openscap-1.3.2-1

This commit is contained in:
Jan Černý 2020-01-14 12:29:56 +01:00
parent 6c7ca3dc9b
commit 431857fd33
6 changed files with 7 additions and 229 deletions

1
.gitignore vendored
View File

@ -64,3 +64,4 @@ openscap-0.6.0.tar.gz
/openscap-1.3.0_alpha2.tar.gz /openscap-1.3.0_alpha2.tar.gz
/openscap-1.3.0.tar.gz /openscap-1.3.0.tar.gz
/openscap-1.3.1.tar.gz /openscap-1.3.1.tar.gz
/openscap-1.3.2.tar.gz

View File

@ -1,67 +0,0 @@
From e09334091d5678b666ea4e92d1a4b55838aa1a41 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 11 Jun 2019 16:12:55 +0300
Subject: [PATCH 1/3] Handle rpmVerifyFile() removal in rpm >= 4.15
Using rpmfiVerify() directly would be simpler but if upstream wants
to preserve compatibility with older rpms...
---
CMakeLists.txt | 1 +
src/OVAL/probes/unix/linux/rpm-helper.c | 12 ++++++++++++
src/OVAL/probes/unix/linux/rpm-helper.h | 5 +++++
3 files changed, 18 insertions(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 720d8d8eb..058319599 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -132,6 +132,7 @@ if(RPM_FOUND)
check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
+ check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
set(HAVE_RPMVERCMP 1)
endif()
diff --git a/src/OVAL/probes/unix/linux/rpm-helper.c b/src/OVAL/probes/unix/linux/rpm-helper.c
index bfb95c363..4d23cf202 100644
--- a/src/OVAL/probes/unix/linux/rpm-helper.c
+++ b/src/OVAL/probes/unix/linux/rpm-helper.c
@@ -32,6 +32,18 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data)
}
#endif
+#ifndef HAVE_RPMVERIFYFILE
+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask)
+{
+ rpmVerifyAttrs vfy = rpmfiVerify(fi, omitMask);
+ if (res)
+ *res = vfy;
+
+ return (vfy & RPMVERIFY_LSTATFAIL) ? 1 : 0;
+}
+#endif
+
void rpmLibsPreload()
{
// Don't load rpmrc files. The are useless for us,
diff --git a/src/OVAL/probes/unix/linux/rpm-helper.h b/src/OVAL/probes/unix/linux/rpm-helper.h
index 4e9af8702..f879a5a5b 100644
--- a/src/OVAL/probes/unix/linux/rpm-helper.h
+++ b/src/OVAL/probes/unix/linux/rpm-helper.h
@@ -87,6 +87,11 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data);
#define DISABLE_PLUGINS(ts) rpmDefineMacro(NULL,"__plugindir \"\"", 0);
#endif
+#ifndef HAVE_RPMVERIFYFILE
+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask);
+#endif
+
/**
* Preload libraries required by rpm
* It destroy error callback!
--
2.22.0

View File

@ -1,99 +0,0 @@
From 9db9474dd092a67e37af54a2eb898cea625a98cd Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 11 Jun 2019 16:12:56 +0300
Subject: [PATCH 2/3] Refer to the RPMVERIFY_* constants instead of VERIFY_*
counterparts
The RPMVERIFY_* values always refer to corresponding file verification
attributes, which is what we're dealing with here. The VERIFY_*
constants do not exist in all versions, and include things that
do not make any sense at all for files anyway, such as VERIFY_DEPS
and VERIFY_SCRIPT which are package-level operations and VERIFY_SIGNATURE
and VERIFY_DIGEST which are not verify operations at all.
---
src/OVAL/probes/unix/linux/rpmverify_probe.c | 21 ++++++----------
.../probes/unix/linux/rpmverifyfile_probe.c | 25 +++++++++----------
2 files changed, 20 insertions(+), 26 deletions(-)
diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
index 07bd09d84..dbc9523ba 100644
--- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
+++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
@@ -303,19 +303,14 @@ typedef struct {
} rpmverify_bhmap_t;
const rpmverify_bhmap_t rpmverify_bhmap[] = {
- { "nodeps", (uint64_t)VERIFY_DEPS },
- { "nodigest", (uint64_t)VERIFY_DIGEST },
- { "nofiles", (uint64_t)VERIFY_FILES },
- { "noscripts", (uint64_t)VERIFY_SCRIPT },
- { "nosignature", (uint64_t)VERIFY_SIGNATURE },
- { "nolinkto", (uint64_t)VERIFY_LINKTO },
- { "nomd5", (uint64_t)VERIFY_MD5 },
- { "nosize", (uint64_t)VERIFY_SIZE },
- { "nouser", (uint64_t)VERIFY_USER },
- { "nogroup", (uint64_t)VERIFY_GROUP },
- { "nomtime", (uint64_t)VERIFY_MTIME },
- { "nomode", (uint64_t)VERIFY_MODE },
- { "nordev", (uint64_t)VERIFY_RDEV },
+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
+ { "nomd5", (uint64_t)RPMVERIFY_MD5 },
+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
+ { "nouser", (uint64_t)RPMVERIFY_USER },
+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
+ { "nomode", (uint64_t)RPMVERIFY_MODE },
+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
{ "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
{ "noghostfiles", RPMVERIFY_SKIP_GHOST }
};
diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
index d81728ebe..10fcdf8df 100644
--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
@@ -83,11 +83,10 @@ struct rpmverify_res {
* They all have the same value (1) - see 'rpm/rpmvf.h'.
*/
#define RPMVERIFY_FILEDIGEST RPMVERIFY_MD5
- #define VERIFY_FILEDIGEST VERIFY_MD5
- /* VERIFY_CAPS is not supported in older rpmlib.
+ /* RPMVERIFY_CAPS is not supported in older rpmlib.
* We can set it to 0 because 0 is neutral to bit OR operation.
*/
- #define VERIFY_CAPS 0
+ #define RPMVERIFY_CAPS 0
#endif
#define RPMVERIFY_LOCK RPM_MUTEX_LOCK(&g_rpm->mutex)
@@ -423,18 +422,18 @@ typedef struct {
} rpmverifyfile_bhmap_t;
const rpmverifyfile_bhmap_t rpmverifyfile_bhmap[] = {
- { "nolinkto", (uint64_t)VERIFY_LINKTO },
- { "nomd5", (uint64_t)VERIFY_MD5 }, // deprecated since OVAL 5.11.1
- { "nosize", (uint64_t)VERIFY_SIZE },
- { "nouser", (uint64_t)VERIFY_USER },
- { "nogroup", (uint64_t)VERIFY_GROUP },
- { "nomtime", (uint64_t)VERIFY_MTIME },
- { "nomode", (uint64_t)VERIFY_MODE },
- { "nordev", (uint64_t)VERIFY_RDEV },
+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
+ { "nomd5", (uint64_t)RPMVERIFY_MD5 }, // deprecated since OVAL 5.11.1
+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
+ { "nouser", (uint64_t)RPMVERIFY_USER },
+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
+ { "nomode", (uint64_t)RPMVERIFY_MODE },
+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
{ "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
{ "noghostfiles", RPMVERIFY_SKIP_GHOST },
- { "nofiledigest", (uint64_t)VERIFY_FILEDIGEST },
- { "nocaps", (uint64_t)VERIFY_CAPS }
+ { "nofiledigest", (uint64_t)RPMVERIFY_FILEDIGEST },
+ { "nocaps", (uint64_t)RPMVERIFY_CAPS }
};
int rpmverifyfile_probe_main(probe_ctx *ctx, void *arg)
--
2.22.0

