From 3b25f40987be0240eb976d0189160f40175074e2 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 27 Sep 2022 09:04:19 -0400
Subject: [PATCH] import openscap-1.3.6-4.el9

---
 ...861-failed-to-check-available-memory.patch |  22 ++
 ...-PR-1874-unit-test-read-common-sizet.patch | 233 ++++++++++++++++++
 ...cap-1.3.7-PR-1875-reset-errno-strtol.patch |  71 ++++++
 ....3.7-PR-1876-disable-oscap-remediate.patch |  82 ++++++
 SPECS/openscap.spec                           |  22 +-
 5 files changed, 418 insertions(+), 12 deletions(-)
 create mode 100644 SOURCES/openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
 create mode 100644 SOURCES/openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
 create mode 100644 SOURCES/openscap-1.3.7-PR-1875-reset-errno-strtol.patch
 create mode 100644 SOURCES/openscap-1.3.7-PR-1876-disable-oscap-remediate.patch

diff --git a/SOURCES/openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch b/SOURCES/openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
new file mode 100644
index 0000000..b2951ff
--- /dev/null
+++ b/SOURCES/openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
@@ -0,0 +1,22 @@
+From 12f9c02a612bb1687676b74a4739126b1913b1fe Mon Sep 17 00:00:00 2001
+From: Ajay Nair <ajaynair59@gmail.com>
+Date: Mon, 9 May 2022 13:31:47 -0400
+Subject: [PATCH] Reset errno before call to strtoll
+
+---
+ src/common/memusage.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/common/memusage.c b/src/common/memusage.c
+index c6755f21f1..ffa70b662b 100644
+--- a/src/common/memusage.c
++++ b/src/common/memusage.c
+@@ -71,6 +71,8 @@ static int read_common_sizet(void *szp, char *strval)
+ 		return (-1);
+ 
+ 	*end = '\0';
++
++	errno = 0;
+ 	*(size_t *)szp = strtoll(strval, NULL, 10);
+ 
+ 	if (errno == EINVAL ||
diff --git a/SOURCES/openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch b/SOURCES/openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
new file mode 100644
index 0000000..7e1fbc3
--- /dev/null
+++ b/SOURCES/openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
@@ -0,0 +1,233 @@
+From 07486e9033d8cc1fd03962994b3359cb611a9ac9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 22 Jul 2022 16:50:01 +0200
+Subject: [PATCH 1/3] Add unit test for read_common_sizet function
+
+The unit test will cover the missing set errno
+to 0 which was the root cause of:
+https://github.com/OpenSCAP/openscap/issues/1867
+
+Therefore, this test can be used during verification of:
+https://bugzilla.redhat.com/show_bug.cgi?id=2109485
+---
+ tests/API/probes/CMakeLists.txt   |  9 +++++
+ tests/API/probes/test_memusage.c  | 67 +++++++++++++++++++++++++++++++
+ tests/API/probes/test_memusage.sh |  9 +++++
+ 3 files changed, 85 insertions(+)
+ create mode 100644 tests/API/probes/test_memusage.c
+ create mode 100755 tests/API/probes/test_memusage.sh
+
+diff --git a/tests/API/probes/CMakeLists.txt b/tests/API/probes/CMakeLists.txt
+index ae3c7212a0..2ac4081ac2 100644
+--- a/tests/API/probes/CMakeLists.txt
++++ b/tests/API/probes/CMakeLists.txt
+@@ -38,3 +38,12 @@ target_include_directories(oval_fts_list PUBLIC
+ )
+ target_link_libraries(oval_fts_list openscap)
+ add_oscap_test("fts.sh")
++
++add_oscap_test_executable(test_memusage
++	"test_memusage.c"
++	"${CMAKE_SOURCE_DIR}/src/common/bfind.c"
++)
++target_include_directories(test_memusage PUBLIC
++	"${CMAKE_SOURCE_DIR}/src/common"
++)
++add_oscap_test("test_memusage.sh")
+diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
+new file mode 100644
+index 0000000000..5dced98f03
+--- /dev/null
++++ b/tests/API/probes/test_memusage.c
+@@ -0,0 +1,67 @@
++/*
++ * Copyright 2022 Red Hat Inc., Durham, North Carolina.
