Remove SHA-1 and MD5, fix coverity issues

Resolves: rhbz#1936619 Resolves: rhbz#1938830
2021-07-22 09:19:54 +02:00 · 2021-07-22 09:19:54 +02:00 · 286e29fdb1
commit 286e29fdb1
parent 71d8346d4a
4 changed files with 2264 additions and 1 deletions
--- a/openscap-1.3.6-coverity-issues-pr-1748.patch
+++ b/openscap-1.3.6-coverity-issues-pr-1748.patch
@ -0,0 +1,52 @@
+From 378ef5e438a2f5af7a50374d2bd23bdd3403201f Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Tue, 4 May 2021 08:41:06 +0200
+Subject: [PATCH] Fix covscan-reported issues in yamlfilecontent probe and
+ schematron
+
+Error: FORWARD_NULL (CWE-476): [#def1]
+/OVAL/probes/independent/yamlfilecontent_probe.c:392: var_compare_op: Comparing "yaml_file" to null implies that "yaml_file" might be null.
+/OVAL/probes/independent/yamlfilecontent_probe.c:417: var_deref_model: Passing null pointer "yaml_file" to "fclose", which dereferences it.
+#  416|   cleanup:
+#  417|-> 	fclose(yaml_file);
+#  418|   	yaml_parser_delete(&parser);
+
+Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
+/source/schematron.c:549: alloc_fn: Storage is returned from allocation function "xmlXPathNodeEval".
+/source/schematron.c:549: var_assign: Assigning: "component_refs" = storage returned from "xmlXPathNodeEval(data_stream_node, (xmlChar *)"ds:checklists/ds:component-ref", context)".
+/source/schematron.c:551: leaked_storage: Variable "component_refs" going out of scope leaks the storage it points to.
+#  550|   	if (component_refs == NULL || component_refs->nodesetval == NULL) {
+#  551|-> 		return res;
+#  552|   	}
+---
+ src/OVAL/probes/independent/yamlfilecontent_probe.c | 3 ++-
+ src/source/schematron.c                             | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
+index ed5ce0d68..62a8f4ff2 100644
+--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
+@@ -414,7 +414,8 @@ static int process_yaml_file(const char *prefix, const char *path, const char *f
+ 	}
+ 
+ cleanup:
+-	fclose(yaml_file);
+	if (yaml_file != NULL)
+		fclose(yaml_file);
+ 	yaml_parser_delete(&parser);
+ 	free(filepath_with_prefix);
+ 	free(filepath);
+diff --git a/src/source/schematron.c b/src/source/schematron.c
+index 6cb22658b..c32d5aed6 100644
+--- a/src/source/schematron.c
+++ b/src/source/schematron.c
+@@ -548,6 +548,8 @@ static bool _req_src_346_1_sub1(xmlNodePtr data_stream_node, xmlXPathContextPtr
+ 	/* every $m in ds:checklists/ds:component-ref satisfies ... */
+ 	xmlXPathObjectPtr component_refs = xmlXPathNodeEval(data_stream_node, BAD_CAST "ds:checklists/ds:component-ref", context);
+ 	if (component_refs == NULL || component_refs->nodesetval == NULL) {
+		if (component_refs != NULL)
+			xmlXPathFreeObject(component_refs);
+ 		return res;
+ 	}
+ 	for (int i = 0; i < component_refs->nodesetval->nodeNr; i++) {
--- a/openscap-1.3.6-coverity-issues-pr-1778.patch
+++ b/openscap-1.3.6-coverity-issues-pr-1778.patch
@ -0,0 +1,248 @@
+From 6885a1caaad68f0844715cca90fd0d913e19aba5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 1 Jul 2021 16:06:23 +0200
+Subject: [PATCH 1/9] Plug a memory leak
+
+Addressing:
+
+1. openscap-1.3.5/src/OVAL/probes/independent/system_info_probe.c:738:6: warning[unix.Malloc]: Potential leak of memory pointed to by 'hname'
+   736|   		hname = strdup(unknown);
+   737|
+   738|-> 	if (__sysinfo_saneval(os_name) < 1 ||
