From 431857fd33e547b4c93b0613b4c4ec5f419b8d01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 14 Jan 2020 12:29:56 +0100
Subject: [PATCH] openscap-1.3.2-1
---
 .gitignore | 1 +
 ...le-rpmVerifyFile-removal-in-rpm-4.15.patch | 67 -------------
 ...VERIFY_-constants-instead-of-VERIFY_.patch | 99 -------------------
 ...Y_SIGNATURE-and-VERIFY_DIGEST-checks.patch | 56 -----------
 openscap.spec | 11 +--
 sources | 2 +-
 6 files changed, 7 insertions(+), 229 deletions(-)
 delete mode 100644 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
 delete mode 100644 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
 delete mode 100644 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
diff --git a/.gitignore b/.gitignore
index a383f65..21cfa3d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -64,3 +64,4 @@ openscap-0.6.0.tar.gz
 /openscap-1.3.0_alpha2.tar.gz
 /openscap-1.3.0.tar.gz
 /openscap-1.3.1.tar.gz
+/openscap-1.3.2.tar.gz
diff --git a/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch b/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
deleted file mode 100644
index aa78a80..0000000
--- a/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From e09334091d5678b666ea4e92d1a4b55838aa1a41 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen
-Date: Tue, 11 Jun 2019 16:12:55 +0300
-Subject: [PATCH 1/3] Handle rpmVerifyFile() removal in rpm >= 4.15
-
-Using rpmfiVerify() directly would be simpler but if upstream wants
-to preserve compatibility with older rpms...
----
- CMakeLists.txt | 1 +
- src/OVAL/probes/unix/linux/rpm-helper.c | 12 ++++++++++++
- src/OVAL/probes/unix/linux/rpm-helper.h | 5 +++++
- 3 files changed, 18 insertions(+)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 720d8d8eb..058319599 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -132,6 +132,7 @@ if(RPM_FOUND)
- check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
- check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
- check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
-+ check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
- set(HAVE_RPMVERCMP 1)
- endif()
-
-diff --git a/src/OVAL/probes/unix/linux/rpm-helper.c b/src/OVAL/probes/unix/linux/rpm-helper.c
-index bfb95c363..4d23cf202 100644
---- a/src/OVAL/probes/unix/linux/rpm-helper.c
-+++ b/src/OVAL/probes/unix/linux/rpm-helper.c
-@@ -32,6 +32,18 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data)
- }
- #endif
-
-+#ifndef HAVE_RPMVERIFYFILE
-+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
-+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask)
-+{
-+ rpmVerifyAttrs vfy = rpmfiVerify(fi, omitMask);
-+ if (res)
-+ *res = vfy;
-+
-+ return (vfy & RPMVERIFY_LSTATFAIL) ? 1 : 0;
-+}
-+#endif
-+
- void rpmLibsPreload()
- {
- // Don't load rpmrc files.
The are useless for us,
-diff --git a/src/OVAL/probes/unix/linux/rpm-helper.h b/src/OVAL/probes/unix/linux/rpm-helper.h
-index 4e9af8702..f879a5a5b 100644
---- a/src/OVAL/probes/unix/linux/rpm-helper.h
-+++ b/src/OVAL/probes/unix/linux/rpm-helper.h
-@@ -87,6 +87,11 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data);
- #define DISABLE_PLUGINS(ts) rpmDefineMacro(NULL,"__plugindir \"\"", 0);
- #endif
-
-+#ifndef HAVE_RPMVERIFYFILE
-+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
-+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask);
-+#endif
-+
- /**
- * Preload libraries required by rpm
- * It destroy error callback!
