rpms/openscap
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import openscap-1.3.5-2.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-05-05 22:18:34 +00:00 committed by Andrew Lukoshko
parent 9e46cbccf4
commit 2e1bf8a8a9
10 changed files with 19 additions and 564 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openscap-1.3.4.tar.gz
SOURCES/openscap-1.3.5.tar.gz

2
.openscap.metadata
View File

@ -1 +1 @@
3e303f06aa00e5c2616db606b980389ee0b73883 SOURCES/openscap-1.3.4.tar.gz
77494383980082f8bc625a6e196a6760d30a5107 SOURCES/openscap-1.3.5.tar.gz

162
SOURCES/openscap-1.3.5-coverity1-PR_1617.patch
View File

@ -1,162 +0,0 @@
From 0311ac9d8368acd5baac8b7fc6f753bd895ea3fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 6 Oct 2020 13:32:19 +0200
Subject: [PATCH 1/2] Fix Coverity warnings
Addressing multiple Coverity defects similar to this one:
Defect type: CHECKED_RETURN
check_return: Calling "curl_easy_setopt(curl, _curl_opt, _curl_trace)"
without checking return value. This library function may fail and return
an error code.
---
src/common/oscap_acquire.c | 65 +++++++++++++++++++++++++++++++-------
1 file changed, 53 insertions(+), 12 deletions(-)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index 666f4f5c9..34a92fa19 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -326,18 +326,59 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
return NULL;
}
- struct oscap_buffer* buffer = oscap_buffer_new();
-
- curl_easy_setopt(curl, CURLOPT_URL, url);
- curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
- curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
- curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
- curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true);
- curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
- curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
- curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace);
-
- CURLcode res = curl_easy_perform(curl);
+ CURLcode res;
+
+ res = curl_easy_setopt(curl, CURLOPT_URL, url);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_URL to '%s': %s", url, curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEFUNCTION to write_to_memory_callback: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_ACCEPT_ENCODING to an empty string: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_TRANSFER_ENCODING to true: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FOLLOWLOCATION to true: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_VERBOSE to true: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_DEBUGFUNCTION to _curl_trace: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ struct oscap_buffer *buffer = oscap_buffer_new();
+ res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEDATA as buffer: %s", curl_easy_strerror(res));
+ oscap_buffer_free(buffer);
+ return NULL;
+ }
+
+ res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
if (res != 0) {
From 34af1348b6ff6e4710aeb6e383b1a50c4751c16e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 26 Oct 2020 11:12:04 +0100
Subject: [PATCH 2/2] Add curl_easy_cleanup everywhere
---
src/common/oscap_acquire.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index 34a92fa19..cd9bfc36f 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -330,42 +330,49 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
res = curl_easy_setopt(curl, CURLOPT_URL, url);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_URL to '%s': %s", url, curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEFUNCTION to write_to_memory_callback: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_ACCEPT_ENCODING to an empty string: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_TRANSFER_ENCODING to true: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FOLLOWLOCATION to true: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_VERBOSE to true: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_DEBUGFUNCTION to _curl_trace: %s", curl_easy_strerror(res));
return NULL;
}
@@ -373,6 +380,7 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
struct oscap_buffer *buffer = oscap_buffer_new();
res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEDATA as buffer: %s", curl_easy_strerror(res));
oscap_buffer_free(buffer);
return NULL;

