanbles and macros are not allowed in optionals*/
++ if (node->flavor == CIL_TUNABLE ||
++ node->flavor == CIL_IN ||
++ node->flavor == CIL_BLOCK ||
++ node->flavor == CIL_BLOCKABSTRACT ||
++ node->flavor == CIL_MACRO) {
+ cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
+ rc = SEPOL_ERR;
+ goto exit;
diff -Nru libsepol-3.0/debian/patches/series libsepol-3.0/debian/patches/series
--- libsepol-3.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libsepol-3.0/debian/patches/series 2022-04-26 09:15:46.000000000 +0000
@@ -0,0 +1,4 @@
+CVE-2021-36084.patch
+CVE-2021-36085.patch
+CVE-2021-36086.patch
+CVE-2021-36087.patch
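Review bot: The build-pass rejection added to __cil_build_ast_node_helper in CVE-2021-36087.patch (the `@@ -6148,6 +6151,18 @@` hunk) can never fire, because nothing in the patch assigns a non-NULL value to args->optional: the field is introduced at `@@ -50`, initialised to NULL in cil_build_ast, copied into the local at `@@ -6117`, and cleared again in __cil_build_ast_last_child_helper at `@@ -6533`, but there is no `args->optional = ast_node;` when a CIL_OPTIONAL node is entered, and since the field is new in this patch no pre-existing code in the 3.0 tree can set it. The missing assignment belongs in __cil_build_ast_node_helper once the node has been built, in the same place the `macro` tracking is maintained: `if (ast_node->flavor == CIL_OPTIONAL) { args->optional = ast_node; }`. As shipped, rejection of tunable/in/block/blockabstract/macro inside optionals rests entirely on the optstack check in the cil_resolve_ast.c hunk, which may or may not be sufficient for the OSS-Fuzz reproducer behind this CVE on its own, so the backport should be re-tested against it before release. The patch header is also wrong: `Backport of: c49a8ea09501ad66e799ea41b8154b6770fec2c8` with the 13:32:06 date is the commit id and timestamp of CVE-2021-36086.patch on this same page, and the Subject line is missing its opening bracket, so the header should name the actual upstream commit for "libsepol/cil: Check for statements not allowed in optional blocks". Both __cil_build_ast_node_helper and __cil_build_ast_last_child_helper begin and end outside the quoted hunks.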