From 1e8181314962c0044a6d4465d2130fcf10cc9ad2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 2 Nov 2021 06:35:55 -0400 Subject: [PATCH 1/2] import openscap-1.3.4-6.el8_4 --- ...-1.3.6-PR-1779-initialize-crapi-once.patch | 136 ++++++++++++++++++ ...nscap-1.3.6-PR-1788-test-rhbz1959570.patch | 97 +++++++++++++ SPECS/openscap.spec | 7 +- 3 files changed, 239 insertions(+), 1 deletion(-) create mode 100644 SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch create mode 100644 SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch diff --git a/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch b/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch new file mode 100644 index 0000000..94cc375 --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch @@ -0,0 +1,136 @@ +From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 8 Jul 2021 14:28:16 +0200 +Subject: [PATCH 1/3] Initialize crypto API only once + +The function `crapi_init` calls `gcry_check_version` which must be +called before any other function from the Libgcrypt library. That might +be violated when multiple threads executing multiple probes are running. +The mitigation proposed in this PR is to call `crapi_init` only once +when the session is initialized which means before any threads are +spawned. + +See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading + +Resolves: RHBZ#1959570 +--- + src/OVAL/oval_probe_session.c | 5 +++++ + src/OVAL/probes/independent/filehash58_probe.c | 6 ------ + src/OVAL/probes/independent/filehash_probe.c | 6 ------ + src/OVAL/probes/independent/filemd5_probe.c | 6 ------ + 4 files changed, 5 insertions(+), 18 deletions(-) + +diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c +index 435ca148fd..6f6d7ad426 100644 +--- a/src/OVAL/oval_probe_session.c ++++ b/src/OVAL/oval_probe_session.c +@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void) + SEXP_free((SEXP_t *)exp); + + ncache_libinit(); ++ /* ++ * Initialize crypto API ++ */ ++ if (crapi_init (NULL) != 0) ++ return (NULL); + } + + /** +diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c +index ff1e065746..32a38562bd 100644 +--- a/src/OVAL/probes/independent/filehash58_probe.c ++++ b/src/OVAL/probes/independent/filehash58_probe.c +@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported() + + void *filehash58_probe_init(void) + { +- /* +- * Initialize crypto API +- */ +- if (crapi_init (NULL) != 0) +- return (NULL); +- + /* + * Initialize mutex. + */ +diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c +index 522d976512..6d8780dc95 100644 +--- a/src/OVAL/probes/independent/filehash_probe.c ++++ b/src/OVAL/probes/independent/filehash_probe.c +@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported() + + void *filehash_probe_init(void) + { +- /* +- * Initialize crypto API +- */ +- if (crapi_init (NULL) != 0) +- return (NULL); +- + /* + * Initialize mutex. + */ +diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c +index d0de402d8b..99913581f0 100644 +--- a/src/OVAL/probes/independent/filemd5_probe.c ++++ b/src/OVAL/probes/independent/filemd5_probe.c +@@ -163,12 +163,6 @@ int probe_offline_mode_supported() + + void *probe_init (void) + { +- /* +- * Initialize crypto API +- */ +- if (crapi_init (NULL) != 0) +- return (NULL); +- + /* + * Initialize mutex. + */ + +From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 13 Jul 2021 13:03:21 +0200 +Subject: [PATCH 2/3] Add a missing include + +--- + src/OVAL/oval_probe_session.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c +index 6f6d7ad426..295782b536 100644 +--- a/src/OVAL/oval_probe_session.c ++++ b/src/OVAL/oval_probe_session.c +@@ -48,6 +48,7 @@ + #include "oval_probe_ext.h" + #include "probe-table.h" + #include "oval_types.h" ++#include "crapi/crapi.h" + + #if defined(OSCAP_THREAD_SAFE) + #include + +From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 15 Jul 2021 14:21:00 +0200 +Subject: [PATCH 3/3] Don't initialize crypto on Windows + +--- + src/OVAL/oval_probe_session.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c +index 295782b536..b443cbcc80 100644 +--- a/src/OVAL/oval_probe_session.c ++++ b/src/OVAL/oval_probe_session.c +@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void) + /* + * Initialize crypto API + */ ++#ifndef OS_WINDOWS + if (crapi_init (NULL) != 0) + return (NULL); ++#endif + } + + /** diff --git a/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch b/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch new file mode 100644 index 0000000..2c175b8 --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch @@ -0,0 +1,97 @@ +From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 28 Jul 2021 13:06:25 +0200 +Subject: [PATCH] Add a regression test for rhbz#1959570 + +The bug was a segmentation fault in filehash58 probe which happened +in openscap-1.3.3-6.el8_3. + +The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779 +and this patch adds a very small test. +--- + tests/probes/filehash58/CMakeLists.txt | 1 + + .../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++ + .../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++ + 3 files changed, 59 insertions(+) + create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh + create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml + +diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt +index b26d8171fb..cdec0792eb 100644 +--- a/tests/probes/filehash58/CMakeLists.txt ++++ b/tests/probes/filehash58/CMakeLists.txt +@@ -1,3 +1,4 @@ + if(ENABLE_PROBES_INDEPENDENT) + add_oscap_test("test_probes_filehash58.sh") ++ add_oscap_test("rhbz1959570_segfault.sh") + endif() +diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh +new file mode 100755 +index 0000000000..0c32cc79f1 +--- /dev/null ++++ b/tests/probes/filehash58/rhbz1959570_segfault.sh +@@ -0,0 +1,19 @@ ++#!