++ * All Rights Reserved.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++ *
++ * Authors:
++ *      "Jan Černý" <jcerny@redhat.com>
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include "memusage.h"
++#include "memusage.c"
++#define OS_LINUX
++
++static int test_basic()
++{
++	size_t size;
++	char *strval = strdup("17 MB");
++	read_common_sizet(&size, strval);
++	free(strval);
++	return (size == 17);
++}
++
++static int test_errno()
++{
++	size_t size;
++	char *strval = strdup("17 MB");
++
++	/* Test that setting errno outside of the read_common_sizet function
++	 * doesn't influence the function and doesn't make the function fail.
++	 */
++	errno = EINVAL;
++
++	int ret = read_common_sizet(&size, strval);
++	free(strval);
++	return (ret != -1);
++}
++
++int main(int argc, char *argv[])
++{
++	if (!test_basic()) {
++		fprintf(stderr, "test_basic has failed\n");
++		return 1;
++	}
++	if (!test_errno()) {
++		fprintf(stderr, "test_errno has failed\n");
++		return 1;
++	}
++	return 0;
++}
+diff --git a/tests/API/probes/test_memusage.sh b/tests/API/probes/test_memusage.sh
+new file mode 100755
+index 0000000000..4c76bdc0ac
+--- /dev/null
++++ b/tests/API/probes/test_memusage.sh
+@@ -0,0 +1,9 @@
++#!/usr/bin/env bash
++
++. $builddir/tests/test_common.sh
++
++if [ -n "${CUSTOM_OSCAP+x}" ] ; then
++    exit 255
++fi
++
++./test_memusage
+
+From 2cc649d5e9fbf337bbfca69c21313657a5b8a7cf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 25 Jul 2022 09:00:36 +0200
+Subject: [PATCH 2/3] Replace license by SPDX ID
+
+---
+ tests/API/probes/test_memusage.c | 22 +---------------------
+ 1 file changed, 1 insertion(+), 21 deletions(-)
+
+diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
+index 5dced98f03..db2915f6d5 100644
+--- a/tests/API/probes/test_memusage.c
++++ b/tests/API/probes/test_memusage.c
+@@ -1,24 +1,4 @@
+-/*
+- * Copyright 2022 Red Hat Inc., Durham, North Carolina.
+- * All Rights Reserved.
+- *
+- * This library is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU Lesser General Public
+- * License as published by the Free Software Foundation; either
+- * version 2.1 of the License, or (at your option) any later version.
+- *
+- * This library is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+- * Lesser General Public License for more details.
+- *
+- * You should have received a copy of the GNU Lesser General Public
+- * License along with this library; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+- *
+- * Authors:
+- *      "Jan Černý" <jcerny@redhat.com>
+- */
++// SPDX-License-Identifier: LGPL-2.1-or-later
+ 
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+
+From caadd89e61f5d70e251180055686a3b52c763c66 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 25 Jul 2022 09:00:45 +0200
+Subject: [PATCH 3/3] Improve unit test for read_common_sizet
+
+Check for multiple different situations.
+---
+ tests/API/probes/test_memusage.c | 34 ++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
+index db2915f6d5..b9db865d45 100644
+--- a/tests/API/probes/test_memusage.c
++++ b/tests/API/probes/test_memusage.c
+@@ -12,16 +12,34 @@
+ static int test_basic()
+ {
+ 	size_t size;
+-	char *strval = strdup("17 MB");
+-	read_common_sizet(&size, strval);
++	char *strval = strdup("17 kB\n");
++	int ret = read_common_sizet(&size, strval);
+ 	free(strval);
+-	return (size == 17);
++	return (size == 17 && ret == 0);
++}
++
++static int test_no_unit()
++{
++	size_t size;
++	char *strval = strdup("42");
++	int ret = read_common_sizet(&size, strval);
++	free(strval);
++	return (ret == -1);
++}
++
++static int test_invalid_number()
++{
++	size_t size;
++	char *strval = strdup("www kB\n");
++	int ret = read_common_sizet(&size, strval);
++	free(strval);
++	return (size == 0 && ret == 0);
+ }
+ 
+ static int test_errno()
+ {
+ 	size_t size;
+-	char *strval = strdup("17 MB");
++	char *strval = strdup("17 kB\n");
+ 
+ 	/* Test that setting errno outside of the read_common_sizet function
+ 	 * doesn't influence the function and doesn't make the function fail.