---
-2.22.0
-
diff --git a/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch b/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
deleted file mode 100644
index 4294235..0000000
--- a/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 9db9474dd092a67e37af54a2eb898cea625a98cd Mon Sep 17 00:00:00 2001
-From: Panu Matilainen
-Date: Tue, 11 Jun 2019 16:12:56 +0300
-Subject: [PATCH 2/3] Refer to the RPMVERIFY_* constants instead of VERIFY_*
- counterparts
-
-The RPMVERIFY_* values always refer to corresponding file verification
-attributes, which is what we're dealing with here. The VERIFY_*
-constants do not exist in all versions, and include things that
-do not make any sense at all for files anyway, such as VERIFY_DEPS
-and VERIFY_SCRIPT which are package-level operations and VERIFY_SIGNATURE
-and VERIFY_DIGEST which are not verify operations at all.
----
- src/OVAL/probes/unix/linux/rpmverify_probe.c | 21 ++++++----------
- .../probes/unix/linux/rpmverifyfile_probe.c | 25 +++++++++----------
- 2 files changed, 20 insertions(+), 26 deletions(-)
-
-diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
-index 07bd09d84..dbc9523ba 100644
---- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
-@@ -303,19 +303,14 @@ typedef struct {
- } rpmverify_bhmap_t;
-
- const rpmverify_bhmap_t rpmverify_bhmap[] = {
-- { "nodeps", (uint64_t)VERIFY_DEPS },
-- { "nodigest", (uint64_t)VERIFY_DIGEST },
-- { "nofiles", (uint64_t)VERIFY_FILES },
-- { "noscripts", (uint64_t)VERIFY_SCRIPT },
-- { "nosignature", (uint64_t)VERIFY_SIGNATURE },
-- { "nolinkto", (uint64_t)VERIFY_LINKTO },
-- { "nomd5", (uint64_t)VERIFY_MD5 },
-- { "nosize", (uint64_t)VERIFY_SIZE },
-- { "nouser", (uint64_t)VERIFY_USER },
-- { "nogroup", (uint64_t)VERIFY_GROUP },
-- { "nomtime", (uint64_t)VERIFY_MTIME },
-- { "nomode", (uint64_t)VERIFY_MODE },
-- { "nordev", (uint64_t)VERIFY_RDEV },
-+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
-+ { "nomd5", (uint64_t)RPMVERIFY_MD5 },
-+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
-+ { "nouser", (uint64_t)RPMVERIFY_USER },
-+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
-+ { "nomtime",
(uint64_t)RPMVERIFY_MTIME },
-+ { "nomode", (uint64_t)RPMVERIFY_MODE },
-+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
- { "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
- { "noghostfiles", RPMVERIFY_SKIP_GHOST }
- };
-diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-index d81728ebe..10fcdf8df 100644
---- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-@@ -83,11 +83,10 @@ struct rpmverify_res {
- * They all have the same value (1) - see 'rpm/rpmvf.h'.
- */
- #define RPMVERIFY_FILEDIGEST RPMVERIFY_MD5
-- #define VERIFY_FILEDIGEST VERIFY_MD5
-- /* VERIFY_CAPS is not supported in older rpmlib.
-+ /* RPMVERIFY_CAPS is not supported in older rpmlib.
- * We can set it to 0 because 0 is neutral to bit OR operation.
