import openscap-1.3.4-6.el8_4

SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch

@@ -0,0 +1,136 @@
+From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 8 Jul 2021 14:28:16 +0200
+Subject: [PATCH 1/3] Initialize crypto API only once
+
+The function `crapi_init` calls `gcry_check_version` which must be
+called before any other function from the Libgcrypt library. That might
+be violated when multiple threads executing multiple probes are running.
+The mitigation proposed in this PR is to call `crapi_init` only once
+when the session is initialized which means before any threads are
+spawned.
+
+See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
+
+Resolves: RHBZ#1959570
+---
+ src/OVAL/oval_probe_session.c                  | 5 +++++
+ src/OVAL/probes/independent/filehash58_probe.c | 6 ------
+ src/OVAL/probes/independent/filehash_probe.c   | 6 ------
+ src/OVAL/probes/independent/filemd5_probe.c    | 6 ------
+ 4 files changed, 5 insertions(+), 18 deletions(-)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 435ca148fd..6f6d7ad426 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
+ 	SEXP_free((SEXP_t *)exp);
+ 
+         ncache_libinit();
++	/*
++	 * Initialize crypto API
++	 */
++	if (crapi_init (NULL) != 0)
++		return (NULL);
+ }
+ 
+ /**
+diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
+index ff1e065746..32a38562bd 100644
+--- a/src/OVAL/probes/independent/filehash58_probe.c
++++ b/src/OVAL/probes/independent/filehash58_probe.c
+@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
+ 
+ void *filehash58_probe_init(void)
+ {
+-	/*
+-	 * Initialize crypto API
+-	 */
+-	if (crapi_init (NULL) != 0)
+-		return (NULL);
+-
+ 	/*
+ 	 * Initialize mutex.
+ 	 */
+diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
+index 522d976512..6d8780dc95 100644
+--- a/src/OVAL/probes/independent/filehash_probe.c
++++ b/src/OVAL/probes/independent/filehash_probe.c
+@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
+ 
+ void *filehash_probe_init(void)
+ {
+-        /*
+-         * Initialize crypto API
+-         */
+-        if (crapi_init (NULL) != 0)
+-                return (NULL);
+-
+         /*
+          * Initialize mutex.
+          */
+diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
+index d0de402d8b..99913581f0 100644
+--- a/src/OVAL/probes/independent/filemd5_probe.c
++++ b/src/OVAL/probes/independent/filemd5_probe.c
+@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
+ 
+ void *probe_init (void)
+ {
+-        /*
+-         * Initialize crypto API
+-         */
+-        if (crapi_init (NULL) != 0)
+-                return (NULL);
+-
+         /*
+          * Initialize mutex.
+          */
+
+From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 13 Jul 2021 13:03:21 +0200
+Subject: [PATCH 2/3] Add a missing include
+
+---
+ src/OVAL/oval_probe_session.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 6f6d7ad426..295782b536 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -48,6 +48,7 @@
+ #include "oval_probe_ext.h"
+ #include "probe-table.h"
+ #include "oval_types.h"
++#include "crapi/crapi.h"
+ 
+ #if defined(OSCAP_THREAD_SAFE)
+ #include <pthread.h>
+
+From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 15 Jul 2021 14:21:00 +0200
+Subject: [PATCH 3/3] Don't initialize crypto on Windows
+
+---
+ src/OVAL/oval_probe_session.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 295782b536..b443cbcc80 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
+ 	/*
+ 	 * Initialize crypto API
+ 	 */
++#ifndef OS_WINDOWS
+ 	if (crapi_init (NULL) != 0)
+ 		return (NULL);
++#endif
+ }
+ 
+ /**

SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch

@@ -0,0 +1,97 @@
+From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 28 Jul 2021 13:06:25 +0200
+Subject: [PATCH] Add a regression test for rhbz#1959570
+
+The bug was a segmentation fault in filehash58 probe which happened
+in openscap-1.3.3-6.el8_3.
+
+The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779
+and this patch adds a very small test.
+---
+ tests/probes/filehash58/CMakeLists.txt        |  1 +
+ .../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++
+ .../rhbz1959570_segfault_reproducer.xml       | 39 +++++++++++++++++++
+ 3 files changed, 59 insertions(+)
+ create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh
+ create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+
+diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt
+index b26d8171fb..cdec0792eb 100644
+--- a/tests/probes/filehash58/CMakeLists.txt
++++ b/tests/probes/filehash58/CMakeLists.txt
+@@ -1,3 +1,4 @@
+ if(ENABLE_PROBES_INDEPENDENT)
+ 	add_oscap_test("test_probes_filehash58.sh")
++	add_oscap_test("rhbz1959570_segfault.sh")
+ endif()
+diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh
+new file mode 100755
+index 0000000000..0c32cc79f1
+--- /dev/null
++++ b/tests/probes/filehash58/rhbz1959570_segfault.sh
+@@ -0,0 +1,19 @@
++#!/usr/bin/env bash
++
++# Copyright 2021 Red Hat Inc., Durham, North Carolina.
++# All Rights Reserved.
++#
++# OpenSCAP Probes Test Suite.
++#
++# Authors:
++#      Jan Černý, <jcerny@redhat.com>
++
++set -e -o pipefail
++. $builddir/tests/test_common.sh
++
++# Test Cases
++
++stderr="$(mktemp)"
++$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr"
++[ ! -s "$stderr" ]
++rm "$stderr"
+diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+new file mode 100644
+index 0000000000..4b3fc4863a
+--- /dev/null
++++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+@@ -0,0 +1,39 @@
++<?xml version="1.0"?>
++<oval-def:oval_definitions xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
++  <oval-def:generator>
++    <oval:product_name>jcerny</oval:product_name>
++    <oval:product_version>1</oval:product_version>
++    <oval:schema_version>5.11</oval:schema_version>
++    <oval:timestamp>2021-07-28T07:40:55</oval:timestamp>
++  </oval-def:generator>
++  <oval-def:definitions>
++    <oval-def:definition class="compliance" id="oval:x:def:1" version="1">
++      <oval-def:metadata>
++        <oval-def:title>title</oval-def:title>
++        <oval-def:description>description</oval-def:description>
++      </oval-def:metadata>
++      <oval-def:criteria>
++        <oval-def:criterion comment="comment" test_ref="oval:x:tst:1"/>
++      </oval-def:criteria>
++    </oval-def:definition>
++  </oval-def:definitions>
++  <oval-def:tests>
++    <ind:filehash58_test check="all" check_existence="all_exist" comment="comment" id="oval:x:tst:1" version="1">
++      <ind:object object_ref="oval:x:obj:1"/>
++      <ind:state state_ref="oval:x:ste:1"/>
++    </ind:filehash58_test>
++  </oval-def:tests>
++  <oval-def:objects>
++    <ind:filehash58_object id="oval:x:obj:1" version="1">
++      <ind:filepath>/etc/os-release</ind:filepath>
++      <ind:hash_type>SHA-256</ind:hash_type>
++    </ind:filehash58_object>
++  </oval-def:objects>
++  <oval-def:states>
++    <ind:filehash58_state id="oval:x:ste:1" version="1">
++      <ind:filepath>/etc/os-release</ind:filepath>
++      <ind:hash_type>SHA-256</ind:hash_type>
++      <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
++    </ind:filehash58_state>
++  </oval-def:states>
++</oval-def:oval_definitions>

SPECS/openscap.spec

@@ -1,6 +1,6 @@
 Name:           openscap
 Version:        1.3.4
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 Group:          System Environment/Libraries
 License:        LGPLv2+
@@ -13,6 +13,8 @@ Patch4:         openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch
 Patch5:         openscap-1.3.5-memory-PR_1627.patch
 Patch6:         openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch
 Patch7:         openscap-1.3.5-test-non-local-gpfs-PR_1653.patch
+Patch8:         openscap-1.3.6-PR-1779-initialize-crapi-once.patch
+Patch9:         openscap-1.3.6-PR-1788-test-rhbz1959570.patch
 BuildRequires:  cmake >= 2.6
 BuildRequires:  swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires:  rpm-devel
@@ -219,6 +221,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/oscap-run-sce-script
 
 %changelog
+* Mon Aug 30 2021 Jan Černý <jcerny@redhat.com> - 1.3.4-6
+- Initialize crypto API only once (rhbz#1998045)
+
 * Wed Nov 25 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-5
 - Add check for non-local GPFS file system into Test Suite (RHBZ#1840578)