+@@ -39,6 +57,14 @@ int main(int argc, char *argv[])
+ 		fprintf(stderr, "test_basic has failed\n");
+ 		return 1;
+ 	}
++	if (!test_no_unit()) {
++		fprintf(stderr, "test_no_unit has failed\n");
++		return 1;
++	}
++	if (!test_invalid_number()) {
++		fprintf(stderr, "test_invalid_number has failed\n");
++		return 1;
++	}
+ 	if (!test_errno()) {
+ 		fprintf(stderr, "test_errno has failed\n");
+ 		return 1;
diff --git a/SOURCES/openscap-1.3.7-PR-1875-reset-errno-strtol.patch b/SOURCES/openscap-1.3.7-PR-1875-reset-errno-strtol.patch
new file mode 100644
index 0000000..b02507d
--- /dev/null
+++ b/SOURCES/openscap-1.3.7-PR-1875-reset-errno-strtol.patch
@@ -0,0 +1,71 @@
+From 55b09ba184c1803a5e1454c44e9e9a5c578dd741 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 25 Jul 2022 17:10:17 +0200
+Subject: [PATCH] Reset errno before strtol
+
+This sets errno to 0 before strotol calls after which the errno
+is being checked.
+
+Per man 3 strtol:
+Since  strtol()  can  legitimately  return 0, LONG_MAX, or
+LONG_MIN (LLONG_MAX or LLONG_MIN for strtoll()) on both success and
+failure, the calling program should set errno to 0 before the call, and
+then determine if an error occurred by checking whether errno has a
+nonzero value after the call.
+
+This is inspired by https://github.com/OpenSCAP/openscap/pull/1861.
+---
+ src/OVAL/probes/independent/sql57_probe.c | 1 +
+ src/OVAL/probes/independent/sql_probe.c   | 1 +
+ src/OVAL/probes/oval_fts.c                | 1 +
+ src/OVAL/probes/unix/xinetd_probe.c       | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/src/OVAL/probes/independent/sql57_probe.c b/src/OVAL/probes/independent/sql57_probe.c
+index ce1466635c..2b35750ee2 100644
+--- a/src/OVAL/probes/independent/sql57_probe.c
++++ b/src/OVAL/probes/independent/sql57_probe.c
+@@ -216,6 +216,7 @@ static int dbURIInfo_parse(dbURIInfo_t *info, const char *conn)
+ 			matchitem1(tok, 'c',
+ 				   "onnecttimeout", tmp);
+ 			if (tmp != NULL) {
++				errno = 0;
+ 				info->conn_timeout = strtol(tmp, NULL, 10);
+ 
+ 				if (errno == ERANGE || errno == EINVAL)
+diff --git a/src/OVAL/probes/independent/sql_probe.c b/src/OVAL/probes/independent/sql_probe.c
+index 2ede89d031..71ba3c08c3 100644
+--- a/src/OVAL/probes/independent/sql_probe.c
++++ b/src/OVAL/probes/independent/sql_probe.c
+@@ -216,6 +216,7 @@ static int dbURIInfo_parse(dbURIInfo_t *info, const char *conn)
+ 			matchitem1(tok, 'c',
+ 				   "onnecttimeout", tmp);
+ 			if (tmp != NULL) {
++				errno = 0;
+ 				info->conn_timeout = strtol(tmp, NULL, 10);
+ 
+ 				if (errno == ERANGE || errno == EINVAL)
+diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
+index 1364159c90..f9d0a0c1fd 100644
+--- a/src/OVAL/probes/oval_fts.c
++++ b/src/OVAL/probes/oval_fts.c
+@@ -729,6 +729,7 @@ OVAL_FTS *oval_fts_open_prefixed(const char *prefix, SEXP_t *path, SEXP_t *filen
+ 	/* max_depth */
+ 	PROBE_ENT_AREF(behaviors, r0, "max_depth", return NULL;);
+ 	SEXP_string_cstr_r(r0, cstr_buff, sizeof cstr_buff - 1);
++	errno = 0;
+ 	max_depth = strtol(cstr_buff, NULL, 10);
+ 	if (errno == EINVAL || errno == ERANGE) {
+ 		dE("Invalid value of the `%s' attribute: %s", "recurse_direction", cstr_buff);
+diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
+index b3375500db..703a07f513 100644
+--- a/src/OVAL/probes/unix/xinetd_probe.c
++++ b/src/OVAL/probes/unix/xinetd_probe.c
+@@ -1280,6 +1280,7 @@ int op_assign_bool(void *var, char *val)
+ 		*((bool *)(var)) = false;
+ 	} else {
+ 		char *endptr = NULL;
++		errno = 0;
+ 		*((bool *)(var)) = (bool) strtol (val, &endptr, 2);
+ 		if (errno == EINVAL || errno == ERANGE) {
+ 			return -1;
diff --git a/SOURCES/openscap-1.3.7-PR-1876-disable-oscap-remediate.patch b/SOURCES/openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
new file mode 100644
index 0000000..a6b3345
--- /dev/null
+++ b/SOURCES/openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
@@ -0,0 +1,82 @@
+From 140d60bc751e6c0e4138ab3a2e8e9b130264f905 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 27 Jul 2022 09:40:29 +0200
+Subject: [PATCH] Add CMake option to disable oscap-remediate service
+
+This patch introduces a new CMake build option
+ENABLE_OSCAP_REMEDIATE_SERVICE which can be used to disable the
+installation of the files related to the oscap-remediate systemd
+service. Downstream packagers can use this option to disable shipping
+the oscap-remediate service in their RPM spec files.
+
+Resolves: rhbz#2111358
+Resolves: rhbz#2111360
+---
+ CMakeLists.txt       | 15 +++++++++------
+ utils/CMakeLists.txt | 20 +++++++++++---------
+ 2 files changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 61c57d7a3e..48e19e5203 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -327,6 +327,7 @@ cmake_dependent_option(ENABLE_OSCAP_UTIL_VM "enables the oscap-vm utility, this
+ cmake_dependent_option(ENABLE_OSCAP_UTIL_PODMAN "enables the oscap-podman utility, this lets you scan Podman containers and container images" ON "NOT WIN32" OFF)
+ cmake_dependent_option(ENABLE_OSCAP_UTIL_CHROOT "enables the oscap-chroot utility, this lets you scan entire chroots using offline scanning" ON "NOT WIN32" OFF)
+ option(ENABLE_OSCAP_UTIL_AUTOTAILOR "enables the autotailor utility that is able to perform command-line tailoring" TRUE)
++option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" TRUE)
+ 
+ # ---------- TEST-SUITE SWITCHES
+ 
+@@ -609,12 +610,14 @@ if(NOT WIN32)
+ 		DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
+ 	)
+ 	if(WITH_SYSTEMD)
+-		# systemd service for offline (boot-time) remediation
+-		configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
+-		install(FILES
+-			${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
+-			DESTINATION ${SYSTEMD_UNITDIR}
+-		)
++		if(ENABLE_OSCAP_REMEDIATE_SERVICE)
++			# systemd service for offline (boot-time) remediation
++			configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
++			install(FILES
++				${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
++				DESTINATION ${SYSTEMD_UNITDIR}
++			)
++		endif()
+ 	endif()
+ endif()
+ 
+diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
+index 3f199eaabc..93ce1f2a9d 100644
+--- a/utils/CMakeLists.txt
++++ b/utils/CMakeLists.txt
+@@ -59,15 +59,17 @@ if(ENABLE_OSCAP_UTIL)
+ 		)
+ 
+ 		if(WITH_SYSTEMD)
+-			install(PROGRAMS "oscap-remediate"
+-				DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
+-			)
