From 37373652db07e1c9faa8bdc46400a0e127b77a79 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 8 Dec 2025 09:58:42 -0600
Subject: [PATCH] Upgrade to the latest upstream release
Resolves: RHEL-133978
Resolves: RHEL-104651
---
 2227.patch | 103 --------------------------------------------------
 2283.patch | 45 ++++++++++++++++++++++
 openscap.spec | 8 +++-
 sources | 2 +-
 4 files changed, 52 insertions(+), 106 deletions(-)
 delete mode 100644 2227.patch
 create mode 100644 2283.patch
diff --git a/2227.patch b/2227.patch
deleted file mode 100644
index e77f9dd..0000000
--- a/2227.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 2b5cd91842e49d2cc6552bc46d2677fdb7f65c10 Mon Sep 17 00:00:00 2001
-From: Evgeny Kolesnikov
-Date: Thu, 17 Apr 2025 14:02:55 +0200
-Subject: [PATCH] Inherit opscap environment when executing Bash remediations
- with --remediate
-
-Make the Bash remediation environment consistent with other
-types of remediation.
----
- src/XCCDF_POLICY/xccdf_policy_remediate.c | 14 ++-----------
- tests/API/XCCDF/unittests/CMakeLists.txt | 1 +
- .../unittests/test_remediation_environment.sh | 21 +++++++++++++++++++
- .../test_remediation_environment.xccdf.xml | 16 ++++++++++++++
- 4 files changed, 40 insertions(+), 12 deletions(-)
- create mode 100755 tests/API/XCCDF/unittests/test_remediation_environment.sh
- create mode 100644 tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
-
-diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
-index b435f89e5a..d2e5ef31ca 100644
---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
-+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
-@@ -483,18 +483,8 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
- NULL
- };
-
-- char *oscap_bootc_build = getenv("OSCAP_BOOTC_BUILD");
-- char *oscap_bootc_build_kvarg = NULL;
-- if (oscap_bootc_build != NULL) {
-- oscap_bootc_build_kvarg = oscap_sprintf("OSCAP_BOOTC_BUILD=%s", oscap_bootc_build);
-- }
-- char *const envp[3] = {
-- "PATH=/bin:/sbin:/usr/bin:/usr/sbin",
-- oscap_bootc_build_kvarg,
-- NULL
-- };
--
-- execve(interpret, argvp, envp);
-+ // We are inheriting openscap environment
-+ execve(interpret, argvp, environ);
- /* Wow, execve returned. In this special case, we failed to execute the fix
- * and we return 0 from function. At least the following error message will
- * indicate the problem in xccdf:message.
*/
-diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
-index 6b557d0837..d22b370e2d 100644
---- a/tests/API/XCCDF/unittests/CMakeLists.txt
-+++ b/tests/API/XCCDF/unittests/CMakeLists.txt
-@@ -94,6 +94,7 @@ add_oscap_test("test_remediation_cdata.sh")
- add_oscap_test("test_remediation_subs_unresolved.sh")
- add_oscap_test("test_remediation_fix_without_system.sh")
- add_oscap_test("test_remediation_invalid_characters.sh")
-+add_oscap_test("test_remediation_environment.sh")
- add_oscap_test("test_remediate_simple.sh")
- add_oscap_test("test_remediate_perl.sh")
- add_oscap_test("test_report_check_with_empty_selector.sh")
-diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.sh b/tests/API/XCCDF/unittests/test_remediation_environment.sh
-new file mode 100755
-index 0000000000..1f5fd0afbf
---- /dev/null
-+++ b/tests/API/XCCDF/unittests/test_remediation_environment.sh
-@@ -0,0 +1,21 @@
-+#!/usr/bin/env bash
-+. $builddir/tests/test_common.sh
-+
-+set -e
-+set -o pipefail
-+
-+name=$(basename $0 .sh)
-+result=$(mktemp -t ${name}.out.XXXXXX)
-+
-+rm -f remediation.env
-+
-+CANARY_EXPORTED="CANARY_EXPORTED_VALUE"
-+export CANARY_EXPORTED
-+CANARY_PROCESS="CANARY_PROCESS_VALUE" $OSCAP xccdf eval --remediate $srcdir/${name}.xccdf.xml || true
-+
-+grep -q "${PATH}" remediation.env || die "PATH not found"
-+grep -q "CANARY_EXPORTED_VALUE" remediation.env || die "CANARY_EXPORTED_VALUE not found"
-+grep -q "CANARY_PROCESS_VALUE" remediation.env || die "CANARY_PROCESS_VALUE not found"
-+
-+rm -f remediation.env
-+rm $result
-diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
-new file mode 100644
-index 0000000000..0875b6c241
---- /dev/null
-+++ b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
-@@ -0,0 +1,16 @@
-+
-+
-+ accepted
-+ 1.0
-+
-+ Write some environment variables
-+
-+ echo "PATH=${PATH}" >
remediation.env
-+ echo "CANARY_EXPORTED=${CANARY_EXPORTED}" >> remediation.env
-+ echo "CANARY_PROCESS=${CANARY_PROCESS}" >> remediation.env
-+
-+
-+
-+
-+
-+
diff --git a/2283.patch b/2283.patch
new file mode 100644
index 0000000..4fdea38
--- /dev/null
+++ b/2283.patch
@@ -0,0 +1,45 @@
+From 6767362e139bf1e8981e1f1138e38cad359e4182 Mon Sep 17 00:00:00 2001
+From: Matthew Burket
+Date: Fri, 5 Dec 2025 09:12:43 -0600
+Subject: [PATCH] Always check the current lists before inserting on blueprints
+
+Fixes OpenSCAP#2282
+---
+ src/XCCDF_POLICY/xccdf_policy_remediate.c | 2 +-
+ .../unittests/test_remediation_blueprint.xccdf.xml | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+index 0f6c21c4ee..5e4a0b1116 100644
+--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
++++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+@@ -742,7 +742,7 @@ static inline int _parse_blueprint_fix(const char *fix_text, struct blueprint_cu
+ memcpy(val, &fix_text[ovector[2]], ovector[3] - ovector[2]);
+ val[ovector[3] - ovector[2]] = '\0';
+
+- if (!oscap_list_contains(customizations->kernel_append, val, (oscap_cmp_func) oscap_streq)) {
++ if (!oscap_list_contains(tab[i].list, val, (oscap_cmp_func) oscap_streq)) {
+ oscap_list_prepend(tab[i].list, val);
+ } else {
+ free(val);
+diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
+index 2fc909795b..de3b8468a8 100644
+--- a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
++++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
+@@ -104,6 +104,16 @@ enabled = ["sshd"]
+
+ [customizations.services]
+ masked = ["evil"]
++
++
++
++
++
++
++ Enable sshd
++
++[customizations.services]
++enabled = ["sshd"]
+
+
+
diff --git a/openscap.spec b/openscap.spec
index 478a767..91653b1 100644
--- a/openscap.spec
+++ b/openscap.spec
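Review bot: In the xccdf_policy_remediate.c hunk carried by 2283.patch, the changed line still passes `(oscap_cmp_func) oscap_streq` to `oscap_list_contains`, and the need for a cast suggests the two function types differ. If `oscap_cmp_func` is declared with `void *` parameters (its declaration is not on this page), calling `oscap_streq` through the cast pointer is undefined behaviour in C and would trip indirect-call control-flow-integrity instrumentation where that is enabled. An adapter of the exact callback type, for example `static bool _blueprint_val_eq(void *a, void *b) { return oscap_streq(a, b); }`, passed without a cast would avoid both. `_parse_blueprint_fix` starts and ends outside the hunk, so the allocation of `val` and the definition of `tab` cannot be checked from here.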
@@ -1,5 +1,5 @@
 Name: openscap
-Version: 1.4.2
+Version: 1.4.3
 Release: 1%{?dist}
 Epoch: 1
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
@@ -7,7 +7,7 @@ License: LGPL-2.1-or-later
 URL: http://www.open-scap.org/
 VCS: https://github.com/OpenSCAP/openscap
 Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-Patch0: 2227.patch
+Patch0: 2283.patch
 %global common_description %{expand:
 OpenSCAP is a set of open source libraries providing an easier path
@@ -158,6 +158,10 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';'
 %changelog
+* Mon Dec 08 2025 Matthew Burket - 1:1.4.3-1
+- Upgrade to the latest upstream release (RHEL-133978)
+- Add the ability to show rule details in output (RHEL-104651)
+
 * Fri Apr 25 2025 Evgenii Kolesnikov - 1:1.4.2-1
 - Upgrade to the latest upstream release (RHEL-88845)
diff --git a/sources b/sources
index f47e51b..9006201 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openscap-1.4.2.tar.gz) = 126b88d028fafe9c2af882ae7b90ad59a7a429899b45cfa0f4fea188f32b0f9c51615d69a172e9bd4c0a6663aaf40e8fd85c8563575fce00099f3d58d572cbda
+SHA512 (openscap-1.4.3.tar.gz) = 76ee761804f781f72adea07d9a07f0100cde9bb2a08f1637887b4e6f42438d9bbcfd73b17dc233b67cee3db86f9ccb1654f87c23c374bf3f834139413e121d6f
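Review bot: In the second openscap.spec hunk, `Patch0: 2283.patch` replaces `Patch0: 2227.patch` with no comment recording where the new patch comes from or when it can be dropped. The patch header on this page says it fixes OpenSCAP#2282, so a line above it such as `# Upstream fix for OpenSCAP#2282, drop once a release contains it` would carry that into the next rebase. The commit message also does not say why 2227.patch is removed; presumably 1.4.3 already contains that change, which is worth confirming because it decides whether Bash remediations run with the inherited environment or with the fixed PATH the old code passed to execve.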