/usr/bin/env bash ++ ++# Copyright 2021 Red Hat Inc., Durham, North Carolina. ++# All Rights Reserved. ++# ++# OpenSCAP Probes Test Suite. ++# ++# Authors: ++# Jan Černý, ++ ++set -e -o pipefail ++. $builddir/tests/test_common.sh ++ ++# Test Cases ++ ++stderr="$(mktemp)" ++$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr" ++[ ! -s "$stderr" ] ++rm "$stderr" +diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml +new file mode 100644 +index 0000000000..4b3fc4863a +--- /dev/null ++++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml +@@ -0,0 +1,39 @@ ++ ++ ++ ++ jcerny ++ 1 ++ 5.11 ++ 2021-07-28T07:40:55 ++ ++ ++ ++ ++ title ++ description ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/os-release ++ SHA-256 ++ ++ ++ ++ ++ /etc/os-release ++ SHA-256 ++ 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af ++ ++ ++ diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index 479007b..b91188d 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -1,6 +1,6 @@ Name: openscap Version: 1.3.4 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ @@ -13,6 +13,8 @@ Patch4: openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch Patch5: openscap-1.3.5-memory-PR_1627.patch Patch6: openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch Patch7: openscap-1.3.5-test-non-local-gpfs-PR_1653.patch +Patch8: openscap-1.3.6-PR-1779-initialize-crapi-once.patch +Patch9: openscap-1.3.6-PR-1788-test-rhbz1959570.patch BuildRequires: cmake >= 2.6 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser BuildRequires: rpm-devel @@ -219,6 +221,9 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/oscap-run-sce-script %changelog +* Mon Aug 30 2021 Jan Černý - 1.3.4-6 +- Initialize crypto API only once (rhbz#1998045) + * Wed Nov 25 2020 Evgenii Kolesnikov - 1.3.4-5 - Add check for non-local GPFS file system into Test Suite (RHBZ#1840578) From d071d5ddcae5ed29ece5b3bceac6a5a314dff427 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 Nov 2021 04:53:30 -0500 Subject: [PATCH 2/2] import openscap-1.3.5-6.el8 --- .gitignore | 2 +- .openscap.metadata | 2 +- .../openscap-1.3.5-coverity1-PR_1617.patch | 162 ------------------ .../openscap-1.3.5-coverity2-PR_1620.patch | 147 ---------------- SOURCES/openscap-1.3.5-memory-PR_1627.patch | 84 --------- ...nscap-1.3.5-plug-memory-leak-PR_1616.patch | 71 -------- ...ap-1.3.5-test-non-local-gpfs-PR_1653.patch | 9 - ....5-use-MALLOC_CHECK-in-tests-PR_1635.patch | 13 -- ...lfilecontent-fix-field-names-PR_1619.patch | 67 -------- ...enscap-1.3.6-PR-1745-waive-hugepages.patch | 43 +++++ SOURCES/openscap-1.3.6-PR-1748-covscan.patch | 52 ++++++ ...openscap-1.3.6-PR-1749-blueprint-fix.patch | 64 +++++++ SOURCES/openscap-1.3.6-PR-1753-getlogin.patch | 36 ++++ .../openscap-1.3.6-PR-1756-yaml-nulls.patch | 150 ++++++++++++++++ SPECS/openscap.spec | 48 ++++-- 15 files changed, 383 insertions(+), 567 deletions(-) delete mode 100644 SOURCES/openscap-1.3.5-coverity1-PR_1617.patch delete mode 100644 SOURCES/openscap-1.3.5-coverity2-PR_1620.patch delete mode 100644 SOURCES/openscap-1.3.5-memory-PR_1627.patch delete mode 100644 SOURCES/openscap-1.3.5-plug-memory-leak-PR_1616.patch delete mode 100644 SOURCES/openscap-1.3.5-test-non-local-gpfs-PR_1653.patch delete mode 100644 SOURCES/openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch delete mode 100644 SOURCES/openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch create mode 100644 SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch create mode 100644 SOURCES/openscap-1.3.6-PR-1748-covscan.patch create mode 100644 SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch create mode 100644 SOURCES/openscap-1.3.6-PR-1753-getlogin.patch create mode 100644 SOURCES/openscap-1.3.6-PR-1756-yaml-nulls.patch diff --git a/.gitignore b/.gitignore index c00197a..0223773 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openscap-1.3.4.tar.gz +SOURCES/openscap-1.3.5.tar.gz diff --git a/.openscap.metadata b/.openscap.metadata index e3596ca..38345b6 100644 --- a/.openscap.metadata +++ b/.openscap.metadata @@ -1 +1 @@ -3e303f06aa00e5c2616db606b980389ee0b73883 SOURCES/openscap-1.3.4.tar.gz +77494383980082f8bc625a6e196a6760d30a5107 SOURCES/openscap-1.3.5.tar.gz diff --git a/SOURCES/openscap-1.3.5-coverity1-PR_1617.patch b/SOURCES/openscap-1.3.5-coverity1-PR_1617.patch deleted file mode 100644 index ea7edcb..0000000 --- a/SOURCES/openscap-1.3.5-coverity1-PR_1617.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 0311ac9d8368acd5baac8b7fc6f753bd895ea3fc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 6 Oct 2020 13:32:19 +0200 -Subject: [PATCH 1/2] Fix Coverity warnings - -Addressing multiple Coverity defects similar to this one: -Defect type: CHECKED_RETURN -check_return: Calling "curl_easy_setopt(curl, _curl_opt, _curl_trace)" -without checking return value. This library function may fail and return -an error code. ---- - src/common/oscap_acquire.c | 65 +++++++++++++++++++++++++++++++------- - 1 file changed, 53 insertions(+), 12 deletions(-) - -diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c -index 666f4f5c9..34a92fa19 100644 ---- a/src/common/oscap_acquire.c -+++ b/src/common/oscap_acquire.c -@@ -326,18 +326,59 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) - return NULL; - } - -- struct oscap_buffer* buffer = oscap_buffer_new(); -- -- curl_easy_setopt(curl, CURLOPT_URL, url); -- curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); -- curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); -- curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); -- curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true); -- curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); -- curl_easy_setopt(curl, CURLOPT_VERBOSE, true); -- curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace); -- -- CURLcode res = curl_easy_perform(curl); -+ CURLcode res; -+ -+ res = curl_easy_setopt(curl, CURLOPT_URL, url); -+ if (res != 0) { -+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_URL to '%s': %s", url, curl_easy_strerror(res)); -+ return NULL; -+ } -+ -+ res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); -+ if (res != 0) { -+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEFUNCTION to write_to_memory_callback: %s", curl_easy_strerror(res)); -+ return NULL; -+ } -+ -+ res = curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); -+ if (res != 0) { -+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_ACCEPT_ENCODING