+-			install(PROGRAMS "oscap-remediate-offline"
+-				DESTINATION ${CMAKE_INSTALL_BINDIR}
+-			)
+-			install(FILES "oscap-remediate-offline.8"
+-				DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
+-			)
++			if (ENABLE_OSCAP_REMEDIATE_SERVICE)
++				install(PROGRAMS "oscap-remediate"
++					DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
++				)
++				install(PROGRAMS "oscap-remediate-offline"
++					DESTINATION ${CMAKE_INSTALL_BINDIR}
++				)
++				install(FILES "oscap-remediate-offline.8"
++					DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
++				)
++			endif()
+ 		endif()
+ 	endif()
+ endif()
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index c755ea0..bec4b75 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -1,6 +1,6 @@
 Name:           openscap
 Version:        1.3.6
-Release:        3%{?dist}
+Release:        4%{?dist}
 Epoch:          1
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 License:        LGPLv2+
@@ -10,6 +10,10 @@ Patch1:         openscap-1.3.7-PR-1841-coverity.patch
 Patch2:         openscap-1.3.7-PR-1843-fix-test-ds-misc.patch
 Patch3:         openscap-1.3.7-PR-1844-fix-test-ds-misc-2.patch
 Patch4:         openscap-1.3.7-PR-1846-file-permissions.patch
+Patch5:         openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
+Patch6:         openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
+Patch7:         openscap-1.3.7-PR-1875-reset-errno-strtol.patch
+Patch8:         openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
 BuildRequires:  make
 BuildRequires:  cmake >= 2.6
 BuildRequires:  gcc
@@ -126,6 +130,7 @@ for developing applications that use %{name}-engine-sce.
     -DENABLE_DOCS=ON \
     -DENABLE_PERL=OFF \
     -DENABLE_OSCAP_UTIL_DOCKER=OFF \
+    -DENABLE_OSCAP_REMEDIATE_SERVICE=OFF \
     -DOPENSCAP_PROBE_UNIX_GCONF=OFF \
     -DOPENSCAP_ENABLE_SHA1=OFF \
     -DOPENSCAP_ENABLE_MD5=OFF \
@@ -148,12 +153,6 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 
 %ldconfig_scriptlets
 
-# enable oscap-remediate.service here for now
-# https://github.com/hughsie/PackageKit/issues/401
-# https://bugzilla.redhat.com/show_bug.cgi?id=1833176
-mkdir -p %{buildroot}%{_unitdir}/system-update.target.wants/
-ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.wants/oscap-remediate.service
-
 %files
 %doc AUTHORS NEWS README.md
 %license COPYING
@@ -186,12 +185,7 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w
 %{_bindir}/oscap
 %{_mandir}/man8/oscap-chroot.8.gz
 %{_bindir}/oscap-chroot
-%{_mandir}/man8/oscap-remediate-offline.8.gz
-%{_bindir}/oscap-remediate-offline
 %{_sysconfdir}/bash_completion.d
-%{_libexecdir}/oscap-remediate
-%{_unitdir}/oscap-remediate.service
-%{_unitdir}/system-update.target.wants/
 
 %files utils
 %doc docs/oscap-scan.cron
@@ -211,6 +205,10 @@ ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.w
 %{_bindir}/oscap-run-sce-script
 
 %changelog
+* Thu Jul 21 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-4
+- Fix potential invalid scan results in OpenSCAP (rhbz#2109485)
+- Remove oscap-remediate service (rhbz#2111358)
+
 * Mon Feb 07 2022 Jan Černý <jcerny@redhat.com> - 1:1.3.6-3
 - Prevent file permission errors (rhbz#2048571)