+   739|   		__sysinfo_saneval(os_version) < 1 ||
+   740|   		__sysinfo_saneval(architecture) < 1 ||
+---
+ src/OVAL/probes/independent/system_info_probe.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/independent/system_info_probe.c b/src/OVAL/probes/independent/system_info_probe.c
+index 8251e655e..9f680e14d 100644
+--- a/src/OVAL/probes/independent/system_info_probe.c
+++ b/src/OVAL/probes/independent/system_info_probe.c
+@@ -732,8 +732,13 @@ int system_info_probe_main(probe_ctx *ctx, void *arg)
+ 	if (!architecture)
+ 		architecture = strdup(unknown);
+ 
+-	if (!hname || *hname == '\0')
+	if (hname && *hname == '\0') {
+		free(hname);
+		hname = NULL;
+	}
+	if (!hname) {
+ 		hname = strdup(unknown);
+	}
+ 
+ 	if (__sysinfo_saneval(os_name) < 1 ||
+ 		__sysinfo_saneval(os_version) < 1 ||
+
+From a600fa5d034daa408d277f91ceefd29b5ab10213 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 1 Jul 2021 16:43:46 +0200
+Subject: [PATCH 2/9] Fix a possible NULL dereference
+
+Addressing:
+openscap-1.3.5/utils/oscap-tool.c:78:11: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'to'
+---
+ utils/oscap-tool.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/utils/oscap-tool.c b/utils/oscap-tool.c
+index 62c4cde0e..d37fbb0e5 100644
+--- a/utils/oscap-tool.c
+++ b/utils/oscap-tool.c
+@@ -73,7 +73,8 @@ static size_t paramlist_size(const char **p) { size_t s = 0; if (!p) return s; w
+ 
+ static size_t paramlist_cpy(const char **to, const char **p) {
+     size_t s = 0;
+-    if (!p) return s;
+    if (!to || !p)
+        return s;
+     for (;p && p[s]; s += 2) to[s] = p[s], to[s+1] = p[s+1];
+     to[s] = p[s];
+     return s;
+
+From d7bb7e755b262424e5970f2bcc2d2af670f8ac63 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 1 Jul 2021 17:03:09 +0200
+Subject: [PATCH 3/9] Fix a possible NULL dereference
+
+Addressing:
+openscap-1.3.5/src/source/xslt.c:124:21: warning[-Wanalyzer-possible-null-argument]: use of possibly-NULL 'strdup(xsltfile)' where non-null expected
+---
+ src/source/xslt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/source/xslt.c b/src/source/xslt.c
+index 0d01c535b..24c4c46e9 100644
+--- a/src/source/xslt.c
+++ b/src/source/xslt.c
+@@ -105,7 +105,7 @@ static inline int save_stylesheet_result_to_file(xmlDoc *resulting_doc, xsltStyl
+ static xmlDoc *apply_xslt_path_internal(struct oscap_source *source, const char *xsltfile, const char **params, const char *path_to_xslt, xsltStylesheet **stylesheet)
+ {
+ 	xmlDoc *doc = oscap_source_get_xmlDoc(source);
+-	if (doc == NULL || stylesheet == NULL) {
+	if (doc == NULL || stylesheet == NULL || xsltfile == NULL) {
+ 		return NULL;
+ 	}
+ 
+
+From a51952f0bc66402c3b68783ee9deaf3b4ecd529e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 2 Jul 2021 10:12:31 +0200
+Subject: [PATCH 4/9] Fix possible NULL dereference
+
+Addressing:
+
+openscap-1.3.5/src/XCCDF/xccdf_session.c:1349:15: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'to'
+---
+ src/XCCDF/xccdf_session.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
+index 9d8f42c44..10735214c 100644
+--- a/src/XCCDF/xccdf_session.c
+++ b/src/XCCDF/xccdf_session.c
+@@ -1344,7 +1344,8 @@ static size_t _paramlist_size(const char **p) { size_t s = 0; if (!p) return s;
+ 
+ static size_t _paramlist_cpy(const char **to, const char **p) {