147
SOURCES/openscap-1.3.5-coverity2-PR_1620.patch
View File

@ -1,147 +0,0 @@
From 538c70780b49a36a4d2420ef93b87b78817dc14c Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Mon, 26 Oct 2020 08:31:53 +0100
Subject: [PATCH] Covscan fixes
---
src/OVAL/probes/fsdev.c | 2 +-
src/OVAL/probes/independent/yamlfilecontent_probe.c | 5 +++--
src/OVAL/probes/unix/fileextendedattribute_probe.c | 2 +-
src/OVAL/probes/unix/linux/partition_probe.c | 2 +-
src/OVAL/probes/unix/xinetd_probe.c | 7 ++++++-
src/XCCDF/xccdf_session.c | 4 ++--
utils/oscap-tool.c | 6 +++++-
utils/oscap-xccdf.c | 3 +--
8 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c
index b2b984441..c82ab620b 100644
--- a/src/OVAL/probes/fsdev.c
+++ b/src/OVAL/probes/fsdev.c
@@ -219,7 +219,7 @@ static fsdev_t *__fsdev_init(fsdev_t *lfs)
endmntent(fp);
void *new_ids = realloc(lfs->ids, sizeof(dev_t) * i);
- if (new_ids == NULL) {
+ if (new_ids == NULL && i > 0) {
e = errno;
free(lfs->ids);
free(lfs);
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index 6f18abf83..e7e6cb3f5 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -216,12 +216,13 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
result_error("YAML parser error: %s", parser.problem);
goto cleanup;
}
+
+ event_type = event.type;
+
if (yaml_path_filter_event(yaml_path, &parser, &event) == YAML_PATH_FILTER_RESULT_OUT) {
goto next;
}
- event_type = event.type;
-
if (sequence) {
if (event_type == YAML_SEQUENCE_END_EVENT) {
sequence = false;
diff --git a/src/OVAL/probes/unix/fileextendedattribute_probe.c b/src/OVAL/probes/unix/fileextendedattribute_probe.c
index b442ea540..ee853886a 100644
--- a/src/OVAL/probes/unix/fileextendedattribute_probe.c
+++ b/src/OVAL/probes/unix/fileextendedattribute_probe.c
@@ -298,7 +298,7 @@ static int file_cb(const char *prefix, const char *p, const char *f, void *ptr,
// Allocate buffer, '+1' is for trailing '\0'
void *new_xattr_val = realloc(xattr_val, sizeof(char) * (xattr_vallen + 1));
- if (xattr_val == NULL) {
+ if (new_xattr_val == NULL) {
dE("Failed to allocate memory for xattr_val");
free(xattr_val);
goto exit;
diff --git a/src/OVAL/probes/unix/linux/partition_probe.c b/src/OVAL/probes/unix/linux/partition_probe.c
index a74c0323a..adb244b04 100644
--- a/src/OVAL/probes/unix/linux/partition_probe.c
+++ b/src/OVAL/probes/unix/linux/partition_probe.c
@@ -207,7 +207,7 @@ static int collect_item(probe_ctx *ctx, oval_schema_version_t over, struct mnten
mnt_ocnt = add_mnt_opt(&mnt_opts, mnt_ocnt, "move");
}
- dD("mnt_ocnt = %d, mnt_opts[mnt_ocnt]=%p", mnt_ocnt, mnt_opts[mnt_ocnt]);
+ dD("mnt_ocnt = %d, mnt_opts[mnt_ocnt]=%p", mnt_ocnt, mnt_opts == NULL ? NULL : mnt_opts[mnt_ocnt]);
/*
* "Correct" the type (this won't be (hopefully) needed in a later version
diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
index 75b12f95b..d61c7d547 100644
--- a/src/OVAL/probes/unix/xinetd_probe.c
+++ b/src/OVAL/probes/unix/xinetd_probe.c
@@ -566,7 +566,12 @@ static int xiconf_add_cfile(xiconf_t *xiconf, const char *path, int depth)
}
xifile->depth = depth;
- xiconf->cfile = realloc(xiconf->cfile, sizeof(xiconf_file_t *) * ++xiconf->count);
+ void *cfile = realloc(xiconf->cfile, sizeof(xiconf_file_t *) * ++xiconf->count);
+ if (cfile == NULL) {
+ dE("Failed re-allocate memory for cfile");
+ return (-1);
+ }
+ xiconf->cfile = cfile;
xiconf->cfile[xiconf->count - 1] = xifile;
dD("Added new file to the cfile queue: %s; fi=%zu", path, xiconf->count - 1);
diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
index 8bd394e2f..f1b837959 100644
--- a/src/XCCDF/xccdf_session.c
+++ b/src/XCCDF/xccdf_session.c
@@ -286,9 +286,9 @@ static struct oscap_source *xccdf_session_extract_arf_source(struct xccdf_sessio
}
struct tm *tm_mtime = malloc(sizeof(struct tm));
#ifdef OS_WINDOWS
- tm_mtime = localtime_s(tm_mtime, &file_stat.st_mtime);
+ localtime_s(tm_mtime, &file_stat.st_mtime);
#else
- tm_mtime = localtime_r(&file_stat.st_mtime, tm_mtime);
+ localtime_r(&file_stat.st_mtime, tm_mtime);
#endif
strftime(tailoring_doc_timestamp, max_timestamp_len,
"%Y-%m-%dT%H:%M:%S", tm_mtime);
diff --git a/utils/oscap-tool.c b/utils/oscap-tool.c
index 9bfe52697..660a19047 100644
--- a/utils/oscap-tool.c
+++ b/utils/oscap-tool.c
@@ -315,7 +315,10 @@ static void getopt_parse_env(struct oscap_module *module, int *argc, char ***arg
opt = oscap_strtok_r(opts, delim, &state);
while (opt != NULL) {
eargc++;
- eargv = realloc(eargv, eargc * sizeof(char *));
+ void *new_eargv = realloc(eargv, eargc * sizeof(char *));
+ if (new_eargv == NULL)
+ goto exit;
+ eargv = new_eargv;
eargv[eargc - 1] = strdup(opt);
opt = oscap_strtok_r(NULL, delim, &state);
}
@@ -334,6 +337,7 @@ static void getopt_parse_env(struct oscap_module *module, int *argc, char ***arg
*argc = nargc;
*argv = nargv;
+exit:
free(opts);
free(eargv);
}
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
index af337b844..0a9ae5270 100644
--- a/utils/oscap-xccdf.c
+++ b/utils/oscap-xccdf.c
@@ -610,8 +610,7 @@ int app_evaluate_xccdf(const struct oscap_action *action)
/* syslog message */
#if defined(HAVE_SYSLOG_H)
- syslog(priority, "Evaluation finished. Return code: %d, Base score %f.", evaluation_result,
- session == NULL ? 0 : xccdf_session_get_base_score(session));
+ syslog(priority, "Evaluation finished. Return code: %d, Base score %f.", evaluation_result, xccdf_session_get_base_score(session));
#endif
xccdf_session_set_xccdf_export(session, action->f_results);

