openscap-1.3.2-1
parent
6c7ca3dc9b
commit
431857fd33
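--- a/.gitignore
+++ b/.gitignore
@@ -64,3 +64,4 @@ openscap-0.6.0.tar.gz
 /openscap-1.3.0_alpha2.tar.gz
 /openscap-1.3.0.tar.gz
 /openscap-1.3.1.tar.gz
+/openscap-1.3.2.tar.gz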
@ -1,67 +0,0 @@
|
|||||||
From e09334091d5678b666ea4e92d1a4b55838aa1a41 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Panu Matilainen <pmatilai@redhat.com>
|
|
||||||
Date: Tue, 11 Jun 2019 16:12:55 +0300
|
|
||||||
Subject: [PATCH 1/3] Handle rpmVerifyFile() removal in rpm >= 4.15
|
|
||||||
|
|
||||||
Using rpmfiVerify() directly would be simpler but if upstream wants
|
|
||||||
to preserve compatibility with older rpms...
|
|
||||||
---
|
|
||||||
CMakeLists.txt | 1 +
|
|
||||||
src/OVAL/probes/unix/linux/rpm-helper.c | 12 ++++++++++++
|
|
||||||
src/OVAL/probes/unix/linux/rpm-helper.h | 5 +++++
|
|
||||||
3 files changed, 18 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
||||||
index 720d8d8eb..058319599 100644
|
|
||||||
--- a/CMakeLists.txt
|
|
||||||
+++ b/CMakeLists.txt
|
|
||||||
@@ -132,6 +132,7 @@ if(RPM_FOUND)
|
|
||||||
check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
|
|
||||||
check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
|
|
||||||
check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
|
|
||||||
+ check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
|
|
||||||
set(HAVE_RPMVERCMP 1)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
diff --git a/src/OVAL/probes/unix/linux/rpm-helper.c b/src/OVAL/probes/unix/linux/rpm-helper.c
|
|
||||||
index bfb95c363..4d23cf202 100644
|
|
||||||
--- a/src/OVAL/probes/unix/linux/rpm-helper.c
|
|
||||||
+++ b/src/OVAL/probes/unix/linux/rpm-helper.c
|
|
||||||
@@ -32,6 +32,18 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data)
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifndef HAVE_RPMVERIFYFILE
|
|
||||||
+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
|
|
||||||
+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask)
|
|
||||||
+{
|
|
||||||
+ rpmVerifyAttrs vfy = rpmfiVerify(fi, omitMask);
|
|
||||||
+ if (res)
|
|
||||||
+ *res = vfy;
|
|
||||||
+
|
|
||||||
+ return (vfy & RPMVERIFY_LSTATFAIL) ? 1 : 0;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
void rpmLibsPreload()
|
|
||||||
{
|
|
||||||
// Don't load rpmrc files. The are useless for us,
|
|
||||||
diff --git a/src/OVAL/probes/unix/linux/rpm-helper.h b/src/OVAL/probes/unix/linux/rpm-helper.h
|
|
||||||
index 4e9af8702..f879a5a5b 100644
|
|
||||||
--- a/src/OVAL/probes/unix/linux/rpm-helper.h
|
|
||||||
+++ b/src/OVAL/probes/unix/linux/rpm-helper.h
|
|
||||||
@@ -87,6 +87,11 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data);
|
|
||||||
#define DISABLE_PLUGINS(ts) rpmDefineMacro(NULL,"__plugindir \"\"", 0);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifndef HAVE_RPMVERIFYFILE
|
|
||||||
+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
|
|
||||||
+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* Preload libraries required by rpm
|
|
||||||
* It destroy error callback!
|
|
||||||
--
|
|
||||||
2.22.0
|
|
||||||
|
|
@ -1,99 +0,0 @@
|
|||||||
From 9db9474dd092a67e37af54a2eb898cea625a98cd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Panu Matilainen <pmatilai@redhat.com>
|
|
||||||
Date: Tue, 11 Jun 2019 16:12:56 +0300
|
|
||||||
Subject: [PATCH 2/3] Refer to the RPMVERIFY_* constants instead of VERIFY_*
|
|
||||||
counterparts
|
|
||||||
|
|
||||||
The RPMVERIFY_* values always refer to corresponding file verification
|
|
||||||
attributes, which is what we're dealing with here. The VERIFY_*
|
|
||||||
constants do not exist in all versions, and include things that
|
|
||||||
do not make any sense at all for files anyway, such as VERIFY_DEPS
|
|
||||||
and VERIFY_SCRIPT which are package-level operations and VERIFY_SIGNATURE
|
|
||||||
and VERIFY_DIGEST which are not verify operations at all.
|
|
||||||
---
|
|
||||||
src/OVAL/probes/unix/linux/rpmverify_probe.c | 21 ++++++----------
|
|
||||||
.../probes/unix/linux/rpmverifyfile_probe.c | 25 +++++++++----------
|
|
||||||
2 files changed, 20 insertions(+), 26 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
|
|
||||||
index 07bd09d84..dbc9523ba 100644
|
|
||||||
--- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
|
|
||||||
+++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
|
|
||||||
@@ -303,19 +303,14 @@ typedef struct {
|
|
||||||
} rpmverify_bhmap_t;
|
|
||||||
|
|
||||||
const rpmverify_bhmap_t rpmverify_bhmap[] = {
|
|
||||||
- { "nodeps", (uint64_t)VERIFY_DEPS },
|
|
||||||
- { "nodigest", (uint64_t)VERIFY_DIGEST },
|
|
||||||
- { "nofiles", (uint64_t)VERIFY_FILES },
|
|
||||||
- { "noscripts", (uint64_t)VERIFY_SCRIPT },
|
|
||||||
- { "nosignature", (uint64_t)VERIFY_SIGNATURE },
|
|
||||||
- { "nolinkto", (uint64_t)VERIFY_LINKTO },
|
|
||||||
- { "nomd5", (uint64_t)VERIFY_MD5 },
|
|
||||||
- { "nosize", (uint64_t)VERIFY_SIZE },
|
|
||||||
- { "nouser", (uint64_t)VERIFY_USER },
|
|
||||||
- { "nogroup", (uint64_t)VERIFY_GROUP },
|
|
||||||
- { "nomtime", (uint64_t)VERIFY_MTIME },
|
|
||||||
- { "nomode", (uint64_t)VERIFY_MODE },
|
|
||||||
- { "nordev", (uint64_t)VERIFY_RDEV },
|
|
||||||
+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
|
|
||||||
+ { "nomd5", (uint64_t)RPMVERIFY_MD5 },
|
|
||||||
+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
|
|
||||||
+ { "nouser", (uint64_t)RPMVERIFY_USER },
|
|
||||||
+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
|
|
||||||
+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
|
|
||||||
+ { "nomode", (uint64_t)RPMVERIFY_MODE },
|
|
||||||
+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
|
|
||||||
{ "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
|
|
||||||
{ "noghostfiles", RPMVERIFY_SKIP_GHOST }
|
|
||||||
};
|
|
||||||
diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
|
|
||||||
index d81728ebe..10fcdf8df 100644
|
|
||||||
--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
|
|
||||||
+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
|
|
||||||
@@ -83,11 +83,10 @@ struct rpmverify_res {
|
|
||||||
* They all have the same value (1) - see 'rpm/rpmvf.h'.
|
|
||||||
*/
|
|
||||||
#define RPMVERIFY_FILEDIGEST RPMVERIFY_MD5
|
|
||||||
- #define VERIFY_FILEDIGEST VERIFY_MD5
|
|
||||||
- /* VERIFY_CAPS is not supported in older rpmlib.
|
|
||||||
+ /* RPMVERIFY_CAPS is not supported in older rpmlib.
|
|
||||||
* We can set it to 0 because 0 is neutral to bit OR operation.
|
|
||||||
*/
|
|
||||||
- #define VERIFY_CAPS 0
|
|
||||||
+ #define RPMVERIFY_CAPS 0
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define RPMVERIFY_LOCK RPM_MUTEX_LOCK(&g_rpm->mutex)
|
|
||||||
@@ -423,18 +422,18 @@ typedef struct {
|
|
||||||
} rpmverifyfile_bhmap_t;
|
|
||||||
|
|
||||||
const rpmverifyfile_bhmap_t rpmverifyfile_bhmap[] = {
|
|
||||||
- { "nolinkto", (uint64_t)VERIFY_LINKTO },
|
|
||||||
- { "nomd5", (uint64_t)VERIFY_MD5 }, // deprecated since OVAL 5.11.1
|
|
||||||
- { "nosize", (uint64_t)VERIFY_SIZE },
|
|
||||||
- { "nouser", (uint64_t)VERIFY_USER },
|
|
||||||
- { "nogroup", (uint64_t)VERIFY_GROUP },
|
|
||||||
- { "nomtime", (uint64_t)VERIFY_MTIME },
|
|
||||||
- { "nomode", (uint64_t)VERIFY_MODE },
|
|
||||||
- { "nordev", (uint64_t)VERIFY_RDEV },
|
|
||||||
+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
|
|
||||||
+ { "nomd5", (uint64_t)RPMVERIFY_MD5 }, // deprecated since OVAL 5.11.1
|
|
||||||
+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
|
|
||||||
+ { "nouser", (uint64_t)RPMVERIFY_USER },
|
|
||||||
+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
|
|
||||||
+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
|
|
||||||
+ { "nomode", (uint64_t)RPMVERIFY_MODE },
|
|
||||||
+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
|
|
||||||
{ "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
|
|
||||||
{ "noghostfiles", RPMVERIFY_SKIP_GHOST },
|
|
||||||
- { "nofiledigest", (uint64_t)VERIFY_FILEDIGEST },
|
|
||||||
- { "nocaps", (uint64_t)VERIFY_CAPS }
|
|
||||||
+ { "nofiledigest", (uint64_t)RPMVERIFY_FILEDIGEST },
|
|
||||||
+ { "nocaps", (uint64_t)RPMVERIFY_CAPS }
|
|
||||||
};
|
|
||||||
|
|
||||||
int rpmverifyfile_probe_main(probe_ctx *ctx, void *arg)
|
|
||||||
--
|
|
||||||
2.22.0
|
|
||||||
|
|
@ -1,56 +0,0 @@
|
|||||||
From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Panu Matilainen <pmatilai@redhat.com>
|
|
||||||
Date: Tue, 11 Jun 2019 16:12:57 +0300
|
|
||||||
Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
|
|
||||||
|
|
||||||
VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
|
|
||||||
checks, these checks are performed internally by rpm and failure in
|
|
||||||
either will cause the entire header failing to load. These flags allow
|
|
||||||
disabling that verification, but this doesn't make sense for openscap
|
|
||||||
and doesn't work this way in rpm >= 4.15 anyway.
|
|
||||||
---
|
|
||||||
.../probes/unix/linux/rpmverifypackage_probe.c | 14 --------------
|
|
||||||
1 file changed, 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
|
|
||||||
index ed6c714d8..06059ae47 100644
|
|
||||||
--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
|
|
||||||
+++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
|
|
||||||
@@ -69,9 +69,7 @@ typedef struct {
|
|
||||||
|
|
||||||
const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
|
|
||||||
{ "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},
|
|
||||||
- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},
|
|
||||||
{ "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},
|
|
||||||
- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
|
|
||||||
};
|
|
||||||
|
|
||||||
struct rpmverify_res {
|
|
||||||
@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
|
|
||||||
probe_item_ent_add(item, "dependency_check_passed", NULL, value);
|
|
||||||
SEXP_free(value);
|
|
||||||
}
|
|
||||||
- if (res->vflags & VERIFY_DIGEST) {
|
|
||||||
- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
|
|
||||||
- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
|
|
||||||
- probe_item_ent_add(item, "digest_check_passed", NULL, value);
|
|
||||||
- SEXP_free(value);
|
|
||||||
- }
|
|
||||||
if (res->vflags & VERIFY_SCRIPT) {
|
|
||||||
dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
|
|
||||||
value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
|
|
||||||
probe_item_ent_add(item, "verification_script_successful", NULL, value);
|
|
||||||
SEXP_free(value);
|
|
||||||
}
|
|
||||||
- if (res->vflags & VERIFY_SIGNATURE) {
|
|
||||||
- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
|
|
||||||
- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
|
|
||||||
- probe_item_ent_add(item, "signature_check_passed", NULL, value);
|
|
||||||
- SEXP_free(value);
|
|
||||||
- }
|
|
||||||
|
|
||||||
return probe_item_collect(ctx, item) == 2 ? 1 : 0;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.22.0
|
|
||||||
|
|
@ -1,15 +1,11 @@
|
|||||||
Name: openscap
|
Name: openscap
|
||||||
Version: 1.3.1
|
Version: 1.3.2
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Summary: Set of open source libraries enabling integration of the SCAP line of standards
|
Summary: Set of open source libraries enabling integration of the SCAP line of standards
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://www.open-scap.org/
|
URL: http://www.open-scap.org/
|
||||||
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||||
# https://github.com/OpenSCAP/openscap/pull/1352
|
|
||||||
Patch0001: 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
|
|
||||||
Patch0002: 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
|
|
||||||
Patch0003: 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
|
|
||||||
BuildRequires: cmake >= 2.6
|
BuildRequires: cmake >= 2.6
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -192,6 +188,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
|
|||||||
%{_mandir}/man8/oscap-podman.8*
|
%{_mandir}/man8/oscap-podman.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 14 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.2-1
|
||||||
|
- Upgrade to the latest upstream release
|
||||||
|
|
||||||
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1:1.3.1-4
|
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1:1.3.1-4
|
||||||
- Rebuilt for Python 3.8.0rc1 (#1748018)
|
- Rebuilt for Python 3.8.0rc1 (#1748018)
|
||||||
|
|
||||||
|
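--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openscap-1.3.1.tar.gz) = c42c59a19e3f71a4ef55daa82be7a2b66514dfe4a98b8e897a03d4785b25395a3508ff2457072d3ae123328a104cab054e64dcb52209ae77060542484439d859
+SHA512 (openscap-1.3.2.tar.gz) = 7f41c223d9ca1228a03cc4d16c4ee57279ec55954aa0c5b9d8fc602e267ab1fbd31bbb102fd556563a37091c3307e09487f0a85992eaf01d70b5812455ab0235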