to an empty string: %s", curl_easy_strerror(res)); -+ return NULL; -+ } -+ -+ res = curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true); -+ if (res != 0) { -+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_TRANSFER_ENCODING to true: %s", curl_easy_strerror(res)); -+ return NULL; -+ } -+ -+ res = curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); -+ if (res != 0) { -+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FOLLOWLOCATION to true: %s", curl_easy_strerror(res)); -+ return NULL; -+ } -+ -+ res = curl_easy_setopt(curl, CURLOPT_VERBOSE, true); -+ if (res != 0) { -+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_VERBOSE to true: %s", curl_easy_strerror(res)); -+ return NULL; -+ } -+ -+ res = curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace); -+ if (res != 0) { -+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_DEBUGFUNCTION to _curl_trace: %s", curl_easy_strerror(res)); -+ return NULL; -+ } -+ -+ struct oscap_buffer *buffer = oscap_buffer_new(); -+ res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); -+ if (res != 0) { -+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEDATA as buffer: %s", curl_easy_strerror(res)); -+ oscap_buffer_free(buffer); -+ return NULL; -+ } -+ -+ res = curl_easy_perform(curl); - curl_easy_cleanup(curl); - - if (res != 0) { - -From 34af1348b6ff6e4710aeb6e383b1a50c4751c16e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 26 Oct 2020 11:12:04 +0100 -Subject: [PATCH 2/2] Add curl_easy_cleanup everywhere - ---- - src/common/oscap_acquire.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c -index 34a92fa19..cd9bfc36f 100644 ---- a/src/common/oscap_acquire.c -+++ b/src/common/oscap_acquire.c -@@ -330,42 +330,49 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) - - res = curl_easy_setopt(curl, CURLOPT_URL, url); - if (res != 0) { -+ curl_easy_cleanup(curl); - oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_URL to '%s': %s", url, curl_easy_strerror(res)); - return NULL; - } - - res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); - if (res != 0) { -+ curl_easy_cleanup(curl); - oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEFUNCTION to write_to_memory_callback: %s", curl_easy_strerror(res)); - return NULL; - } - - res = curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); - if (res != 0) { -+ curl_easy_cleanup(curl); - oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_ACCEPT_ENCODING to an empty string: %s", curl_easy_strerror(res)); - return NULL; - } - - res = curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true); - if (res != 0) { -+ curl_easy_cleanup(curl); - oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_TRANSFER_ENCODING to true: %s", curl_easy_strerror(res)); - return NULL; - } - - res = curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); - if (res != 0) { -+ curl_easy_cleanup(curl); - oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FOLLOWLOCATION to true: %s", curl_easy_strerror(res)); - return NULL; - } - - res = curl_easy_setopt(curl, CURLOPT_VERBOSE, true); - if (res != 0) { -+ curl_easy_cleanup(curl); - oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_VERBOSE to true: %s", curl_easy_strerror(res)); - return NULL; - } - - res = curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace); - if (res != 0) { -+ curl_easy_cleanup(curl); - oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_DEBUGFUNCTION to _curl_trace: %s", curl_easy_strerror(res)); - return NULL; - } -@@ -373,6 +380,7 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) - struct oscap_buffer *buffer = oscap_buffer_new(); - res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); - if (res != 0) { -+ curl_easy_cleanup(curl); - oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEDATA as buffer: %s", curl_easy_strerror(res)); - oscap_buffer_free(buffer); - return NULL; diff --git a/SOURCES/openscap-1.3.5-coverity2-PR_1620.patch b/SOURCES/openscap-1.3.5-coverity2-PR_1620.patch deleted file mode 100644 index 404ff9c..0000000 --- a/SOURCES/openscap-1.3.5-coverity2-PR_1620.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 538c70780b49a36a4d2420ef93b87b78817dc14c Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Mon, 26 Oct 2020 08:31:53 +0100 -Subject: [PATCH] Covscan fixes - ---- - src/OVAL/probes/fsdev.c | 2 +- - src/OVAL/probes/independent/yamlfilecontent_probe.c | 5 +++-- - src/OVAL/probes/unix/fileextendedattribute_probe.c | 2 +- - src/OVAL/probes/unix/linux/partition_probe.c | 2 +- - src/OVAL/probes/unix/xinetd_probe.c | 7 ++++++- - src/XCCDF/xccdf_session.c | 4 ++-- - utils/oscap-tool.c | 6 +++++- - utils/oscap-xccdf.c | 3 +-- - 8 files changed, 20 insertions(+), 11 deletions(-) - -diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c -index b2b984441..c82ab620b 100644 ---- a/src/OVAL/probes/fsdev.c -+++ b/src/OVAL/probes/fsdev.c -@@ -219,7 +219,7 @@ static fsdev_t *__fsdev_init(fsdev_t *lfs) - endmntent(fp); - - void *new_ids = realloc(lfs->ids, sizeof(dev_t) * i); -- if (new_ids == NULL) { -+ if (new_ids == NULL && i > 0) { - e = errno; - free(lfs->ids); - free(lfs); -diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c -index 6f18abf83..e7e6cb3f5 100644 ---- a/src/OVAL/probes/independent/yamlfilecontent_probe.c -+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c -@@ -216,12 +216,13 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str - result_error("YAML parser error: %s", parser.problem); - goto cleanup; - } -+ -+ event_type = event.type; -+ - if (yaml_path_filter_event(yaml_path, &parser, &event) == YAML_PATH_FILTER_RESULT_OUT) { - goto next; - } - -- event_type = event.type; -- - if (sequence) { - if (event_type == YAML_SEQUENCE_END_EVENT) { - sequence = false; -diff --git a/src/OVAL/probes/unix/fileextendedattribute_probe.c b/src/OVAL/probes/unix/fileextendedattribute_probe.c -index b442ea540..ee853886a 100644 ---- a/src/OVAL/probes/unix/fileextendedattribute_probe.c -+++ b/src/OVAL/probes/unix/fileextendedattribute_probe.c -@@ -298,7 +298,7 @@ static int file_cb(const char *prefix, const char *p, const char *f, void *ptr, - - // Allocate buffer, '+1' is