- */
-- #define VERIFY_CAPS 0
-+ #define RPMVERIFY_CAPS 0
- #endif
-
- #define RPMVERIFY_LOCK RPM_MUTEX_LOCK(&g_rpm->mutex)
-@@ -423,18 +422,18 @@ typedef struct {
- } rpmverifyfile_bhmap_t;
-
- const rpmverifyfile_bhmap_t rpmverifyfile_bhmap[] = {
-- { "nolinkto", (uint64_t)VERIFY_LINKTO },
-- { "nomd5", (uint64_t)VERIFY_MD5 }, // deprecated since OVAL 5.11.1
-- { "nosize", (uint64_t)VERIFY_SIZE },
-- { "nouser", (uint64_t)VERIFY_USER },
-- { "nogroup", (uint64_t)VERIFY_GROUP },
-- { "nomtime", (uint64_t)VERIFY_MTIME },
-- { "nomode", (uint64_t)VERIFY_MODE },
-- { "nordev", (uint64_t)VERIFY_RDEV },
-+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
-+ { "nomd5", (uint64_t)RPMVERIFY_MD5 }, // deprecated since OVAL 5.11.1
-+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
-+ { "nouser", (uint64_t)RPMVERIFY_USER },
-+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
-+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
-+ { "nomode", (uint64_t)RPMVERIFY_MODE },
-+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
- { "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
- { "noghostfiles", RPMVERIFY_SKIP_GHOST },
-- { "nofiledigest", (uint64_t)VERIFY_FILEDIGEST },
-- { "nocaps",
(uint64_t)VERIFY_CAPS }
-+ { "nofiledigest", (uint64_t)RPMVERIFY_FILEDIGEST },
-+ { "nocaps", (uint64_t)RPMVERIFY_CAPS }
- };
-
- int rpmverifyfile_probe_main(probe_ctx *ctx, void *arg)
---
-2.22.0
-
diff --git a/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch b/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
deleted file mode 100644
index cc2be0a..0000000
--- a/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen
-Date: Tue, 11 Jun 2019 16:12:57 +0300
-Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
-
-VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
-checks, these checks are performed internally by rpm and failure in
-either will cause the entire header failing to load. These flags allow
-disabling that verification, but this doesn't make sense for openscap
-and doesn't work this way in rpm >= 4.15 anyway.
----
- .../probes/unix/linux/rpmverifypackage_probe.c | 14 --------------
- 1 file changed, 14 deletions(-)
-
-diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-index ed6c714d8..06059ae47 100644
---- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-@@ -69,9 +69,7 @@ typedef struct {
-
- const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
- { "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},
-- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},
- { "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},
-- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
- };
-
- struct rpmverify_res {
-@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
- probe_item_ent_add(item, "dependency_check_passed", NULL, value);
- SEXP_free(value);
- }
-- if (res->vflags & VERIFY_DIGEST) {
-- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
-- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
-- probe_item_ent_add(item, "digest_check_passed", NULL, value);
-- SEXP_free(value);
-- }
- if (res->vflags & VERIFY_SCRIPT) {
- dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ?
"1" : "0"), 1);
- probe_item_ent_add(item, "verification_script_successful", NULL, value);
- SEXP_free(value);
- }
-- if (res->vflags & VERIFY_SIGNATURE) {
-- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
-- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
-- probe_item_ent_add(item, "signature_check_passed", NULL, value);
-- SEXP_free(value);
-- }
-
- return probe_item_collect(ctx, item) == 2 ? 1 : 0;
- }
---
-2.22.0
-
diff --git a/openscap.spec b/openscap.spec
index e596c7a..4c43f88 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -1,15 +1,11 @@
 Name: openscap
-Version: 1.3.1
-Release: 4%{?dist}
+Version: 1.3.2
+Release: 1%{?dist}
 Epoch: 1
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 License: LGPLv2+
 URL: http://www.open-scap.org/
 Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-# https://github.com/OpenSCAP/openscap/pull/1352
-Patch0001: 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
-Patch0002: 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
-Patch0003: 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
 BuildRequires: cmake >= 2.6
 BuildRequires: gcc
 BuildRequires: gcc-c++
@@ -192,6 +188,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %{_mandir}/man8/oscap-podman.8*
 %changelog
+* Tue Jan 14 2020 Jan Černý - 1:1.3.2-1
+- Upgrade to the latest upstream release
+
 * Thu Oct 03 2019 Miro Hrončok - 1:1.3.1-4
 - Rebuilt for Python 3.8.0rc1 (#1748018)
diff --git a/sources b/sources
index d99aaab..7574c90 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openscap-1.3.1.tar.gz) = c42c59a19e3f71a4ef55daa82be7a2b66514dfe4a98b8e897a03d4785b25395a3508ff2457072d3ae123328a104cab054e64dcb52209ae77060542484439d859
+SHA512 (openscap-1.3.2.tar.gz) = 7f41c223d9ca1228a03cc4d16c4ee57279ec55954aa0c5b9d8fc602e267ab1fbd31bbb102fd556563a37091c3307e09487f0a85992eaf01d70b5812455ab0235