+ 	size_t s = 0;
+-	if (!p) return s;
+	if (!to || !p)
+		return s;
+ 	for (;p && p[s]; s += 2) to[s] = p[s], to[s+1] = p[s+1];
+ 	to[s] = p[s];
+ 	return s;
+
+From 2f0ad2e9a7bbd69ecad14b28de6e12d237bcbf9b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 2 Jul 2021 10:15:39 +0200
+Subject: [PATCH 5/9] Fix possible NULL dereference
+
+Addressing:
+openscap-1.3.5/src/OVAL/results/oval_cmp_evr_string.c:132:16: warning[-Wanalyzer-null-dereference]: dereference of NULL 's'
+---
+ src/OVAL/results/oval_cmp_evr_string.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/OVAL/results/oval_cmp_evr_string.c b/src/OVAL/results/oval_cmp_evr_string.c
+index 89e51729b..b195a73f7 100644
+--- a/src/OVAL/results/oval_cmp_evr_string.c
+++ b/src/OVAL/results/oval_cmp_evr_string.c
+@@ -128,6 +128,9 @@ static void parseEVR(char *evr, const char **ep, const char **vp, const char **r
+ 	const char *release;
+ 	char *s, *se;
+ 
+	if (!evr)
+		return;
+
+ 	s = evr;
+ 	while (*s && risdigit(*s)) s++;		/* s points to epoch terminator */
+ 	se = strrchr(s, '-');			/* se points to version terminator */
+
+From fe351d432d25d48116ec077671c97f0a2d996c82 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 2 Jul 2021 10:26:03 +0200
+Subject: [PATCH 6/9] Fix possible NULL dereference
+
+openscap-1.3.5/src/OVAL/probes/unix/xinetd_probe.c:1492:56: warning[-Wanalyzer-null-dereference]: dereference of NULL 'valstr_array'
+---
+ src/OVAL/probes/unix/xinetd_probe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
+index 009fb4c4c..b3375500d 100644
+--- a/src/OVAL/probes/unix/xinetd_probe.c
+++ b/src/OVAL/probes/unix/xinetd_probe.c
+@@ -1483,6 +1483,10 @@ int op_remove_strl(void *var, char *val)
+ 		valstr_array[valstr_array_size-1] = tok;
+ 		valstr_array[valstr_array_size] = NULL;
+ 	}
+	if (valstr_array == NULL) {
+		free(newstr_array);
+		return -2;
+	}
+ 
+ 	// Remove the insersection from the string array
+ 	newstr_array_size = 0;
+
+From 0ae47d335db49f049ba5bad5ba69c3bdbb0a55bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 2 Jul 2021 10:52:28 +0200
+Subject: [PATCH 7/9] Fix possible NULL dereference
+
+The function oval_criteria_node_new can return NULL in multiple situations.
+
+Addressing:
+openscap-1.3.5/src/OVAL/oval_criteriaNode.c:390:28: warning[-Wanalyzer-null-dereference]: dereference of NULL 'node'
+---
+ src/OVAL/oval_criteriaNode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/OVAL/oval_criteriaNode.c b/src/OVAL/oval_criteriaNode.c
+index de9081f9d..975a480a4 100644
+--- a/src/OVAL/oval_criteriaNode.c
+++ b/src/OVAL/oval_criteriaNode.c
+@@ -387,6 +387,11 @@ int oval_criteria_parse_tag(xmlTextReaderPtr reader, struct oval_parser_context
+ 		assert(context != NULL);	/* This is not asserted as attribute, because we
+ 						   can pass NULL pointer in case of OVAL_NODETYPE_UNKNOWN */
+ 		struct oval_criteria_node *node = oval_criteria_node_new(context->definition_model, type);
+		if (node == NULL) {
+			free(tagname);
+			free(namespace);
+			return 1;
+		}
+ 		node->type = type;
+ 		char *comm = (char *)xmlTextReaderGetAttribute(reader, BAD_CAST "comment");
+ 		if (comm != NULL) {
+
+From 832cba38133f59dc27b0e9f6d2d6eddb7604577a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 2 Jul 2021 11:02:51 +0200
+Subject: [PATCH 8/9] Fix possible NULL dereference