84
SOURCES/openscap-1.3.5-memory-PR_1627.patch
View File

@ -1,84 +0,0 @@
From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 10 Nov 2020 11:16:00 +0100
Subject: [PATCH] Fix memory allocation
We can't assume that size of a structure is a sum of sizes of its
members because padding and alignment can be involved. In fact,
we need to allocate more bytes for the structure than the
sum of sizes of its members.
The wrong assumption caused invalid writes and invalid reads
which can be discovered by valgrind. Moreover, when run with
MALLOC_CHECK_ environment variable set to non-zero value, the
program aborted.
The memory issue happened only when NDEBUG is defined, eg. when cmake
-DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake
-DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is
most likely because in debug mode the struct SEXP contains 2 additional
members which are the magic canaries and therefore is bigger.
This commit wants to fix the problem by 2 step allocation in which
first the size of the struct SEXP_val_lblk is used and then the
array of SEXPs is allocated separately.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770
---
src/OVAL/probes/SEAP/_sexp-value.h | 2 +-
src/OVAL/probes/SEAP/sexp-value.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h
index 426cd2c3d..e66777ef9 100644
--- a/src/OVAL/probes/SEAP/_sexp-value.h
+++ b/src/OVAL/probes/SEAP/_sexp-value.h
@@ -94,7 +94,7 @@ struct SEXP_val_lblk {
uintptr_t nxsz;
uint16_t real;
uint16_t refs;
- SEXP_t memb[];
+ SEXP_t *memb;
};
size_t SEXP_rawval_list_length (struct SEXP_val_list *list);
diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c
index a11cbc70c..b8b3ed609 100644
--- a/src/OVAL/probes/SEAP/sexp-value.c
+++ b/src/OVAL/probes/SEAP/sexp-value.c
@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz)
{
_A(sz < 16);
- struct SEXP_val_lblk *lblk = oscap_aligned_malloc(
- sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)),
- SEXP_LBLK_ALIGN
- );
+ struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));
+ lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz));
lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);
lblk->refs = 1;
@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *))
func (lblk->memb + lblk->real);
}
- oscap_aligned_free(lblk);
+ free(lblk->memb);
+ free(lblk);
if (next != NULL)
SEXP_rawval_lblk_free ((uintptr_t)next, func);
@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *))
func (lblk->memb + lblk->real);
}
- oscap_aligned_free(lblk);
+ free(lblk->memb);
+ free(lblk);
}
return;
--
2.26.2