for trailing '\0' - void *new_xattr_val = realloc(xattr_val, sizeof(char) * (xattr_vallen + 1)); -- if (xattr_val == NULL) { -+ if (new_xattr_val == NULL) { - dE("Failed to allocate memory for xattr_val"); - free(xattr_val); - goto exit; -diff --git a/src/OVAL/probes/unix/linux/partition_probe.c b/src/OVAL/probes/unix/linux/partition_probe.c -index a74c0323a..adb244b04 100644 ---- a/src/OVAL/probes/unix/linux/partition_probe.c -+++ b/src/OVAL/probes/unix/linux/partition_probe.c -@@ -207,7 +207,7 @@ static int collect_item(probe_ctx *ctx, oval_schema_version_t over, struct mnten - mnt_ocnt = add_mnt_opt(&mnt_opts, mnt_ocnt, "move"); - } - -- dD("mnt_ocnt = %d, mnt_opts[mnt_ocnt]=%p", mnt_ocnt, mnt_opts[mnt_ocnt]); -+ dD("mnt_ocnt = %d, mnt_opts[mnt_ocnt]=%p", mnt_ocnt, mnt_opts == NULL ? NULL : mnt_opts[mnt_ocnt]); - - /* - * "Correct" the type (this won't be (hopefully) needed in a later version -diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c -index 75b12f95b..d61c7d547 100644 ---- a/src/OVAL/probes/unix/xinetd_probe.c -+++ b/src/OVAL/probes/unix/xinetd_probe.c -@@ -566,7 +566,12 @@ static int xiconf_add_cfile(xiconf_t *xiconf, const char *path, int depth) - } - - xifile->depth = depth; -- xiconf->cfile = realloc(xiconf->cfile, sizeof(xiconf_file_t *) * ++xiconf->count); -+ void *cfile = realloc(xiconf->cfile, sizeof(xiconf_file_t *) * ++xiconf->count); -+ if (cfile == NULL) { -+ dE("Failed re-allocate memory for cfile"); -+ return (-1); -+ } -+ xiconf->cfile = cfile; - xiconf->cfile[xiconf->count - 1] = xifile; - - dD("Added new file to the cfile queue: %s; fi=%zu", path, xiconf->count - 1); -diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c -index 8bd394e2f..f1b837959 100644 ---- a/src/XCCDF/xccdf_session.c -+++ b/src/XCCDF/xccdf_session.c -@@ -286,9 +286,9 @@ static struct oscap_source *xccdf_session_extract_arf_source(struct xccdf_sessio - } - struct tm *tm_mtime = malloc(sizeof(struct tm)); - #ifdef OS_WINDOWS -- tm_mtime = localtime_s(tm_mtime, &file_stat.st_mtime); -+ localtime_s(tm_mtime, &file_stat.st_mtime); - #else -- tm_mtime = localtime_r(&file_stat.st_mtime, tm_mtime); -+ localtime_r(&file_stat.st_mtime, tm_mtime); - #endif - strftime(tailoring_doc_timestamp, max_timestamp_len, - "%Y-%m-%dT%H:%M:%S", tm_mtime); -diff --git a/utils/oscap-tool.c b/utils/oscap-tool.c -index 9bfe52697..660a19047 100644 ---- a/utils/oscap-tool.c -+++ b/utils/oscap-tool.c -@@ -315,7 +315,10 @@ static void getopt_parse_env(struct oscap_module *module, int *argc, char ***arg - opt = oscap_strtok_r(opts, delim, &state); - while (opt != NULL) { - eargc++; -- eargv = realloc(eargv, eargc * sizeof(char *)); -+ void *new_eargv = realloc(eargv, eargc * sizeof(char *)); -+ if (new_eargv == NULL) -+ goto exit; -+ eargv = new_eargv; - eargv[eargc - 1] = strdup(opt); - opt = oscap_strtok_r(NULL, delim, &state); - } -@@ -334,6 +337,7 @@ static void getopt_parse_env(struct oscap_module *module, int *argc, char ***arg - - *argc = nargc; - *argv = nargv; -+exit: - free(opts); - free(eargv); - } -diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c -index af337b844..0a9ae5270 100644 ---- a/utils/oscap-xccdf.c -+++ b/utils/oscap-xccdf.c -@@ -610,8 +610,7 @@ int app_evaluate_xccdf(const struct oscap_action *action) - - /* syslog message */ - #if defined(HAVE_SYSLOG_H) -- syslog(priority, "Evaluation finished. Return code: %d, Base score %f.", evaluation_result, -- session == NULL ? 0 : xccdf_session_get_base_score(session)); -+ syslog(priority, "Evaluation finished. Return code: %d, Base score %f.", evaluation_result, xccdf_session_get_base_score(session)); - #endif - - xccdf_session_set_xccdf_export(session, action->f_results); diff --git a/SOURCES/openscap-1.3.5-memory-PR_1627.patch b/SOURCES/openscap-1.3.5-memory-PR_1627.patch deleted file mode 100644 index 1b60ca6..0000000 --- a/SOURCES/openscap-1.3.5-memory-PR_1627.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 10 Nov 2020 11:16:00 +0100 -Subject: [PATCH] Fix memory allocation - -We can't assume that size of a structure is a sum of sizes of its -members because padding and alignment can be involved. In fact, -we need to allocate more bytes for the structure than the -sum of sizes of its members. - -The wrong assumption caused invalid writes and invalid reads -which can be discovered by valgrind. Moreover, when run with -MALLOC_CHECK_ environment variable set to non-zero value, the -program aborted. - -The memory issue happened only when NDEBUG is defined, eg. when cmake --DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake --DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is -most likely because in debug mode the struct SEXP contains 2 additional -members which are the magic canaries and therefore is bigger. - -This commit wants to fix the problem by 2 step allocation in which -first the size of the struct SEXP_val_lblk is used and then the -array of SEXPs is allocated separately. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770 ---- - src/OVAL/probes/SEAP/_sexp-value.h | 2 +- - src/OVAL/probes/SEAP/sexp-value.c | 12 ++++++------ - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h -index 426cd2c3d..e66777ef9 100644 ---- a/src/OVAL/probes/SEAP/_sexp-value.h -+++ b/src/OVAL/probes/SEAP/_sexp-value.h -@@ -94,7 +94,7 @@ struct SEXP_val_lblk { - uintptr_t nxsz; - uint16_t real; - uint16_t refs; -- SEXP_t memb[]; -+ SEXP_t *memb; - }; - - size_t SEXP_rawval_list_length (struct SEXP_val_list *list); -diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c -index a11cbc70c..b8b3ed609 100644 ---- a/src/OVAL/probes/SEAP/sexp-value.c -+++ b/src/OVAL/probes/SEAP/sexp-value.c -@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz) - { - _A(sz < 16); - -- struct SEXP_val_lblk *lblk = oscap_aligned_malloc( -- sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)), -- SEXP_LBLK_ALIGN -- ); -+ struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk)); -+ lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz)); - - lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK); - lblk->refs = 1; -@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *)) - func (lblk->memb + lblk->real); - } - -- oscap_aligned_free(lblk); -+ free(lblk->memb); -+ free(lblk); - - if (next != NULL) - SEXP_rawval_lblk_free ((uintptr_t)next, func); -@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *)) - func (lblk->memb + lblk->real); - } - -- oscap_aligned_free(lblk); -+ free(lblk->memb); -+ free(lblk); - } - - return; --- -2.26.2 - diff --git a/SOURCES/openscap-1.3.5-plug-memory-leak-PR_1616.patch b/SOURCES/openscap-1.3.5-plug-memory-leak-PR_1616.patch deleted file mode 100644 index 8c8f4cf..0000000 --- a/SOURCES/openscap-1.3.5-plug-memory-leak-PR_1616.patch +++ /dev/null @@ -1,71 +0,0 @@ -From d5518f3f4c32ac19fcf3427602d5b2978b7ef1b4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 5 Oct 2020 16:02:29 +0200 -Subject: [PATCH] Plug a memory leak - -Addressing: - -8 bytes in 1 blocks are indirectly lost in loss record 7 of 235 - at 0x483A809: malloc (vg_replace_malloc.c:307) - by 0x48F15CA: oval_collection_new (oval_collection.c:64) - by 0x48F4FCC: oval_result_criteria_node_new (oval_resultCriteriaNode.c:106) - by 0x48F5580: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:249) - by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130) - by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217) - by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279) - by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260) - by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130) - by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395) - by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369) - by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181) - -8 bytes in 1 blocks are definitely lost in loss record 8 of 235 - at 0x483A809: malloc (vg_replace_malloc.c:307) - by 0x48F1799: oval_collection_iterator (oval_collection.c:120) - by 0x48CCE4C: oval_criteria_node_get_subnodes (oval_criteriaNode.c:161) - by 0x48F5590: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:255) - by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130) - by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217) - by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279) - by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260) - by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130) - by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395) - by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369) - by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181) - -48 (40 direct, 8 indirect) bytes in 1 blocks are definitely lost in loss record 125 of 235 - at 0x483A809: malloc (vg_replace_malloc.c:307) - by 0x48F4F50: oval_result_criteria_node_new (oval_resultCriteriaNode.c:98) - by 0x48F5580: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:249) - by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130) - by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217) - by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279) - by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260) - by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130) - by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395) - by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369) - by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181) - by 0x48C2671: oval_agent_eval_system (oval_agent.c:286) - -This leak has been created by #1610. ---- - src/OVAL/results/oval_resultCriteriaNode.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/OVAL/results/oval_resultCriteriaNode.c b/src/OVAL/results/oval_resultCriteriaNode.c -index 807283206..f6e980861 100644 ---- a/src/OVAL/results/oval_resultCriteriaNode.c -+++ b/src/OVAL/results/oval_resultCriteriaNode.c -@@ -258,8 +258,11 @@ struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_n - = oval_criteria_node_iterator_next(oval_subnodes); - struct oval_result_criteria_node *rslt_subnode - = make_result_criteria_node_from_oval_criteria_node(sys, oval_subnode, visited_definitions, variable_instance); -- if (rslt_subnode == NULL) -+ if (rslt_subnode == NULL) { -+ oval_criteria_node_iterator_free(oval_subnodes); -+ oval_result_criteria_node_free(rslt_node); - return NULL; -+ } - oval_result_criteria_node_add_subnode(rslt_node, rslt_subnode); - } - oval_criteria_node_iterator_free(oval_subnodes); diff --git a/SOURCES/openscap-1.3.5-test-non-local-gpfs-PR_1653.patch b/SOURCES/openscap-1.3.5-test-non-local-gpfs-PR_1653.patch deleted file mode 100644 index 7b2a2c2..0000000 --- a/SOURCES/openscap-1.3.5-test-non-local-gpfs-PR_1653.patch +++ /dev/null @@ -1,9 +0,0 @@ -diff --git a/tests/API/probes/fake_mtab b/tests/API/probes/fake_mtab -index 94b1fe295..32c516b7d 100644 ---- a/tests/API/probes/fake_mtab -+++ b/tests/API/probes/fake_mtab -@@ -5,3 +5,4 @@ tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0 - /dev/mapper/fedora-home /home ext4 rw,seclabel,relatime 0 0 - proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 - //192.168.0.5/storage /media/movies cifs guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm 0 0 -+/dev/gpfsdev /gpfs gpfs rw,relatime 0 0 diff --git a/SOURCES/openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch b/SOURCES/openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch deleted file mode 100644 index 687812a..0000000 --- a/SOURCES/openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/tests/test_common.sh.in b/tests/test_common.sh.in -index 6b54ad015..5b6126dbf 100755 ---- a/tests/test_common.sh.in -+++ b/tests/test_common.sh.in -@@ -17,6 +17,9 @@ PREFERRED_PYTHON=@PREFERRED_PYTHON_PATH@ - LC_ALL=C - export LC_ALL - -+MALLOC_CHECK_=3 -+export MALLOC_CHECK_ -+ - OSCAP_FULL_VALIDATION=1 - export OSCAP_FULL_VALIDATION diff --git a/SOURCES/openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch b/SOURCES/openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch deleted file mode 100644 index 7d39e31..0000000 --- a/SOURCES/openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch +++ /dev/null @@ -1,67 +0,0 @@ -diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c -index 6f18abf83..17741a240 100644 ---- a/src/OVAL/probes/independent/yamlfilecontent_probe.c -+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c -@@ -206,6 +206,7 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str - yaml_event_type_t event_type; - bool sequence = false; - bool mapping = false; -+ bool fake_mapping = false; - int index = 0; - char *key = strdup("#"); - -@@ -224,21 +225,39 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str - - if (sequence) { - if (event_type == YAML_SEQUENCE_END_EVENT) { -- sequence = false; -+ if (fake_mapping) { -+ fake_mapping = false; -+ if (record && record->itemcount > 0) { -+ oscap_list_add(values, record); -+ } else { -+ // Do not collect empty records -+ oscap_htable_free0(record); -+ } -+ record = NULL; -+ } else { -+ sequence = false; -+ } - } else if (event_type == YAML_SEQUENCE_START_EVENT) { -- result_error("YAML path '%s' points to a multi-dimensional structure (sequence containing another sequence)", yaml_path_cstr); -- goto cleanup; -+ if (mapping || fake_mapping) { -+ result_error("YAML path '%s' points to a multi-dimensional structure (a map or a sequence containing other sequences)", yaml_path_cstr); -+ goto cleanup; -+ } else { -+ fake_mapping = true; -+ record = oscap_htable_new(); -+ } - } - } else { - if (event_type == YAML_SEQUENCE_START_EVENT) { - sequence = true; -+ if (mapping) -+ index++; - } - } - - if (mapping) { - if (event_type == YAML_MAPPING_END_EVENT) { - mapping = false; -- if (record->itemcount > 0) { -+ if (record && record->itemcount > 0) { - oscap_list_add(values, record); - } else { - // Do not collect empty records -@@ -255,6 +274,10 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str - result_error("YAML path '%s' points to an invalid structure (map containing another map)", yaml_path_cstr); - goto cleanup; - } -+ if (fake_mapping) { -+ result_error("YAML path '%s' points to a multi-dimensional structure (two-dimensional sequence containing a map)", yaml_path_cstr); -+ goto cleanup; -+ } - mapping = true; - sequence = false; - index = 0; diff --git a/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch b/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch new file mode 100644 index 0000000..4272a78 --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch @@ -0,0 +1,43 @@ +From 192f908562779fe4c9b7e5cc7605840976a06c85 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 26 Apr 2021 13:13:26 +0200 +Subject: [PATCH] Waive the known issue with hugepages on ppc64/ppc64le + +The known issue has been reported in +https://bugzilla.redhat.com/show_bug.cgi?id=1642995 + +This modification is currently applied as a patch applied during setup +phase of Sanity/smoke-test in Fedora CI gating. +https://src.fedoraproject.org/tests/openscap/blob/main/f/Sanity/smoke-test +The patched file got changed recetly so the patch doesn't apply anymore +which causes the Rawhide gating to fail. +We have decided to propose the change to upstream to avoid the need +for modifying the patch in the tests and to prevent similar problems +in the future. +--- + tests/probes/sysctl/test_sysctl_probe_all.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh +index 2280ff7ae..c79d7ed18 100755 +--- a/tests/probes/sysctl/test_sysctl_probe_all.sh ++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh +@@ -73,6 +73,10 @@ if [ "$procps_ver" != "$lowest_ver" ]; then + sed -i '/.*vm.stat_refresh/d' "$sysctlNames" + fi + ++if ! grep -q "hugepages" "$ourNames"; then ++ sed -i "/^.*hugepages.*$/d" "$sysctlNames" ++fi ++ + echo "Diff (sysctlNames / ourNames): ------" + diff "$sysctlNames" "$ourNames" + echo "-------------------------------------" +@@ -84,6 +88,7 @@ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr" + # that can't fit into 8K buffer and result in errno 14 + # (for example /proc/sys/kernel/spl/hostid could be the case) + sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr" ++sed -i "/^.*hugepages.*$/d" "$stderr" + + echo "Errors (without messages related to permissions):" + cat "$stderr" diff --git a/SOURCES/openscap-1.3.6-PR-1748-covscan.patch b/SOURCES/openscap-1.3.6-PR-1748-covscan.patch new file mode 100644 index 0000000..9d5661a --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1748-covscan.patch @@ -0,0 +1,52 @@ +From 378ef5e438a2f5af7a50374d2bd23bdd3403201f Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov +Date: Tue, 4 May 2021 08:41:06 +0200 +Subject: [PATCH] Fix covscan-reported issues in yamlfilecontent probe and + schematron + +Error: FORWARD_NULL (CWE-476): [#def1] +/OVAL/probes/independent/yamlfilecontent_probe.c:392: var_compare_op: Comparing "yaml_file" to null implies that "yaml_file" might be null. +/OVAL/probes/independent/yamlfilecontent_probe.c:417: var_deref_model: Passing null pointer "yaml_file" to "fclose", which dereferences it. +# 416| cleanup: +# 417|-> fclose(yaml_file); +# 418| yaml_parser_delete(&parser); + +Error: RESOURCE_LEAK (CWE-772): [#def2] [important] +/source/schematron.c:549: alloc_fn: Storage is returned from allocation function "xmlXPathNodeEval". +/source/schematron.c:549: var_assign: Assigning: "component_refs" = storage returned from "xmlXPathNodeEval(data_stream_node, (xmlChar *)"ds:checklists/ds:component-ref", context)". +/source/schematron.c:551: leaked_storage: Variable "component_refs" going out of scope leaks the storage it points to. +# 550| if (component_refs == NULL || component_refs->nodesetval == NULL) { +# 551|-> return res; +# 552| } +--- + src/OVAL/probes/independent/yamlfilecontent_probe.c | 3 ++- + src/source/schematron.c | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c +index ed5ce0d68..62a8f4ff2 100644 +--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c ++++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c +@@ -414,7 +414,8 @@ static int process_yaml_file(const char *prefix, const char *path, const char *f + } + + cleanup: +- fclose(yaml_file); ++ if (yaml_file != NULL) ++ fclose(yaml_file); + yaml_parser_delete(&parser); + free(filepath_with_prefix); + free(filepath); +diff --git a/src/source/schematron.c b/src/source/schematron.c +index 6cb22658b..c32d5aed6 100644 +--- a/src/source/schematron.c ++++ b/src/source/schematron.c +@@ -548,6 +548,8 @@ static bool _req_src_346_1_sub1(xmlNodePtr