+
+Addressing:
+openscap-1.3.5/src/OVAL/oval_component.c:2371:83: warning[-Wanalyzer-null-dereference]: dereference of NULL 'vcl_root
+---
+ src/OVAL/oval_component.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/OVAL/oval_component.c b/src/OVAL/oval_component.c
+index 96788a471..95004bd80 100644
+--- a/src/OVAL/oval_component.c
+++ b/src/OVAL/oval_component.c
+@@ -2368,6 +2368,9 @@ static oval_syschar_collection_flag_t _oval_component_evaluate_ARITHMETIC(oval_a
+ 	}
+ 	oval_component_iterator_free(subcomps);
+ 
+	if (vcl_root == NULL) {
+		return SYSCHAR_FLAG_ERROR;
+	}
+ 	val_itr = (struct oval_value_iterator *) oval_collection_iterator(vcl_root->val_col);
+ 	while (oval_value_iterator_has_more(val_itr)) {
+ 		struct oval_value *ov;
+
+From 3fb63f51f45af8edf2b8044445bfc5cb7092b7a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 2 Jul 2021 11:10:03 +0200
+Subject: [PATCH 9/9] Fix possible NULL dereference
+
+Addressing:
+openscap-1.3.5/src/DS/rds_index.c:124:21: warning[-Wanalyzer-null-argument]: use of NULL 'id' where non-null expected
+---
+ src/DS/rds_index.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/DS/rds_index.c b/src/DS/rds_index.c
+index 374b55d64..cc0e2bbed 100644
+--- a/src/DS/rds_index.c
+++ b/src/DS/rds_index.c
+@@ -117,6 +117,9 @@ struct rds_asset_index* rds_index_get_asset(struct rds_index *rds, const char *i
+ {
+ 	struct rds_asset_index *ret = NULL;
+ 
+	if (id == NULL)
+		return ret;
+
+ 	struct rds_asset_index_iterator *it = rds_index_get_assets(rds);
+ 	while (rds_asset_index_iterator_has_more(it))
+ 	{
--- a/openscap-1.3.6-disable-sha1-md5-pr-1781.patch
+++ b/openscap-1.3.6-disable-sha1-md5-pr-1781.patch
--- a/openscap.spec
+++ b/openscap.spec
@ -1,6 +1,6 @@
 Name:           openscap
 Version:        1.3.5
-Release:        4%{?dist}
+Release:        5%{?dist}
 Epoch:          1
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 License:        LGPLv2+
@ -13,6 +13,9 @@ Patch4:         openscap-1.3.6-ubi9-pr-1772.patch
 Patch5:         openscap-1.3.6-rpminspect-xml-pr-1773.patch
 Patch6:         openscap-1.3.6-fix-failing-test-pr-1775.patch
 Patch7:         openscap-1.3.6-yamlfile-null-pr-1756.patch
+Patch8:         openscap-1.3.6-coverity-issues-pr-1748.patch
+Patch9:         openscap-1.3.6-coverity-issues-pr-1778.patch
+Patch10:        openscap-1.3.6-disable-sha1-md5-pr-1781.patch
 BuildRequires:  cmake >= 2.6
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@ -123,6 +126,8 @@ for developing applications that use %{name}-engine-sce.
 # gconf is a legacy system not used any more, and it blocks testing of oscap-anaconda-addon
 # as gconf is no longer part of the installation medium
 %cmake \
+    -DOPENSCAP_ENABLE_SHA1=OFF \
+    -DOPENSCAP_ENABLE_MD5=OFF \
    -DENABLE_PERL=OFF \
    -DENABLE_DOCS=ON \
    -DENABLE_OSCAP_UTIL_DOCKER=OFF \
@ -198,6 +203,10 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %{_bindir}/oscap-run-sce-script

 %changelog
+* Thu Jul 22 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-5
+- Remove support for SHA-1 and MD5 (rhbz#1936619)
+- Fix coverity findings (rhbz#1938830)
+
 * Tue Jun 29 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-4
 - Fix failing test tests/API/XCCDF/unittests/test_profile_selection_by_suffix.sh
 - Add 'null' yamlfilecontent values handling