71
SOURCES/openscap-1.3.5-plug-memory-leak-PR_1616.patch
View File

@ -1,71 +0,0 @@
From d5518f3f4c32ac19fcf3427602d5b2978b7ef1b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 5 Oct 2020 16:02:29 +0200
Subject: [PATCH] Plug a memory leak
Addressing:
8 bytes in 1 blocks are indirectly lost in loss record 7 of 235
at 0x483A809: malloc (vg_replace_malloc.c:307)
by 0x48F15CA: oval_collection_new (oval_collection.c:64)
by 0x48F4FCC: oval_result_criteria_node_new (oval_resultCriteriaNode.c:106)
by 0x48F5580: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:249)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217)
by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279)
by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395)
by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369)
by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181)
8 bytes in 1 blocks are definitely lost in loss record 8 of 235
at 0x483A809: malloc (vg_replace_malloc.c:307)
by 0x48F1799: oval_collection_iterator (oval_collection.c:120)
by 0x48CCE4C: oval_criteria_node_get_subnodes (oval_criteriaNode.c:161)
by 0x48F5590: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:255)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217)
by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279)
by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395)
by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369)
by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181)
48 (40 direct, 8 indirect) bytes in 1 blocks are definitely lost in loss record 125 of 235
at 0x483A809: malloc (vg_replace_malloc.c:307)
by 0x48F4F50: oval_result_criteria_node_new (oval_resultCriteriaNode.c:98)
by 0x48F5580: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:249)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217)
by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279)
by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395)
by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369)
by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181)
by 0x48C2671: oval_agent_eval_system (oval_agent.c:286)
This leak has been created by #1610.
---
src/OVAL/results/oval_resultCriteriaNode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/OVAL/results/oval_resultCriteriaNode.c b/src/OVAL/results/oval_resultCriteriaNode.c
index 807283206..f6e980861 100644
--- a/src/OVAL/results/oval_resultCriteriaNode.c
+++ b/src/OVAL/results/oval_resultCriteriaNode.c
@@ -258,8 +258,11 @@ struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_n
= oval_criteria_node_iterator_next(oval_subnodes);
struct oval_result_criteria_node *rslt_subnode
= make_result_criteria_node_from_oval_criteria_node(sys, oval_subnode, visited_definitions, variable_instance);
- if (rslt_subnode == NULL)
+ if (rslt_subnode == NULL) {
+ oval_criteria_node_iterator_free(oval_subnodes);
+ oval_result_criteria_node_free(rslt_node);
return NULL;
+ }
oval_result_criteria_node_add_subnode(rslt_node, rslt_subnode);
}
oval_criteria_node_iterator_free(oval_subnodes);

9
SOURCES/openscap-1.3.5-test-non-local-gpfs-PR_1653.patch
View File

@ -1,9 +0,0 @@
diff --git a/tests/API/probes/fake_mtab b/tests/API/probes/fake_mtab
index 94b1fe295..32c516b7d 100644
--- a/tests/API/probes/fake_mtab
+++ b/tests/API/probes/fake_mtab
@@ -5,3 +5,4 @@ tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
/dev/mapper/fedora-home /home ext4 rw,seclabel,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
//192.168.0.5/storage /media/movies cifs guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm 0 0
+/dev/gpfsdev /gpfs gpfs rw,relatime 0 0

13
SOURCES/openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch
View File

@ -1,13 +0,0 @@
diff --git a/tests/test_common.sh.in b/tests/test_common.sh.in
index 6b54ad015..5b6126dbf 100755
--- a/tests/test_common.sh.in
+++ b/tests/test_common.sh.in
@@ -17,6 +17,9 @@ PREFERRED_PYTHON=@PREFERRED_PYTHON_PATH@
LC_ALL=C
export LC_ALL
+MALLOC_CHECK_=3
+export MALLOC_CHECK_
+
OSCAP_FULL_VALIDATION=1
export OSCAP_FULL_VALIDATION

