import openscap-1.3.3-2.el8

This commit is contained in:
CentOS Sources 2020-07-28 07:35:04 -04:00 committed by Stepan Oksanichenko
parent 9245d8bb40
commit 7f02774543
6 changed files with 343 additions and 41 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/openscap-1.3.1.tar.gz
SOURCES/openscap-1.3.3.tar.gz


@ -1 +1 @@
4783aa3943d3ea99719bda0e6cbfbc96f5841a6f SOURCES/openscap-1.3.1.tar.gz
6988d1ea7b86669d410ab5defc1be394cba5b017 SOURCES/openscap-1.3.3.tar.gz



@ -0,0 +1,59 @@
diff --git a/src/OVAL/probes/independent/environmentvariable58_probe.c b/src/OVAL/probes/independent/environmentvariable58_probe.c
index 552ce6700..77233aeeb 100644
--- a/src/OVAL/probes/independent/environmentvariable58_probe.c
+++ b/src/OVAL/probes/independent/environmentvariable58_probe.c
@@ -96,32 +96,32 @@ static int read_environment(SEXP_t *pid_ent, SEXP_t *name_ent, probe_ctx *ctx)
ssize_t buffer_used;
size_t buffer_size;
+ const char *extra_vars = getenv("OSCAP_CONTAINER_VARS");
+ if (extra_vars && *extra_vars) {
+ char *vars = strdup(extra_vars);
+ char *tok, *eq_chr, *str, *strp;
+
+ for (str = vars; ; str = NULL) {
+ tok = strtok_r(str, "\n", &strp);
+ if (tok == NULL)
+ break;
+ eq_chr = strchr(tok, '=');
+ if (eq_chr == NULL)
+ continue;
+ PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;);
+ collect_variable(tok, eq_chr - tok, pid, name_ent, ctx);
+ }
+
+ free(vars);
+ return 0;
+ }
+
const char *prefix = getenv("OSCAP_PROBE_ROOT");
snprintf(path, PATH_MAX, "%s/proc", prefix ? prefix : "");
d = opendir(path);
if (d == NULL) {
- const char *extra_vars = getenv("OSCAP_CONTAINER_VARS");
- if (!extra_vars) {
- dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno));
- return PROBE_EACCESS;
- } else {
- char *vars = strdup(extra_vars);
- char *tok, *eq_chr, *str, *strp;
-
- for (str = vars; ; str = NULL) {
- tok = strtok_r(str, "\n", &strp);
- if (tok == NULL)
- break;
- eq_chr = strchr(tok, '=');
- if (eq_chr == NULL)
- continue;
- PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;);
- collect_variable(tok, eq_chr - tok, pid, name_ent, ctx);
- }
-
- free(vars);
- return 0;
- }
+ dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno));
+ return PROBE_EACCESS;
}
if ((buffer = realloc(NULL, BUFFER_SIZE)) == NULL) {
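Review bot: The `strdup` result on the new line `char *vars = strdup(extra_vars);` is handed straight to `strtok_r` with no NULL check, so an allocation failure dereferences NULL inside the loop; add `if (vars == NULL) return PROBE_ENOMEM;` (or whichever out-of-memory code the probe API defines) before the `for`. Moving this block ahead of the `opendir` call also changes precedence: a non-empty `OSCAP_CONTAINER_VARS` now replaces the `/proc` walk even when `/proc` is readable, whereas the removed code only consulted it as a fallback after `opendir` failed, so a comment stating that intent would help, e.g. `/* A non-empty OSCAP_CONTAINER_VARS replaces the /proc walk entirely, not only when /proc is unreadable. */`. The `*extra_vars` emptiness test is a good addition, since the old code would have accepted an empty string and reported nothing. `read_environment` begins and continues outside the hunk, so the declarations of `pid`, `path` and `d` could not be checked here.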

View File

@ -0,0 +1,177 @@
From c8fc880a672afbfdbd384dc6afa4b7fbdd666b73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 27 May 2020 10:38:56 +0200
Subject: [PATCH 1/3] Add a regression test for RHBZ#1686370
There is a non-optimal behavior of file probe. It happens when file path
is specified using a variable with 2 values with `operation="equals"`
and `var_check="all"`. The probe recurses into a file system tree even
if it's obvious that it won't find any match. If one of values is a big
tree (for example `/`) it eventually runs out of memory and crashes. The
OVAL doesn't make sense because it's impossible that a single file would
have 2 different paths. But despite that it's a valid OVAL document.
The test is expected to fail because the bug hasn't been fixed.
---
tests/probes/file/CMakeLists.txt | 1 +
.../test_probes_file_multiple_file_paths.sh | 39 +++++++++++++++++
.../test_probes_file_multiple_file_paths.xml | 42 +++++++++++++++++++
3 files changed, 82 insertions(+)
create mode 100755 tests/probes/file/test_probes_file_multiple_file_paths.sh
create mode 100644 tests/probes/file/test_probes_file_multiple_file_paths.xml
diff --git a/tests/probes/file/CMakeLists.txt b/tests/probes/file/CMakeLists.txt
index 12718603f..35b4c1169 100644
--- a/tests/probes/file/CMakeLists.txt
+++ b/tests/probes/file/CMakeLists.txt
@@ -1,3 +1,4 @@
if(ENABLE_PROBES_UNIX)
add_oscap_test("test_probes_file.sh")
+ add_oscap_test("test_probes_file_multiple_file_paths.sh")
endif()
diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.sh b/tests/probes/file/test_probes_file_multiple_file_paths.sh
new file mode 100755
index 000000000..1cececbb0
--- /dev/null
+++ b/tests/probes/file/test_probes_file_multiple_file_paths.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+. $builddir/tests/test_common.sh
+
+probecheck "file" || exit 255
+which strace || exit 255
+
+function check_strace_output {
+ strace_log="$1"
+ grep -q "/tmp/numbers/1" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4/5" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4/5/6" $strace_log && return 1
+ grep -q "/tmp/letters/a" $strace_log && return 1
+ grep -q "/tmp/letters/a/b" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d/e" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d/e/f" $strace_log && return 1
+ return 0
+}
+
+rm -rf /tmp/numbers
+mkdir -p /tmp/numbers/1/2/3/4/5/6
+rm -rf /tmp/letters
+mkdir -p /tmp/letters/a/b/c/d/e/f
+strace_log=$(mktemp)
+strace -f -e openat -o $strace_log $OSCAP oval eval --results results.xml "$srcdir/test_probes_file_multiple_file_paths.xml"
+ret=0
+check_strace_output $strace_log || ret=$?
+rm -f $strace_log
+rm -f results.xml
+rm -rf /tmp/numbers
+rm -rf /tmp/letters
+exit $ret
diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.xml b/tests/probes/file/test_probes_file_multiple_file_paths.xml
new file mode 100644
index 000000000..893a3fe97
--- /dev/null
+++ b/tests/probes/file/test_probes_file_multiple_file_paths.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
+ <generator>
+ <oval:schema_version>5.10</oval:schema_version>
+ <oval:timestamp>0001-01-01T00:00:00+00:00</oval:timestamp>
+ </generator>
+
+ <definitions>
+ <definition class="compliance" version="1" id="oval:x:def:1">
+ <metadata>
+ <title>Specify a file path using variable with two values</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="Check multiple paths" test_ref="oval:x:tst:1"/>
+ </criteria>
+ </definition>
+ </definitions>
+
+ <tests>
+ <file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:tst:1" version="1" comment="Verify all paths exist" check_existence="all_exist" check="all">
+ <object object_ref="oval:x:obj:1"/>
+ </file_test>
+ </tests>
+
+ <objects>
+ <file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:obj:1" version="1" comment="uses var_check=all together with operation=equals">
+ <path datatype="string" var_ref="oval:x:var:1" var_check="all" operation="equals"/>
+ <filename xsi:nil="true" datatype="string"/>
+ </file_object>
+ </objects>
+
+ <variables>
+ <constant_variable datatype="string" comment="2 file paths" version="1" id="oval:x:var:1">
+ <value>/tmp/numbers</value>
+ <value>/tmp/letters</value>
+ </constant_variable>
+ </variables>
+</oval_definitions>
From 569e0013ca83adef233ddecc78a052db9b3ccc5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 2 Jun 2020 15:11:37 +0200
Subject: [PATCH 2/3] Add strace to the list of test dependencies
---
docs/developer/developer.adoc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/developer/developer.adoc b/docs/developer/developer.adoc
index 823a1504e..0f01ace74 100644
--- a/docs/developer/developer.adoc
+++ b/docs/developer/developer.adoc
@@ -152,7 +152,7 @@ After building the library you might want to run library self-checks. To do
that you need to have these additional packages installed:
----
-wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build
+wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build strace
----
On Ubuntu 18.04, also install:
From a47604bf30c6574e570abde4fd01488ba120f82d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 17 Jun 2020 11:00:02 +0200
Subject: [PATCH 3/3] Terminate matching to prevent recursion
Fixes: RHBZ#1686370
---
src/OVAL/probes/oval_fts.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
index 696997942..2b7314c38 100644
--- a/src/OVAL/probes/oval_fts.c
+++ b/src/OVAL/probes/oval_fts.c
@@ -1029,6 +1029,15 @@ static FTSENT *oval_fts_read_match_path(OVAL_FTS *ofts)
if (ores == OVAL_RESULT_TRUE)
break;
+ if (ofts->ofts_path_op == OVAL_OPERATION_EQUALS) {
+ /* At this point the comparison result isn't OVAL_RESULT_TRUE. Since
+ we passed the exact path (from filepath or path elements) to
+ fts_open() we surely know that we can't find other items that would
+ be equal. Therefore we can terminate the matching. This can happen
+ if the filepath or path element references a variable that has
+ multiple different values. */
+ return NULL;
+ }
} /* for (;;) */
/*
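Review bot: In the new test script `test_probes_file_multiple_file_paths.sh` the fixtures live at fixed, world-writable paths and the script `rm -rf`s `/tmp/numbers` and `/tmp/letters` unconditionally, so a pre-existing directory or symlink of that name (the suite commonly runs as root) is deleted or followed; because the OVAL document hard-codes those two paths the script cannot simply switch to `mktemp -d`, but it should refuse to run when they already exist, e.g. `if [ -e /tmp/numbers ] || [ -e /tmp/letters ]; then exit 255; fi` before the `mkdir -p` lines, reusing the skip status the script already returns for a missing strace. In `check_strace_output` the first `grep -q "/tmp/numbers/1"` already matches every deeper path, so the five greps that follow it (and likewise the five after `grep -q "/tmp/letters/a"`) can never change the result and can be dropped. The `oval_fts.c` hunk reads correctly as far as visible, but its early `return NULL` sits inside `oval_fts_read_match_path`, whose body begins and ends outside the hunk, so whether any per-iteration state needs releasing before that return cannot be confirmed from here.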

View File

@ -1,29 +1,48 @@
Name: openscap
Version: 1.3.1
Version: 1.3.3
Release: 2%{?dist}
Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries
License: LGPLv2+
URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch1: fix_report_a11y.patch
Patch1: openscap-1.3.4-fix-environmentvariable58-regression.patch
Patch2: openscap-1.3.4-fix-no-more-recursion.patch
BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel
BuildRequires: libgcrypt-devel
BuildRequires: pcre-devel
BuildRequires: libacl-devel
BuildRequires: libselinux-devel libcap-devel
BuildRequires: libselinux-devel
BuildRequires: libcap-devel
BuildRequires: libblkid-devel
BuildRequires: bzip2-devel
BuildRequires: asciidoc
BuildRequires: openldap-devel
BuildRequires: GConf2-devel
BuildRequires: glib2-devel
BuildRequires: dbus-devel
BuildRequires: libyaml-devel
%if %{?_with_check:1}%{!?_with_check:0}
BuildRequires: perl-XML-XPath
BuildRequires: bzip2
%endif
Requires: bash
Requires: bzip2-libs
Requires: dbus
Requires: libyaml
Requires: GConf2
Requires: glib2
Requires: libacl
Requires: libblkid
Requires: libcap
Requires: libselinux
Requires: openldap
Requires: popt
# RHEL8 has procps-ng, which provides procps
Requires: procps
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Obsoletes: python2-openscap
@ -79,6 +98,7 @@ Group: Applications/System
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: rpmdevtools rpm-build
Requires: %{name}-scanner%{?_isa} = %{version}-%{release}
Requires: bash
%description utils
The %{name}-utils package contains command-line tools build on top
@ -109,6 +129,7 @@ for developing applications that use %{name}-engine-sce.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
mkdir build
%build
@ -116,9 +137,9 @@ cd build
%cmake -DENABLE_PERL=OFF \
-DENABLE_DOCS=ON \
-DENABLE_OSCAP_UTIL_DOCKER=OFF \
-DENABLE_OSCAP_UTIL_CHROOT=OFF \
-DENABLE_OSCAP_UTIL_PODMAN=OFF \
-DENABLE_OSCAP_UTIL_VM=OFF \
-DENABLE_OSCAP_UTIL_CHROOT=ON \
-DENABLE_OSCAP_UTIL_PODMAN=ON \
-DENABLE_OSCAP_UTIL_VM=ON \
..
make %{?_smp_mflags}
make docs
@ -174,27 +195,97 @@ rm -rf $RPM_BUILD_ROOT
%files scanner
%{_mandir}/man8/oscap.8.gz
%{_bindir}/oscap
# RHEL-8.1.0 will not support oscap-chroot. Future releases may include this. Note: remove double % when enabling command.
#%%{_mandir}/man8/oscap-chroot.8.gz
#%%{_bindir}/oscap-chroot
%{_mandir}/man8/oscap-chroot.8.gz
%{_bindir}/oscap-chroot
%{_sysconfdir}/bash_completion.d
%files utils
%doc docs/oscap-scan.cron
%{_mandir}/man8/oscap-ssh.8.gz
%{_bindir}/oscap-ssh
# RHEL-8.1.0 will not support oscap-vm and oscap-podman. Future releases may include this. Note: remove double % when enabling command.
#%%{_mandir}/man8/oscap-podman.8.gz
#%%{_bindir}/oscap/oscap-podman
#%%{_mandir}/man8/oscap-vm.8.gz
#%%{_bindir}/oscap/oscap-vm
%{_mandir}/man8/oscap-podman.8.gz
%{_bindir}/oscap-podman
%{_mandir}/man8/oscap-vm.8.gz
%{_bindir}/oscap-vm
%{_mandir}/man8/scap-as-rpm.8.gz
%{_bindir}/scap-as-rpm
%{_mandir}/man8/autotailor.8.gz
%{_bindir}/autotailor
%files engine-sce
%{_libdir}/libopenscap_sce.so.*
%{_bindir}/oscap-run-sce-script
%changelog
* Thu Jun 25 2020 Matěj Týč <matyc@redhat.com> - 1.3.3-2
- Prevent unwanted recursion that could crash the scanner (RHBZ#1686370)
* Mon May 04 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.3-1
- Upgrade to the latest upstream release (rhbz#1829761)
- Added a Python script that can be used for CLI tailoring (autotailor)
- Added timezone to XCCDF TestResult start/end time
- Added yamlfilecontent independent probe (proposal/draft implementation)
- Added ability to generate `machineconfig` fix
- Introduced `urn:xccdf:fix:script:kubernetes` fix type in XCCDF
- Fixed filepath pattern matching in offline mode in textfilecontent58 probe
- Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory
- Fixed #1512: Severity refinement lost in generated guide
- Fixed #1453: Pointer lost in Swig API
- The data system_info probe return for offline and online modes is consistent and actual
- Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities
from system_info probe
* Fri Mar 27 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-9
- Generate HTML guides from tailored profiles (RHBZ#1743835)
* Wed Mar 18 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-8
- Fix tests for rpmverifyfileprobe (RHBZ#1814726)
* Thu Mar 12 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-7
- Fix segmentation fault in systemdunitdependency_probe (RHBZ#1793050)
- Fix crash in textfilecontent probe (RHBZ#1686467)
- Do not drop empty lines from Ansible remediations (RHBZ#1795563)
- Fix oscap-ssh --sudo (RHBZ#1803116)
- Remove useless warnings (RHBZ#1764139)
* Thu Jan 23 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-6
- Fix FindACL.cmake
* Tue Jan 21 2020 Matěj Týč <matyc@redhat.com> - 1.3.2-5
- Added more exhaustive package dependencies.
- Added the covscan/UX patch.
* Mon Jan 20 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-4
- Added patch: utils/oscap-podman: Detect ambiguous scan target
* Mon Jan 20 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-3
- Refined requirements
* Sun Jan 19 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-2
- Added patch: Fix case where CMake couldn't find libacl or xattr.h
* Wed Jan 15 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-1
- Upgrade to the latest upstream release (rhbz#1778296)
- Offline mode support for environmentvariable58 probe (rhbz#1493614)
- The oscap-docker wrapper is available without Atomic
- Improved support of multi-check rules (report, remediations, console output) (rhbz#1771438)
- Improved HTML report look and feel, including printed version (rhbz#1640839)
- Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels
- Probe rpmverifyfile uses and returns canonical paths (rhbz#1776308)
- Improved a11y of HTML reports and guides (rhbz#1767382)
- Fixes and improvements for SWIG Python bindings (rhbz#1753603)
- #1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity)
- Fixed URL link mechanism for Red Hat Errata
- New STIG Viewer URI: public.cyber.mil
- Probe selinuxsecuritycontext would not check if SELinux is enabled
- Scanner would provide information about unsupported OVAL objects
- Added more tests for offline mode (probes, remediation) (rhbz#1618489)
- #528 fixed: Eval SCE script when /tmp is in mode noexec
- #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage (rhbz#1636431)
* Wed Dec 18 2019 Vojtech Polasek <vpolasek@redhat.com> - 1.3.1-3
- put back openscap-chroot, openscap-podman and openscap-vm files
* Fri Nov 01 2019 Vojtech Polasek <vpolasek@redhat.com> - 1.3.1-2
- Fixed XSLT template making rule details in reports accessible for screenreader users (#1767382)
@ -637,4 +728,3 @@ rm -rf $RPM_BUILD_ROOT
* Thu Jan 15 2009 Tomas Heinrich <theinric@redhat.com> 0.1.1-1
- Initial rpm
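Review bot: The 1.3.3-2 changelog entry lists only the recursion fix, while the spec also introduces `Patch1: openscap-1.3.4-fix-environmentvariable58-regression.patch` and applies it in `%prep`; add a line such as `- Fix environmentvariable58 probe regression when OSCAP_CONTAINER_VARS is set` under the 1.3.3-2 entry so the packaged behaviour change is traceable. The patch file names carry a `1.3.4` version while the package is 1.3.3, presumably the upstream release they were backported from; a one-line comment above `Patch1` saying so would save the next maintainer a search. The `oscap-chroot`, `oscap-podman` and `oscap-vm` utilities are also newly built and packaged (the `-DENABLE_OSCAP_UTIL_*=ON` switches and the `%files` entries replacing the `RHEL-8.1.0 will not support` comments), and that is not mentioned in the changelog either.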