data_stream_node, xmlXPathContextPtr + /* every $m in ds:checklists/ds:component-ref satisfies ... */ + xmlXPathObjectPtr component_refs = xmlXPathNodeEval(data_stream_node, BAD_CAST "ds:checklists/ds:component-ref", context); + if (component_refs == NULL || component_refs->nodesetval == NULL) { ++ if (component_refs != NULL) ++ xmlXPathFreeObject(component_refs); + return res; + } + for (int i = 0; i < component_refs->nodesetval->nodeNr; i++) { diff --git a/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch b/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch new file mode 100644 index 0000000..0e44989 --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch @@ -0,0 +1,64 @@ +From 5f0a9033b466d929613a2a55a1524ec75c09b5b0 Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov +Date: Thu, 6 May 2021 08:14:12 +0200 +Subject: [PATCH] Introduce OSBuild Blueprint fix type + +--- + utils/oscap-xccdf.c | 7 +++++-- + utils/oscap.8 | 2 +- + xsl/xccdf-share.xsl | 1 + + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c +index 95c1c7658d..801e54fa35 100644 +--- a/utils/oscap-xccdf.c ++++ b/utils/oscap-xccdf.c +@@ -275,7 +275,8 @@ static struct oscap_module XCCDF_GEN_FIX = { + .usage = "[options] xccdf-file.xml", + .help = GEN_OPTS + "\nFix Options:\n" +- " --fix-type - Fix type. Should be one of: bash, ansible, puppet, anaconda (default: bash).\n" ++ " --fix-type - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n" ++ " blueprint (default: bash).\n" + " --output - Write the script into file.\n" + " --result-id - Fixes will be generated for failed rule-results of the specified TestResult.\n" + " --template - Fix template. (default: bash)\n" +@@ -887,10 +888,12 @@ int app_generate_fix(const struct oscap_action *action) + template = "urn:xccdf:fix:script:ignition"; + } else if (strcmp(action->fix_type, "kubernetes") == 0) { + template = "urn:xccdf:fix:script:kubernetes"; ++ } else if (strcmp(action->fix_type, "blueprint") == 0) { ++ template = "urn:redhat:osbuild:blueprint"; + } else { + fprintf(stderr, + "Unknown fix type '%s'.\n" +- "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes.\n" ++ "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint.\n" + "Or provide a custom template using '--template' instead.\n", + action->fix_type); + return OSCAP_ERROR; +diff --git a/utils/oscap.8 b/utils/oscap.8 +index 240b829d7b..6cae0ffe8a 100644 +--- a/utils/oscap.8 ++++ b/utils/oscap.8 +@@ -395,7 +395,7 @@ Result-oriented fixes are generated using result-id provided to select only the + Profile-oriented fixes are generated using all rules within the provided profile. If no result-id/profile are provided, (default) profile will be used to generate fixes. + .TP + \fB\-\-fix-type TYPE\fR +-Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN. ++Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN. + .TP + \fB\-\-output FILE\fR + Write the report to this file instead of standard output. +diff --git a/xsl/xccdf-share.xsl b/xsl/xccdf-share.xsl +index 9f8e587676..d7a9f3b7e2 100644 +--- a/xsl/xccdf-share.xsl ++++ b/xsl/xccdf-share.xsl +@@ -295,6 +295,7 @@ Authors: + Puppet snippet + Anaconda snippet + Kubernetes snippet ++ OSBuild Blueprint snippet + script + + diff --git a/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch b/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch new file mode 100644 index 0000000..a63f094 --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch @@ -0,0 +1,36 @@ +From b31cff1bc3a298cfa36a10476f2d633c290b6741 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 11 May 2021 13:20:18 +0200 +Subject: [PATCH] Replace getlogin by cuserid + +The getlogin() is used here to fill in the xccdf:identity element which +shall contain information about the system identity or user employed +during application of the benchmark. But, the getlogin() can return NULL +when there is no controlling terminal. This happened when testing oscap +on a test system with no pty. As an alternative, the system provides +also cuserid() function which gets the effective user ID of the process. +However, these 2 values differ when the program is executed under sudo. +From the user experience point of view, it would be better to have +displayed there the user logged in on the controlling terminal. As a +compromise, we will first attempt to obtain the name using getlogin() +and if that fails we will run cuserid(). +--- + src/XCCDF/result.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c +index cd03e6bd8f..cbe016c44a 100644 +--- a/src/XCCDF/result.c ++++ b/src/XCCDF/result.c +@@ -217,7 +217,10 @@ static inline void _xccdf_result_fill_identity(struct xccdf_result *result) + xccdf_identity_set_authenticated(id, 0); + xccdf_identity_set_privileged(id, 0); + #ifdef OSCAP_UNIX +- xccdf_identity_set_name(id, getlogin()); ++ char *name = getlogin(); ++ if (name == NULL) ++ name = cuserid(NULL); ++ xccdf_identity_set_name(id, name); + #elif defined(OS_WINDOWS) + GetUserName((TCHAR *) w32_username, &w32_usernamesize); /* XXX: Check the return value? */ + xccdf_identity_set_name(id, w32_username); diff --git a/SOURCES/openscap-1.3.6-PR-1756-yaml-nulls.patch b/SOURCES/openscap-1.3.6-PR-1756-yaml-nulls.patch new file mode 100644 index 0000000..9489211 --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1756-yaml-nulls.patch @@ -0,0 +1,150 @@ +From 89f99834ba183284a7d75835932a0c0ea4eb9007 Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov +Date: Mon, 17 May 2021 08:40:17 +0200 +Subject: [PATCH] oval/yamlfilecontent: Add 'null' values handling + +For now null values would be represented as string '(null)' as +record's field could not be attributed as nil="true" yet. +--- + .../independent/yamlfilecontent_probe.c | 9 ++++ + .../test_probes_yamlfilecontent_types.sh | 5 ++ + .../test_probes_yamlfilecontent_types.xml | 52 +++++++++++++++++++ + tests/probes/yamlfilecontent/types.yaml | 4 ++ + 4 files changed, 70 insertions(+) + +diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c +index 62a8f4ff29..2d0cac6991 100644 +--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c ++++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c +@@ -41,6 +41,7 @@ + #define OSCAP_YAML_BOOL_TAG "tag:yaml.org,2002:bool" + #define OSCAP_YAML_FLOAT_TAG "tag:yaml.org,2002:float" + #define OSCAP_YAML_INT_TAG "tag:yaml.org,2002:int" ++#define OSCAP_YAML_NULL_TAG "tag:yaml.org,2002:null" + + #define OVECCOUNT 30 /* should be a multiple of 3 */ + +@@ -135,6 +136,14 @@ static SEXP_t *yaml_scalar_event_to_sexp(yaml_event_t *event) + return NULL; + } + } ++ if (question || !strcmp(tag, OSCAP_YAML_NULL_TAG)) { ++ if (match_regex("^(null|Null|NULL|~|)$", value)) { ++ // TODO: Return real NULL when record's field will support nil="true" ++ return SEXP_string_new("(null)", strlen("(null)")); ++ } else if (!question) { ++ return NULL; ++ } ++ } + + return SEXP_string_new(value, strlen(value)); + } +diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh +index 4f110f6eb7..e445771d03 100755 +--- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh ++++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh +@@ -60,6 +60,11 @@ function test_probes_yamlfilecontent_types { + assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and @datatype!="boolean" and text()="true"]' + # string_number + assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and @datatype!="int" and text()="81"]' ++ # string_null ++ assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and text()="null"]' ++ ++ # null_1_2_3 ++ assert_exists 3 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and text()="(null)"]' + + # bool_error_cast, int_error_cast, float_error_cast + co='/oval_results/results/system/oval_system_characteristics/collected_objects' +diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml +index adf96571b8..503ec2d4a4 100644 +--- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml ++++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml +@@ -262,6 +262,19 @@ + + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +@@ -364,6 +377,21 @@ + + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +@@ -517,6 +545,30 @@ + types.yaml + .float_error_cast + ++ ++ ++ /tmp ++ types.yaml ++ .null_1 ++ ++ ++ ++ /tmp ++ types.yaml ++ .null_2 ++ ++ ++ ++ /tmp ++ types.yaml ++ .null_3 ++ ++ ++ ++ /tmp ++ types.yaml ++ .string_null ++ + + + +diff --git a/tests/probes/yamlfilecontent/types.yaml b/tests/probes/yamlfilecontent/types.yaml +index f05fa3a967..fb26eab5f0 100644 +--- a/tests/probes/yamlfilecontent/types.yaml ++++ b/tests/probes/yamlfilecontent/types.yaml +@@ -19,7 +19,11 @@ bool_false_cast: !!bool "false" + int_cast: !!int "369" + float_cast: !!float "978.65" + string_true: "true" ++string_null: "null" + string_number: "81" + bool_error_cast: !!bool "falsee" + int_error_cast: !!int "50%" + float_error_cast: !!float "58.41$" ++null_1: null ++null_2: ++null_3: !!null "null" diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index b91188d..900978e 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -1,20 +1,18 @@ Name: openscap -Version: 1.3.4 +Version: 1.3.5 Release: 6%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz -Patch1: openscap-1.3.5-plug-memory-leak-PR_1616.patch -Patch2: openscap-1.3.5-coverity1-PR_1617.patch -Patch3: openscap-1.3.5-coverity2-PR_1620.patch -Patch4: openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch -Patch5: openscap-1.3.5-memory-PR_1627.patch -Patch6: openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch -Patch7: openscap-1.3.5-test-non-local-gpfs-PR_1653.patch -Patch8: openscap-1.3.6-PR-1779-initialize-crapi-once.patch -Patch9: openscap-1.3.6-PR-1788-test-rhbz1959570.patch +Patch1: openscap-1.3.6-PR-1745-waive-hugepages.patch +Patch2: openscap-1.3.6-PR-1748-covscan.patch +Patch3: openscap-1.3.6-PR-1749-blueprint-fix.patch +Patch4: openscap-1.3.6-PR-1753-getlogin.patch +Patch5: openscap-1.3.6-PR-1756-yaml-nulls.patch +Patch6: openscap-1.3.6-PR-1779-initialize-crapi-once.patch +Patch7: openscap-1.3.6-PR-1788-test-rhbz1959570.patch BuildRequires: cmake >= 2.6 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser BuildRequires: rpm-devel @@ -31,6 +29,7 @@ BuildRequires: GConf2-devel BuildRequires: glib2-devel BuildRequires: dbus-devel BuildRequires: libyaml-devel +BuildRequires: xmlsec1-devel xmlsec1-openssl-devel %if %{?_with_check:1}%{!?_with_check:0} BuildRequires: perl-XML-XPath BuildRequires: bzip2 @@ -49,6 +48,7 @@ Requires: openldap Requires: popt # RHEL8 has procps-ng, which provides procps Requires: procps +Requires: xmlsec1 xmlsec1-openssl Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig Obsoletes: python2-openscap @@ -221,8 +221,28 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/oscap-run-sce-script %changelog -* Mon Aug 30 2021 Jan Černý - 1.3.4-6 -- Initialize crypto API only once (rhbz#1998045) +* Wed Jul 28 2021 Jan Černý - 1.3.5-6 +- Initialize crypto API only once (rhbz#1959570) + +* Wed Jul 14 2021 Evgenii Kolesnikov - 1.3.5-5 +- Add 'null' values handling to the yamlfilecontent probe (RHBZ#1981691) + +* Tue Jun 01 2021 Jan Černý - 1.3.5-4 +- Replace getlogin by cuserid + +* Mon May 10 2021 Evgenii Kolesnikov - 1.3.5-3 +- Waive known issue with hugepages in upstream testsuite (RHBZ#1912000) +- Fix issues reported by the coverity scan +- Introduce OSBuild 'blueprint' fix type + +* Tue May 04 2021 Evgenii Kolesnikov - 1.3.5-2 +- Fix changelog (add missing 1.3.3-6 entry) + +* Thu Apr 29 2021 Evgenii Kolesnikov - 1.3.5-1 +- Upgrade to the latest upstream release (RHBZ#1953092) +- Fix segfault when using --stig-viewer option and latest XML file from DoD (RHBZ#1912000) +- Improve doc about --stig-viewer (RHBZ#1918759) +- Backport an upstream patch adding CentOS CPE (RHBZ#1907935) * Wed Nov 25 2020 Evgenii Kolesnikov - 1.3.4-5 - Add check for non-local GPFS file system into Test Suite (RHBZ#1840578) @@ -233,6 +253,10 @@ rm -rf $RPM_BUILD_ROOT * Tue Nov 10 2020 Jan Černý - 1.3.4-3 - Fix memory allocation (RHBZ#1891770) +* Thu Oct 29 2020 Evgenii Kolesnikov - 1.3.3-6 +- Enable profile composition with a specific platform (RHBZ#1896676) +- Enable YAML probe to work with sets of values (RHBZ#1895715) + * Mon Oct 26 2020 Evgenii Kolesnikov - 1.3.4-2 - Fix problems uncovered by the Coverity Scan (RHBZ#1887794)