67
SOURCES/openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch
View File

@ -1,67 +0,0 @@
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index 6f18abf83..17741a240 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -206,6 +206,7 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
yaml_event_type_t event_type;
bool sequence = false;
bool mapping = false;
+ bool fake_mapping = false;
int index = 0;
char *key = strdup("#");
@@ -224,21 +225,39 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
if (sequence) {
if (event_type == YAML_SEQUENCE_END_EVENT) {
- sequence = false;
+ if (fake_mapping) {
+ fake_mapping = false;
+ if (record && record->itemcount > 0) {
+ oscap_list_add(values, record);
+ } else {
+ // Do not collect empty records
+ oscap_htable_free0(record);
+ }
+ record = NULL;
+ } else {
+ sequence = false;
+ }
} else if (event_type == YAML_SEQUENCE_START_EVENT) {
- result_error("YAML path '%s' points to a multi-dimensional structure (sequence containing another sequence)", yaml_path_cstr);
- goto cleanup;
+ if (mapping || fake_mapping) {
+ result_error("YAML path '%s' points to a multi-dimensional structure (a map or a sequence containing other sequences)", yaml_path_cstr);
+ goto cleanup;
+ } else {
+ fake_mapping = true;
+ record = oscap_htable_new();
+ }
}
} else {
if (event_type == YAML_SEQUENCE_START_EVENT) {
sequence = true;
+ if (mapping)
+ index++;
}
}
if (mapping) {
if (event_type == YAML_MAPPING_END_EVENT) {
mapping = false;
- if (record->itemcount > 0) {
+ if (record && record->itemcount > 0) {
oscap_list_add(values, record);
} else {
// Do not collect empty records
@@ -255,6 +274,10 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
result_error("YAML path '%s' points to an invalid structure (map containing another map)", yaml_path_cstr);
goto cleanup;
}
+ if (fake_mapping) {
+ result_error("YAML path '%s' points to a multi-dimensional structure (two-dimensional sequence containing a map)", yaml_path_cstr);
+ goto cleanup;
+ }
mapping = true;
sequence = false;
index = 0;

26
SPECS/openscap.spec
View File

@ -1,18 +1,11 @@
Name: openscap
Version: 1.3.4
Release: 5%{?dist}
Version: 1.3.5
Release: 2%{?dist}
Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries
License: LGPLv2+
URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch1: openscap-1.3.5-plug-memory-leak-PR_1616.patch
Patch2: openscap-1.3.5-coverity1-PR_1617.patch
Patch3: openscap-1.3.5-coverity2-PR_1620.patch
Patch4: openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch
Patch5: openscap-1.3.5-memory-PR_1627.patch
Patch6: openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch
Patch7: openscap-1.3.5-test-non-local-gpfs-PR_1653.patch
BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel
@ -29,6 +22,7 @@ BuildRequires: GConf2-devel
BuildRequires: glib2-devel
BuildRequires: dbus-devel
BuildRequires: libyaml-devel
BuildRequires: xmlsec1-devel xmlsec1-openssl-devel
%if %{?_with_check:1}%{!?_with_check:0}
BuildRequires: perl-XML-XPath
BuildRequires: bzip2
@ -47,6 +41,7 @@ Requires: openldap
Requires: popt
# RHEL8 has procps-ng, which provides procps
Requires: procps
Requires: xmlsec1 xmlsec1-openssl
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Obsoletes: python2-openscap
@ -219,6 +214,15 @@ rm -rf $RPM_BUILD_ROOT
%{_bindir}/oscap-run-sce-script
%changelog
* Tue May 04 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-2
- Fix changelog (add missing 1.3.3-6 entry)
* Thu Apr 29 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-1
- Upgrade to the latest upstream release (RHBZ#1953092)
- Fix segfault when using --stig-viewer option and latest XML file from DoD (RHBZ#1912000)
- Improve doc about --stig-viewer (RHBZ#1918759)
- Backport an upstream patch adding CentOS CPE (RHBZ#1907935)
* Wed Nov 25 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-5
- Add check for non-local GPFS file system into Test Suite (RHBZ#1840578)
@ -228,6 +232,10 @@ rm -rf $RPM_BUILD_ROOT
* Tue Nov 10 2020 Jan Černý <jcerny@redhat.com> - 1.3.4-3
- Fix memory allocation (RHBZ#1891770)
* Thu Oct 29 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.3-6
- Enable profile composition with a specific platform (RHBZ#1896676)
- Enable YAML probe to work with sets of values (RHBZ#1895715)
* Mon Oct 26 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-2
- Fix problems uncovered by the Coverity Scan (RHBZ#1887794)