From 67c1c7bf86b1ff6bf8f7f1499ba5a7f59d16348c Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 29 Apr 2025 14:05:35 +0200
Subject: [PATCH] Upgrade to the latest upstream release
Resolves: RHEL-88842
---
 .gitignore | 4 +--
 2218.patch | 30 ++++++++++++++++
 2224.patch | 47 +++++++++++++++++++++++++
 2233.patch | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++
 openscap.spec | 13 +++++--
 sources | 2 +-
 6 files changed, 187 insertions(+), 6 deletions(-)
 create mode 100644 2218.patch
 create mode 100644 2224.patch
 create mode 100644 2233.patch
diff --git a/.gitignore b/.gitignore
index 8c0cba3..0768770 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1 @@
-SOURCES/openscap-1.3.7.tar.gz
-/openscap-1.3.7.tar.gz
-/openscap-1.3.10.tar.gz
+/openscap-1.3.*.tar.gz
diff --git a/2218.patch b/2218.patch
new file mode 100644
index 0000000..4bdd101
--- /dev/null
+++ b/2218.patch
@@ -0,0 +1,30 @@
+From a65dff2815eb10c3e420c61c81f1793a683630dc Mon Sep 17 00:00:00 2001
+From: Flos Lonicerae
+Date: Sat, 19 Oct 2024 18:58:30 +0800
+Subject: [PATCH] Make a copy before spliting.
+
+---
+ src/OVAL/probes/probe/worker.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
+index d667127d63..e0a07c31ec 100644
+--- a/src/OVAL/probes/probe/worker.c
++++ b/src/OVAL/probes/probe/worker.c
+@@ -985,7 +985,7 @@ static SEXP_t *probe_set_eval(probe_t *probe, SEXP_t *set, size_t depth)
+
+ static void _add_blocked_paths(struct oscap_list *bpaths)
+ {
+- char *envar = getenv("OSCAP_PROBE_IGNORE_PATHS");
++ char *envar = oscap_strdup(getenv("OSCAP_PROBE_IGNORE_PATHS"));
+ if (envar == NULL) {
+ return;
+ }
+@@ -996,6 +996,7 @@ static void _add_blocked_paths(struct oscap_list *bpaths)
+ for (int i = 0; paths[i]; ++i) {
+ oscap_list_add(bpaths, strdup(paths[i]));
+ }
++ free(envar);
+ free(paths);
+ #endif
+ }
diff --git a/2224.patch b/2224.patch
new file mode 100644
index 0000000..f44a4fe
--- /dev/null
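Review bot: The `free(envar);` added in 2218.patch sits inside the preprocessor branch closed by `#endif`, while the `oscap_strdup()` copy is made unconditionally at the top of `_add_blocked_paths()`. The other branch of that conditional lies between the two inner hunks and is not visible; if it does not release the copy, the string leaks there. Unless that branch keeps the pointer, the release belongs on the common exit path, i.e. `free(envar);` moved below `#endif`. Separately, the context line `oscap_list_add(bpaths, strdup(paths[i]));` adds the result of `strdup()` unchecked, so an allocation failure would put NULL into the blocked-path list.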
+++ b/2224.patch
@@ -0,0 +1,47 @@
+From d38914a4d62b2ad9d011a530bf39b4acf76e5b1b Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov
+Date: Tue, 15 Apr 2025 15:05:07 +0200
+Subject: [PATCH] tests: OVAL/API/skip_paths
+
+Modify the test so it could catch the regression
+with environment variable modified during execution.
+See #2168.
+---
+ tests/API/OVAL/skip_paths/test_skip_paths.sh | 4 ++--
+ tests/API/OVAL/skip_paths/test_skip_paths.xml | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tests/API/OVAL/skip_paths/test_skip_paths.sh b/tests/API/OVAL/skip_paths/test_skip_paths.sh
+index 4b69c9aa33..26dc5b395a 100755
+--- a/tests/API/OVAL/skip_paths/test_skip_paths.sh
++++ b/tests/API/OVAL/skip_paths/test_skip_paths.sh
+@@ -15,8 +15,8 @@ cp "$srcdir/test.xml" "$root/b/"
+ mkdir -p "$root/c"
+ touch "$root/c/z"
+ cp "$srcdir/test.xml" "$root/c/"
+-# oscap probes will skip directories "b" and "c"
+-export OSCAP_PROBE_IGNORE_PATHS="$root/b:$root/c"
++# oscap probes will skip directories "$root/n", "$root/b" and "$root/c"
++export OSCAP_PROBE_IGNORE_PATHS="$root/n:$root/c:$root/b"
+ $OSCAP oval eval --results $result "$srcdir/test_skip_paths.xml"
+ assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]'
+ assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@id="oval:x:obj:1" and @flag="complete"]'
+diff --git a/tests/API/OVAL/skip_paths/test_skip_paths.xml b/tests/API/OVAL/skip_paths/test_skip_paths.xml
+index a03196153b..57048f3ef7 100644
+--- a/tests/API/OVAL/skip_paths/test_skip_paths.xml
++++ b/tests/API/OVAL/skip_paths/test_skip_paths.xml
+@@ -90,12 +90,12 @@
+
+ /tmp/oscap_test_skip_paths/a/x
+ ^.*$
+- 1
++ 1
+
+
+ /tmp/oscap_test_skip_paths/b/y
+ ^.*$
+- 1
++ 1
+
+
+ /tmp/oscap_test_skip_paths/a/x
diff --git a/2233.patch b/2233.patch
new file mode 100644
index 0000000..bf6c4de
--- /dev/null
+++ b/2233.patch
@@ -0,0 +1,97 @@
+From 94934207b34978f92ab2f7b7cc0e8a73508c8266 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov
+Date: Thu, 17 Apr 2025 14:02:55 +0200
+Subject: [PATCH] Inherit opscap environment when executing Bash remediations
+ with --remediate
+
+Make the Bash remediation environment consistent with other
+types of remediation.
+---
+ src/XCCDF_POLICY/xccdf_policy_remediate.c | 8 ++-----
+ tests/API/XCCDF/unittests/CMakeLists.txt | 1 +
+ .../unittests/test_remediation_environment.sh | 21 +++++++++++++++++++
+ .../test_remediation_environment.xccdf.xml | 16 ++++++++++++++
+ 4 files changed, 40 insertions(+), 6 deletions(-)
+ create mode 100755 tests/API/XCCDF/unittests/test_remediation_environment.sh
+ create mode 100644 tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+
+diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+index d99f6d49de..842ef2df9d 100644
+--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
++++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+@@ -464,12 +464,8 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
+ NULL
+ };
+
+- char *const envp[2] = {
+- "PATH=/bin:/sbin:/usr/bin:/usr/sbin",
+- NULL
+- };
+-
+- execve(interpret, argvp, envp);
++ // We are inheriting openscap environment
++ execve(interpret, argvp, environ);
+ /* Wow, execve returned. In this special case, we failed to execute the fix
+ * and we return 0 from function. At least the following error message will
+ * indicate the problem in xccdf:message. */
+diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
+index 164b795e0e..ef835e3506 100644
+--- a/tests/API/XCCDF/unittests/CMakeLists.txt
++++ b/tests/API/XCCDF/unittests/CMakeLists.txt
+@@ -92,6 +92,7 @@ add_oscap_test("test_remediation_cdata.sh")
+ add_oscap_test("test_remediation_subs_unresolved.sh")
+ add_oscap_test("test_remediation_fix_without_system.sh")
+ add_oscap_test("test_remediation_invalid_characters.sh")
++add_oscap_test("test_remediation_environment.sh")
+ add_oscap_test("test_remediate_simple.sh")
+ add_oscap_test("test_remediate_perl.sh")
+ add_oscap_test("test_report_check_with_empty_selector.sh")
+diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.sh b/tests/API/XCCDF/unittests/test_remediation_environment.sh
+new file mode 100755
+index 0000000000..1f5fd0afbf
+--- /dev/null
++++ b/tests/API/XCCDF/unittests/test_remediation_environment.sh
+@@ -0,0 +1,21 @@
++#!/usr/bin/env bash
++. $builddir/tests/test_common.sh
++
++set -e
++set -o pipefail
++
++name=$(basename $0 .sh)
++result=$(mktemp -t ${name}.out.XXXXXX)
++
++rm -f remediation.env
++
++CANARY_EXPORTED="CANARY_EXPORTED_VALUE"
++export CANARY_EXPORTED
++CANARY_PROCESS="CANARY_PROCESS_VALUE" $OSCAP xccdf eval --remediate $srcdir/${name}.xccdf.xml || true
++
++grep -q "${PATH}" remediation.env || die "PATH not found"
++grep -q "CANARY_EXPORTED_VALUE" remediation.env || die "CANARY_EXPORTED_VALUE not found"
++grep -q "CANARY_PROCESS_VALUE" remediation.env || die "CANARY_PROCESS_VALUE not found"
++
++rm -f remediation.env
++rm $result
+diff --git a/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+new file mode 100644
+index 0000000000..0875b6c241
+--- /dev/null
++++ b/tests/API/XCCDF/unittests/test_remediation_environment.xccdf.xml
+@@ -0,0 +1,16 @@
++
++
++ accepted
++ 1.0
++
++ Write some environment variables
++
++ echo "PATH=${PATH}" > remediation.env
++ echo "CANARY_EXPORTED=${CANARY_EXPORTED}" >> remediation.env
++ echo "CANARY_PROCESS=${CANARY_PROCESS}" >> remediation.env
++
++
++
++
++
++
diff --git a/openscap.spec b/openscap.spec
index d37e80c..5dfff5f 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -1,11 +1,14 @@
 Name: openscap
-Version: 1.3.10
-Release: 3%{?dist}
+Version: 1.3.12
+Release: 1%{?dist}
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 Group: System Environment/Libraries
 License: LGPLv2+
 URL: http://www.open-scap.org/
 Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0: 2218.patch
+Patch1: 2224.patch
+Patch2: 2233.patch
 BuildRequires: cmake >= 2.6
 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires: rpm-devel
@@ -134,6 +137,7 @@ cd build
 %cmake -DENABLE_PERL=OFF \
 -DENABLE_DOCS=ON \
 -DENABLE_OSCAP_UTIL_DOCKER=OFF \
+ -DENABLE_OSCAP_UTIL_IM=OFF \
 -DENABLE_OSCAP_UTIL_CHROOT=ON \
 -DENABLE_OSCAP_UTIL_PODMAN=ON \
 -DENABLE_OSCAP_UTIL_VM=ON \
@@ -216,6 +220,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/oscap-run-sce-script
 %changelog
+* Fri Apr 25 2025 Evgenii Kolesnikov - 1:1.3.12-1
+- Upgrade to the latest upstream release (RHEL-88842)
+- Fix error when tailoring DISA content (RHEL-34104)
+- Fix OSCAP_PROBE_IGNORE_PATHS handling (RHEL-67297)
+
 * Wed Aug 07 2024 Milan Lysonek - 1.3.10-3
 - Switch gating to tmt plan (RHEL-43240)
diff --git a/sources b/sources
index 2c75d2f..13e7113 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openscap-1.3.10.tar.gz) = 007556b8f020636f6613c2b1192a8b96dfb21b62994a3e257619d48021ad962f95b724c3ac9709a60dbbf7dba8f2499ff8b9b56a7f2d293ca3a8d6ec8107f595
+SHA512 (openscap-1.3.12.tar.gz) = a37f39012bdca0dee35ce07d8b50e8b95924a49267bf3793ee84de01431e4e27841d267cd5eee45b0782e7f549e656248e57fd31c0e022ab544f2a03246b9aec
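Review bot: Passing `environ` to `execve()` in `_xccdf_fix_execute()` (2233.patch) removes the fixed `PATH=/bin:/sbin:/usr/bin:/usr/sbin` the fix interpreter used to run with. A `--remediate` run, which is often privileged, now resolves commands through the caller's PATH and honours every other variable the caller exported, loader and shell start-up settings included. The one-line comment should state that trust assumption, e.g. `/* fix scripts inherit the caller's environment unfiltered; run --remediate only from a trusted environment */`, or the child should be given a filtered copy of `environ`. The hunk shows no declaration of `environ`, and the function body continues outside it, so confirm the file declares `extern char **environ;` or enables a feature macro that exposes it. In the new test, `grep -q "${PATH}"` reads PATH as a regular expression; `grep -qF -- "PATH=${PATH}" remediation.env` would match it literally.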