View File

@ -1,56 +0,0 @@
From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 11 Jun 2019 16:12:57 +0300
Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
checks, these checks are performed internally by rpm and failure in
either will cause the entire header failing to load. These flags allow
disabling that verification, but this doesn't make sense for openscap
and doesn't work this way in rpm >= 4.15 anyway.
---
.../probes/unix/linux/rpmverifypackage_probe.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
index ed6c714d8..06059ae47 100644
--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
@@ -69,9 +69,7 @@ typedef struct {
const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
{ "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},
- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},
{ "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},
- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
};
struct rpmverify_res {
@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
probe_item_ent_add(item, "dependency_check_passed", NULL, value);
SEXP_free(value);
}
- if (res->vflags & VERIFY_DIGEST) {
- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
- probe_item_ent_add(item, "digest_check_passed", NULL, value);
- SEXP_free(value);
- }
if (res->vflags & VERIFY_SCRIPT) {
dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
probe_item_ent_add(item, "verification_script_successful", NULL, value);
SEXP_free(value);
}
- if (res->vflags & VERIFY_SIGNATURE) {
- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
- probe_item_ent_add(item, "signature_check_passed", NULL, value);
- SEXP_free(value);
- }
return probe_item_collect(ctx, item) == 2 ? 1 : 0;
}
--
2.22.0

View File

@ -1,15 +1,11 @@
Name: openscap Name: openscap
Version: 1.3.1 Version: 1.3.2
Release: 4%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
Summary: Set of open source libraries enabling integration of the SCAP line of standards Summary: Set of open source libraries enabling integration of the SCAP line of standards
License: LGPLv2+ License: LGPLv2+
URL: http://www.open-scap.org/ URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
# https://github.com/OpenSCAP/openscap/pull/1352
Patch0001: 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
Patch0002: 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
Patch0003: 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
BuildRequires: cmake >= 2.6 BuildRequires: cmake >= 2.6
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -192,6 +188,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
%{_mandir}/man8/oscap-podman.8* %{_mandir}/man8/oscap-podman.8*
%changelog %changelog
* Tue Jan 14 2020 Jan Černý <jcerny@redhat.com> - 1:1.3.2-1
- Upgrade to the latest upstream release
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1:1.3.1-4 * Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1:1.3.1-4
- Rebuilt for Python 3.8.0rc1 (#1748018) - Rebuilt for Python 3.8.0rc1 (#1748018)

View File

@ -1 +1 @@
SHA512 (openscap-1.3.1.tar.gz) = c42c59a19e3f71a4ef55daa82be7a2b66514dfe4a98b8e897a03d4785b25395a3508ff2457072d3ae123328a104cab054e64dcb52209ae77060542484439d859 SHA512 (openscap-1.3.2.tar.gz) = 7f41c223d9ca1228a03cc4d16c4ee57279ec55954aa0c5b9d8fc602e267ab1fbd31bbb102fd556563a37091c3307e09487f0a85992eaf01d70b5812455ab0235