Merge branch 'c8' into a8

This commit is contained in:
eabdullin 2023-02-21 14:10:47 +03:00
commit a65efbb898
18 changed files with 756 additions and 590 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/openscap-1.3.5.tar.gz
SOURCES/openscap-1.3.6.tar.gz


@ -1 +1 @@
77494383980082f8bc625a6e196a6760d30a5107 SOURCES/openscap-1.3.5.tar.gz
8c1b41bb7c32c22d541a6881ab8c5b8bef06890f SOURCES/openscap-1.3.6.tar.gz


@ -1,43 +0,0 @@
From 192f908562779fe4c9b7e5cc7605840976a06c85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 26 Apr 2021 13:13:26 +0200
Subject: [PATCH] Waive the known issue with hugepages on ppc64/ppc64le
The known issue has been reported in
https://bugzilla.redhat.com/show_bug.cgi?id=1642995
This modification is currently applied as a patch applied during setup
phase of Sanity/smoke-test in Fedora CI gating.
https://src.fedoraproject.org/tests/openscap/blob/main/f/Sanity/smoke-test
The patched file got changed recetly so the patch doesn't apply anymore
which causes the Rawhide gating to fail.
We have decided to propose the change to upstream to avoid the need
for modifying the patch in the tests and to prevent similar problems
in the future.
---
tests/probes/sysctl/test_sysctl_probe_all.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
index 2280ff7ae..c79d7ed18 100755
--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -73,6 +73,10 @@ if [ "$procps_ver" != "$lowest_ver" ]; then
sed -i '/.*vm.stat_refresh/d' "$sysctlNames"
fi
+if ! grep -q "hugepages" "$ourNames"; then
+ sed -i "/^.*hugepages.*$/d" "$sysctlNames"
+fi
+
echo "Diff (sysctlNames / ourNames): ------"
diff "$sysctlNames" "$ourNames"
echo "-------------------------------------"
@@ -84,6 +88,7 @@ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
# that can't fit into 8K buffer and result in errno 14
# (for example /proc/sys/kernel/spl/hostid could be the case)
sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
+sed -i "/^.*hugepages.*$/d" "$stderr"
echo "Errors (without messages related to permissions):"
cat "$stderr"


@ -1,52 +0,0 @@
From 378ef5e438a2f5af7a50374d2bd23bdd3403201f Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Tue, 4 May 2021 08:41:06 +0200
Subject: [PATCH] Fix covscan-reported issues in yamlfilecontent probe and
schematron
Error: FORWARD_NULL (CWE-476): [#def1]
/OVAL/probes/independent/yamlfilecontent_probe.c:392: var_compare_op: Comparing "yaml_file" to null implies that "yaml_file" might be null.
/OVAL/probes/independent/yamlfilecontent_probe.c:417: var_deref_model: Passing null pointer "yaml_file" to "fclose", which dereferences it.
# 416| cleanup:
# 417|-> fclose(yaml_file);
# 418| yaml_parser_delete(&parser);
Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
/source/schematron.c:549: alloc_fn: Storage is returned from allocation function "xmlXPathNodeEval".
/source/schematron.c:549: var_assign: Assigning: "component_refs" = storage returned from "xmlXPathNodeEval(data_stream_node, (xmlChar *)"ds:checklists/ds:component-ref", context)".
/source/schematron.c:551: leaked_storage: Variable "component_refs" going out of scope leaks the storage it points to.
# 550| if (component_refs == NULL || component_refs->nodesetval == NULL) {
# 551|-> return res;
# 552| }
---
src/OVAL/probes/independent/yamlfilecontent_probe.c | 3 ++-
src/source/schematron.c | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index ed5ce0d68..62a8f4ff2 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -414,7 +414,8 @@ static int process_yaml_file(const char *prefix, const char *path, const char *f
}
cleanup:
- fclose(yaml_file);
+ if (yaml_file != NULL)
+ fclose(yaml_file);
yaml_parser_delete(&parser);
free(filepath_with_prefix);
free(filepath);
diff --git a/src/source/schematron.c b/src/source/schematron.c
index 6cb22658b..c32d5aed6 100644
--- a/src/source/schematron.c
+++ b/src/source/schematron.c
@@ -548,6 +548,8 @@ static bool _req_src_346_1_sub1(xmlNodePtr data_stream_node, xmlXPathContextPtr
/* every $m in ds:checklists/ds:component-ref satisfies ... */
xmlXPathObjectPtr component_refs = xmlXPathNodeEval(data_stream_node, BAD_CAST "ds:checklists/ds:component-ref", context);
if (component_refs == NULL || component_refs->nodesetval == NULL) {
+ if (component_refs != NULL)
+ xmlXPathFreeObject(component_refs);
return res;
}
for (int i = 0; i < component_refs->nodesetval->nodeNr; i++) {


@ -1,64 +0,0 @@
From 5f0a9033b466d929613a2a55a1524ec75c09b5b0 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Thu, 6 May 2021 08:14:12 +0200
Subject: [PATCH] Introduce OSBuild Blueprint fix type
---
utils/oscap-xccdf.c | 7 +++++--
utils/oscap.8 | 2 +-
xsl/xccdf-share.xsl | 1 +
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
index 95c1c7658d..801e54fa35 100644
--- a/utils/oscap-xccdf.c
+++ b/utils/oscap-xccdf.c
@@ -275,7 +275,8 @@ static struct oscap_module XCCDF_GEN_FIX = {
.usage = "[options] xccdf-file.xml",
.help = GEN_OPTS
"\nFix Options:\n"
- " --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda (default: bash).\n"
+ " --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
+ " blueprint (default: bash).\n"
" --output <file> - Write the script into file.\n"
" --result-id <id> - Fixes will be generated for failed rule-results of the specified TestResult.\n"
" --template <id|filename> - Fix template. (default: bash)\n"
@@ -887,10 +888,12 @@ int app_generate_fix(const struct oscap_action *action)
template = "urn:xccdf:fix:script:ignition";
} else if (strcmp(action->fix_type, "kubernetes") == 0) {
template = "urn:xccdf:fix:script:kubernetes";
+ } else if (strcmp(action->fix_type, "blueprint") == 0) {
+ template = "urn:redhat:osbuild:blueprint";
} else {
fprintf(stderr,
"Unknown fix type '%s'.\n"
- "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes.\n"
+ "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint.\n"
"Or provide a custom template using '--template' instead.\n",
action->fix_type);
return OSCAP_ERROR;
diff --git a/utils/oscap.8 b/utils/oscap.8
index 240b829d7b..6cae0ffe8a 100644
--- a/utils/oscap.8
+++ b/utils/oscap.8
@@ -395,7 +395,7 @@ Result-oriented fixes are generated using result-id provided to select only the
Profile-oriented fixes are generated using all rules within the provided profile. If no result-id/profile are provided, (default) profile will be used to generate fixes.
.TP
\fB\-\-fix-type TYPE\fR
-Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
+Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
.TP
\fB\-\-output FILE\fR
Write the report to this file instead of standard output.
diff --git a/xsl/xccdf-share.xsl b/xsl/xccdf-share.xsl
index 9f8e587676..d7a9f3b7e2 100644
--- a/xsl/xccdf-share.xsl
+++ b/xsl/xccdf-share.xsl
@@ -295,6 +295,7 @@ Authors:
<xsl:when test="$fix/@system = 'urn:xccdf:fix:script:puppet'">Puppet snippet</xsl:when>
<xsl:when test="$fix/@system = 'urn:redhat:anaconda:pre'">Anaconda snippet</xsl:when>
<xsl:when test="$fix/@system = 'urn:xccdf:fix:script:kubernetes'">Kubernetes snippet</xsl:when>
+ <xsl:when test="$fix/@system = 'urn:redhat:osbuild:blueprint'">OSBuild Blueprint snippet</xsl:when>
<xsl:otherwise>script</xsl:otherwise>
</xsl:choose>
</xsl:variable>


@ -1,36 +0,0 @@
From b31cff1bc3a298cfa36a10476f2d633c290b6741 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 11 May 2021 13:20:18 +0200
Subject: [PATCH] Replace getlogin by cuserid
The getlogin() is used here to fill in the xccdf:identity element which
shall contain information about the system identity or user employed
during application of the benchmark. But, the getlogin() can return NULL
when there is no controlling terminal. This happened when testing oscap
on a test system with no pty. As an alternative, the system provides
also cuserid() function which gets the effective user ID of the process.
However, these 2 values differ when the program is executed under sudo.
From the user experience point of view, it would be better to have
displayed there the user logged in on the controlling terminal. As a
compromise, we will first attempt to obtain the name using getlogin()
and if that fails we will run cuserid().
---
src/XCCDF/result.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
index cd03e6bd8f..cbe016c44a 100644
--- a/src/XCCDF/result.c
+++ b/src/XCCDF/result.c
@@ -217,7 +217,10 @@ static inline void _xccdf_result_fill_identity(struct xccdf_result *result)
xccdf_identity_set_authenticated(id, 0);
xccdf_identity_set_privileged(id, 0);
#ifdef OSCAP_UNIX
- xccdf_identity_set_name(id, getlogin());
+ char *name = getlogin();
+ if (name == NULL)
+ name = cuserid(NULL);
+ xccdf_identity_set_name(id, name);
#elif defined(OS_WINDOWS)
GetUserName((TCHAR *) w32_username, &w32_usernamesize); /* XXX: Check the return value? */
xccdf_identity_set_name(id, w32_username);


@ -1,150 +0,0 @@
From 89f99834ba183284a7d75835932a0c0ea4eb9007 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Mon, 17 May 2021 08:40:17 +0200
Subject: [PATCH] oval/yamlfilecontent: Add 'null' values handling
For now null values would be represented as string '(null)' as
record's field could not be attributed as nil="true" yet.
---
.../independent/yamlfilecontent_probe.c | 9 ++++
.../test_probes_yamlfilecontent_types.sh | 5 ++
.../test_probes_yamlfilecontent_types.xml | 52 +++++++++++++++++++
tests/probes/yamlfilecontent/types.yaml | 4 ++
4 files changed, 70 insertions(+)
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index 62a8f4ff29..2d0cac6991 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -41,6 +41,7 @@
#define OSCAP_YAML_BOOL_TAG "tag:yaml.org,2002:bool"
#define OSCAP_YAML_FLOAT_TAG "tag:yaml.org,2002:float"
#define OSCAP_YAML_INT_TAG "tag:yaml.org,2002:int"
+#define OSCAP_YAML_NULL_TAG "tag:yaml.org,2002:null"
#define OVECCOUNT 30 /* should be a multiple of 3 */
@@ -135,6 +136,14 @@ static SEXP_t *yaml_scalar_event_to_sexp(yaml_event_t *event)
return NULL;
}
}
+ if (question || !strcmp(tag, OSCAP_YAML_NULL_TAG)) {
+ if (match_regex("^(null|Null|NULL|~|)$", value)) {
+ // TODO: Return real NULL when record's field will support nil="true"
+ return SEXP_string_new("(null)", strlen("(null)"));
+ } else if (!question) {
+ return NULL;
+ }
+ }
return SEXP_string_new(value, strlen(value));
}
diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh
index 4f110f6eb7..e445771d03 100755
--- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh
+++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.sh
@@ -60,6 +60,11 @@ function test_probes_yamlfilecontent_types {
assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and @datatype!="boolean" and text()="true"]'
# string_number
assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and @datatype!="int" and text()="81"]'
+ # string_null
+ assert_exists 1 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and text()="null"]'
+
+ # null_1_2_3
+ assert_exists 3 $sd'/ind-sys:yamlfilecontent_item/ind-sys:value/field[@name="#" and text()="(null)"]'
# bool_error_cast, int_error_cast, float_error_cast
co='/oval_results/results/system/oval_system_characteristics/collected_objects'
diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml
index adf96571b8..503ec2d4a4 100644
--- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml
+++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_types.xml
@@ -262,6 +262,19 @@
</criteria>
</definition>
+ <definition class="compliance" version="1" id="oval:0:def:26">
+ <metadata>
+ <title></title>
+ <description></description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="comment" test_ref="oval:0:tst:26"/>
+ <criterion comment="comment" test_ref="oval:0:tst:27"/>
+ <criterion comment="comment" test_ref="oval:0:tst:28"/>
+ <criterion comment="comment" test_ref="oval:0:tst:29"/>
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -364,6 +377,21 @@
<ind-def:object object_ref="oval:0:obj:25"/>
</ind-def:yamlfilecontent_test>
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:26" check="all" comment="true">
+ <ind-def:object object_ref="oval:0:obj:26"/>
+ </ind-def:yamlfilecontent_test>
+
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:27" check="all" comment="true">
+ <ind-def:object object_ref="oval:0:obj:27"/>
+ </ind-def:yamlfilecontent_test>
+
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:28" check="all" comment="true">
+ <ind-def:object object_ref="oval:0:obj:28"/>
+ </ind-def:yamlfilecontent_test>
+
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:29" check="all" comment="true">
+ <ind-def:object object_ref="oval:0:obj:29"/>
+ </ind-def:yamlfilecontent_test>
</tests>
<objects>
@@ -517,6 +545,30 @@
<ind-def:filename>types.yaml</ind-def:filename>
<ind-def:yamlpath>.float_error_cast</ind-def:yamlpath>
</ind-def:yamlfilecontent_object>
+
+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:26">
+ <ind-def:path>/tmp</ind-def:path>
+ <ind-def:filename>types.yaml</ind-def:filename>
+ <ind-def:yamlpath>.null_1</ind-def:yamlpath>
+ </ind-def:yamlfilecontent_object>
+
+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:27">
+ <ind-def:path>/tmp</ind-def:path>
+ <ind-def:filename>types.yaml</ind-def:filename>
+ <ind-def:yamlpath>.null_2</ind-def:yamlpath>
+ </ind-def:yamlfilecontent_object>
+
+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:28">
+ <ind-def:path>/tmp</ind-def:path>
+ <ind-def:filename>types.yaml</ind-def:filename>
+ <ind-def:yamlpath>.null_3</ind-def:yamlpath>
+ </ind-def:yamlfilecontent_object>
+
+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:29">
+ <ind-def:path>/tmp</ind-def:path>
+ <ind-def:filename>types.yaml</ind-def:filename>
+ <ind-def:yamlpath>.string_null</ind-def:yamlpath>
+ </ind-def:yamlfilecontent_object>
</objects>
</oval_definitions>
diff --git a/tests/probes/yamlfilecontent/types.yaml b/tests/probes/yamlfilecontent/types.yaml
index f05fa3a967..fb26eab5f0 100644
--- a/tests/probes/yamlfilecontent/types.yaml
+++ b/tests/probes/yamlfilecontent/types.yaml
@@ -19,7 +19,11 @@ bool_false_cast: !!bool "false"
int_cast: !!int "369"
float_cast: !!float "978.65"
string_true: "true"
+string_null: "null"
string_number: "81"
bool_error_cast: !!bool "falsee"
int_error_cast: !!int "50%"
float_error_cast: !!float "58.41$"
+null_1: null
+null_2:
+null_3: !!null "null"


@ -1,136 +0,0 @@
From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 8 Jul 2021 14:28:16 +0200
Subject: [PATCH 1/3] Initialize crypto API only once
The function `crapi_init` calls `gcry_check_version` which must be
called before any other function from the Libgcrypt library. That might
be violated when multiple threads executing multiple probes are running.
The mitigation proposed in this PR is to call `crapi_init` only once
when the session is initialized which means before any threads are
spawned.
See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
Resolves: RHBZ#1959570
---
src/OVAL/oval_probe_session.c | 5 +++++
src/OVAL/probes/independent/filehash58_probe.c | 6 ------
src/OVAL/probes/independent/filehash_probe.c | 6 ------
src/OVAL/probes/independent/filemd5_probe.c | 6 ------
4 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 435ca148fd..6f6d7ad426 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
SEXP_free((SEXP_t *)exp);
ncache_libinit();
+ /*
+ * Initialize crypto API
+ */
+ if (crapi_init (NULL) != 0)
+ return (NULL);
}
/**
diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
index ff1e065746..32a38562bd 100644
--- a/src/OVAL/probes/independent/filehash58_probe.c
+++ b/src/OVAL/probes/independent/filehash58_probe.c
@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
void *filehash58_probe_init(void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
index 522d976512..6d8780dc95 100644
--- a/src/OVAL/probes/independent/filehash_probe.c
+++ b/src/OVAL/probes/independent/filehash_probe.c
@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
void *filehash_probe_init(void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
index d0de402d8b..99913581f0 100644
--- a/src/OVAL/probes/independent/filemd5_probe.c
+++ b/src/OVAL/probes/independent/filemd5_probe.c
@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
void *probe_init (void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 13 Jul 2021 13:03:21 +0200
Subject: [PATCH 2/3] Add a missing include
---
src/OVAL/oval_probe_session.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 6f6d7ad426..295782b536 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -48,6 +48,7 @@
#include "oval_probe_ext.h"
#include "probe-table.h"
#include "oval_types.h"
+#include "crapi/crapi.h"
#if defined(OSCAP_THREAD_SAFE)
#include <pthread.h>
From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 15 Jul 2021 14:21:00 +0200
Subject: [PATCH 3/3] Don't initialize crypto on Windows
---
src/OVAL/oval_probe_session.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 295782b536..b443cbcc80 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
/*
* Initialize crypto API
*/
+#ifndef OS_WINDOWS
if (crapi_init (NULL) != 0)
return (NULL);
+#endif
}
/**


@ -1,97 +0,0 @@
From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 28 Jul 2021 13:06:25 +0200
Subject: [PATCH] Add a regression test for rhbz#1959570
The bug was a segmentation fault in filehash58 probe which happened
in openscap-1.3.3-6.el8_3.
The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779
and this patch adds a very small test.
---
tests/probes/filehash58/CMakeLists.txt | 1 +
.../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++
.../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++
3 files changed, 59 insertions(+)
create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh
create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt
index b26d8171fb..cdec0792eb 100644
--- a/tests/probes/filehash58/CMakeLists.txt
+++ b/tests/probes/filehash58/CMakeLists.txt
@@ -1,3 +1,4 @@
if(ENABLE_PROBES_INDEPENDENT)
add_oscap_test("test_probes_filehash58.sh")
+ add_oscap_test("rhbz1959570_segfault.sh")
endif()
diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh
new file mode 100755
index 0000000000..0c32cc79f1
--- /dev/null
+++ b/tests/probes/filehash58/rhbz1959570_segfault.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# OpenSCAP Probes Test Suite.
+#
+# Authors:
+# Jan Černý, <jcerny@redhat.com>
+
+set -e -o pipefail
+. $builddir/tests/test_common.sh
+
+# Test Cases
+
+stderr="$(mktemp)"
+$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr"
+[ ! -s "$stderr" ]
+rm "$stderr"
diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
new file mode 100644
index 0000000000..4b3fc4863a
--- /dev/null
+++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<oval-def:oval_definitions xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
+ <oval-def:generator>
+ <oval:product_name>jcerny</oval:product_name>
+ <oval:product_version>1</oval:product_version>
+ <oval:schema_version>5.11</oval:schema_version>
+ <oval:timestamp>2021-07-28T07:40:55</oval:timestamp>
+ </oval-def:generator>
+ <oval-def:definitions>
+ <oval-def:definition class="compliance" id="oval:x:def:1" version="1">
+ <oval-def:metadata>
+ <oval-def:title>title</oval-def:title>
+ <oval-def:description>description</oval-def:description>
+ </oval-def:metadata>
+ <oval-def:criteria>
+ <oval-def:criterion comment="comment" test_ref="oval:x:tst:1"/>
+ </oval-def:criteria>
+ </oval-def:definition>
+ </oval-def:definitions>
+ <oval-def:tests>
+ <ind:filehash58_test check="all" check_existence="all_exist" comment="comment" id="oval:x:tst:1" version="1">
+ <ind:object object_ref="oval:x:obj:1"/>
+ <ind:state state_ref="oval:x:ste:1"/>
+ </ind:filehash58_test>
+ </oval-def:tests>
+ <oval-def:objects>
+ <ind:filehash58_object id="oval:x:obj:1" version="1">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ </ind:filehash58_object>
+ </oval-def:objects>
+ <oval-def:states>
+ <ind:filehash58_state id="oval:x:ste:1" version="1">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+ </ind:filehash58_state>
+ </oval-def:states>
+</oval-def:oval_definitions>


@ -0,0 +1,104 @@
From f141dfd0311ec2be4c4c27814d9d6693551cfd76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 27 Jan 2022 15:00:33 +0100
Subject: [PATCH 1/3] Fix shellcheck warning
Addressing:
Error: SHELLCHECK_WARNING (CWE-138): [#def1]
/usr/libexec/oscap-remediate:110:12: error[SC2145]: Argument mixes string and array. Use * or separate argument.
108| args+=( "--remediate" )
109| args+=( "${OSCAP_REMEDIATE_DS}" )
110|-> log "Args: ${args[@]}"
111|
112| # Now we are good to go
---
utils/oscap-remediate | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/oscap-remediate b/utils/oscap-remediate
index fc0b7715f..52e29aa66 100755
--- a/utils/oscap-remediate
+++ b/utils/oscap-remediate
@@ -107,7 +107,7 @@ args+=( ${OSCAP_REMEDIATE_HTML_REPORT:+"--report=${OSCAP_REMEDIATE_HTML_REPORT}"
args+=( "--progress-full" )
args+=( "--remediate" )
args+=( "${OSCAP_REMEDIATE_DS}" )
-log "Args: ${args[@]}"
+log "Args: ${args[*]}"
# Now we are good to go
header="OpenSCAP is checking the system for compliance using"$'\n'"${profile_title}"$'\n\n'"Evaluating..."
From d3e7d5be1fcd55ef396de6070f877df0f2c2c58e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 27 Jan 2022 15:09:02 +0100
Subject: [PATCH 2/3] Remove superfluous strdup
We can do this because xccdf_session_set_rule calls strdup on the rule
parameter internally.
Addressing:
Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4148: alloc_fn: Storage is returned from allocation function "strdup".
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4148: var_assign: Assigning: "n_rule" = storage returned from "strdup(rule)".
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4149: noescape: Resource "n_rule" is not freed or pointed-to in "xccdf_session_set_rule".
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4150: leaked_storage: Variable "n_rule" going out of scope leaks the storage it points to.
4148| char *n_rule = strdup(rule);
4149| xccdf_session_set_rule(sess, n_rule);
4150|-> }
4151|
4152| void xccdf_session_free_py(struct xccdf_session *sess){
---
swig/openscap.i | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/swig/openscap.i b/swig/openscap.i
index 2fe1cce99..158a22675 100644
--- a/swig/openscap.i
+++ b/swig/openscap.i
@@ -559,8 +559,7 @@ struct xccdf_session {
};
void xccdf_session_set_rule_py(struct xccdf_session *sess, char *rule) {
- char *n_rule = strdup(rule);
- xccdf_session_set_rule(sess, n_rule);
+ xccdf_session_set_rule(sess, rule);
}
void xccdf_session_free_py(struct xccdf_session *sess){
From 6ef54336a018566a32f6a95177635ada7f20794e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 27 Jan 2022 15:16:02 +0100
Subject: [PATCH 3/3] Add a missing free
Addressing:
Error: RESOURCE_LEAK (CWE-772): [#def4] [important]
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2144: alloc_fn: Storage is returned from allocation function "oscap_htable_iterator_new".
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2144: var_assign: Assigning: "rit" = storage returned from "oscap_htable_iterator_new(policy->rules)".
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2145: noescape: Resource "rit" is not freed or pointed-to in "oscap_htable_iterator_has_more".
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2146: noescape: Resource "rit" is not freed or pointed-to in "oscap_htable_iterator_next_key".
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2150: leaked_storage: Variable "rit" going out of scope leaks the storage it points to.
2148| oscap_seterr(OSCAP_EFAMILY_XCCDF,
2149| "Rule '%s' not found in selected profile.", rule_id);
2150|-> return NULL;
2151| }
2152| }
---
src/XCCDF_POLICY/xccdf_policy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/XCCDF_POLICY/xccdf_policy.c b/src/XCCDF_POLICY/xccdf_policy.c
index b63853a38..4d4b7ad0a 100644
--- a/src/XCCDF_POLICY/xccdf_policy.c
+++ b/src/XCCDF_POLICY/xccdf_policy.c
@@ -2147,6 +2147,7 @@ struct xccdf_result * xccdf_policy_evaluate(struct xccdf_policy * policy)
if (oscap_htable_get(policy->rules_found, rule_id) == NULL) {
oscap_seterr(OSCAP_EFAMILY_XCCDF,
"Rule '%s' not found in selected profile.", rule_id);
+ oscap_htable_iterator_free(rit);
return NULL;
}
}
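Review bot: In the swig/openscap.i hunk, `xccdf_session_set_rule_py` now hands the caller's buffer straight to `xccdf_session_set_rule`, so the wrapper is only leak- and dangling-free because the callee copies the string, a contract stated in the patch description but not at the call site; a one-line comment keeps the next reader from re-adding the strdup: `/* xccdf_session_set_rule() duplicates rule internally; no ownership is transferred */`. Since the wrapper no longer writes through `rule`, its parameter could also become `const char *` if the callee's signature (not visible here) permits it. In the src/XCCDF_POLICY/xccdf_policy.c hunk, the added `oscap_htable_iterator_free(rit)` covers only the rule-not-found path; the loop that creates `rit` and its normal release lie outside the hunk, so the success-path cleanup cannot be confirmed from here.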


@ -0,0 +1,32 @@
From e49669a0dde7e3a9123925347fbf3234602371ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 31 Jan 2022 13:45:15 +0100
Subject: [PATCH] Prevent fails of test_ds_misc.sh
The SOURCE_DATE_EPOCH environment variable is effective only when it's
set to a value that's older than mtime of the processed file. See the
implementation in ds_sds_compose_add_component_internal in src/DS/sds.c.
However, the file in our test suite has originally been created before
(in 2019) and this mtime can be used when a tarball is produced. To
avoid the test failing, we can modify the mtime using the touch command
just before we run the tests.
---
tests/DS/test_ds_misc.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh
index 159007518..cffbef303 100755
--- a/tests/DS/test_ds_misc.sh
+++ b/tests/DS/test_ds_misc.sh
@@ -269,6 +269,8 @@ function test_source_date_epoch() {
local timestamp="2020-03-05T12:09:37"
export SOURCE_DATE_EPOCH="1583410177"
export TZ=UTC
+ # ensure the file mtime is always newer than the $timestamp
+ touch -c "$xccdf"
$OSCAP ds sds-compose "$xccdf" "$result"
assert_exists 3 '//ds:component[@timestamp="'$timestamp'"]'
rm -f "$result"
--
2.34.1
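Review bot: `touch -c "$xccdf"` mutates a fixture inside the source tree during the test run, which fails when `$srcdir` is read-only (an out-of-tree build from an unpacked tarball, or a source checkout owned by another user); whether the script runs under `set -e` and would abort, or merely proceed with a stale mtime and fail later on the timestamp assertion, is not visible in this hunk. The same applies to the three `touch -c "$srcdir/sds_multiple_oval/..."` lines in the following patch to tests/DS/test_ds_misc.sh (hunk at line 270). A setup that copies the inputs into a temporary directory and composes from the copies would avoid writing to `$srcdir` at all; `$xccdf` is defined outside the hunk, so that change would have to start where it is assigned. The added comment would also help more if it named the mechanism, e.g. `# SOURCE_DATE_EPOCH is only honoured when it is older than the input's mtime; refresh the mtime so a tarball's old timestamp does not win`. test_source_date_epoch starts before this hunk.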


@ -0,0 +1,27 @@
From 650656bdac5e8e4df30c11bb4dbc830aab8baa78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 1 Feb 2022 15:06:33 +0100
Subject: [PATCH] Prevent fails of test_ds_misc.sh
Other files from which the datastream is composed might also
affect the timestamp attributes in result document depending
on their mtime.
---
tests/DS/test_ds_misc.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh
index cffbef303..1777c44f4 100755
--- a/tests/DS/test_ds_misc.sh
+++ b/tests/DS/test_ds_misc.sh
@@ -270,7 +270,9 @@ function test_source_date_epoch() {
export SOURCE_DATE_EPOCH="1583410177"
export TZ=UTC
# ensure the file mtime is always newer than the $timestamp
- touch -c "$xccdf"
+ touch -c "$srcdir/sds_multiple_oval/first-oval.xml"
+ touch -c "$srcdir/sds_multiple_oval/multiple-oval-xccdf.xml"
+ touch -c "$srcdir/sds_multiple_oval/second-oval.xml"
$OSCAP ds sds-compose "$xccdf" "$result"
assert_exists 3 '//ds:component[@timestamp="'$timestamp'"]'
rm -f "$result"
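Review bot: The three `touch -c` calls hard-code the component files by name, so a fourth component added to the sds_multiple_oval fixture later would silently reintroduce the timestamp mismatch this patch fixes; a glob over the fixture directory covers that case in one line: `for f in "$srcdir"/sds_multiple_oval/*.xml; do touch -c "$f"; done`. The relationship between these paths and `$xccdf` (assigned outside the hunk) is inferred from the names only. test_source_date_epoch starts before this hunk.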


@ -0,0 +1,22 @@
From 12f9c02a612bb1687676b74a4739126b1913b1fe Mon Sep 17 00:00:00 2001
From: Ajay Nair <ajaynair59@gmail.com>
Date: Mon, 9 May 2022 13:31:47 -0400
Subject: [PATCH] Reset errno before call to strtoll
---
src/common/memusage.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/common/memusage.c b/src/common/memusage.c
index c6755f21f1..ffa70b662b 100644
--- a/src/common/memusage.c
+++ b/src/common/memusage.c
@@ -71,6 +71,8 @@ static int read_common_sizet(void *szp, char *strval)
return (-1);
*end = '\0';
+
+ errno = 0;
*(size_t *)szp = strtoll(strval, NULL, 10);
if (errno == EINVAL ||
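Review bot: The result of `strtoll` is stored into `size_t` with no sign check, so a field such as `-5` converts cleanly (no `errno`) and wraps to a huge size instead of being rejected; the `errno == EINVAL` test on the next line does not catch it, and on glibc `strtoll` sets `errno` for a bad base or, as an extension, when no digits were found, so it should not be relied on for range validation beyond `ERANGE` (the rest of that condition is outside the hunk). Converting into a signed temporary first fixes it: `long long v = strtoll(strval, NULL, 10);` / `if (v < 0) return (-1);` / `*(size_t *)szp = (size_t)v;`. Passing `NULL` as `endptr` also means an empty or non-numeric field yields 0 undetected; the `*end = '\0'` just above suggests trailing text was already trimmed, but whether an empty field is rejected earlier cannot be seen here. read_common_sizet continues on both sides of the hunk.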


@ -0,0 +1,233 @@
From 07486e9033d8cc1fd03962994b3359cb611a9ac9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 22 Jul 2022 16:50:01 +0200
Subject: [PATCH 1/3] Add unit test for read_common_sizet function
The unit test will cover the missing set errno
to 0 which was the root cause of:
https://github.com/OpenSCAP/openscap/issues/1867
Therefore, this test can be used during verification of:
https://bugzilla.redhat.com/show_bug.cgi?id=2109485
---
tests/API/probes/CMakeLists.txt | 9 +++++
tests/API/probes/test_memusage.c | 67 +++++++++++++++++++++++++++++++
tests/API/probes/test_memusage.sh | 9 +++++
3 files changed, 85 insertions(+)
create mode 100644 tests/API/probes/test_memusage.c
create mode 100755 tests/API/probes/test_memusage.sh
diff --git a/tests/API/probes/CMakeLists.txt b/tests/API/probes/CMakeLists.txt
index ae3c7212a0..2ac4081ac2 100644
--- a/tests/API/probes/CMakeLists.txt
+++ b/tests/API/probes/CMakeLists.txt
@@ -38,3 +38,12 @@ target_include_directories(oval_fts_list PUBLIC
)
target_link_libraries(oval_fts_list openscap)
add_oscap_test("fts.sh")
+
+add_oscap_test_executable(test_memusage
+ "test_memusage.c"
+ "${CMAKE_SOURCE_DIR}/src/common/bfind.c"
+)
+target_include_directories(test_memusage PUBLIC
+ "${CMAKE_SOURCE_DIR}/src/common"
+)
+add_oscap_test("test_memusage.sh")
diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
new file mode 100644
index 0000000000..5dced98f03
--- /dev/null
+++ b/tests/API/probes/test_memusage.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2022 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Authors:
+ * "Jan Černý" <jcerny@redhat.com>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include "memusage.h"
+#include "memusage.c"
+#define OS_LINUX
+
+static int test_basic()
+{
+ size_t size;
+ char *strval = strdup("17 MB");
+ read_common_sizet(&size, strval);
+ free(strval);
+ return (size == 17);
+}
+
+static int test_errno()
+{
+ size_t size;
+ char *strval = strdup("17 MB");
+
+ /* Test that setting errno outside of the read_common_sizet function
+ * doesn't influence the function and doesn't make the function fail.
+ */
+ errno = EINVAL;
+
+ int ret = read_common_sizet(&size, strval);
+ free(strval);
+ return (ret != -1);
+}
+
+int main(int argc, char *argv[])
+{
+ if (!test_basic()) {
+ fprintf(stderr, "test_basic has failed\n");
+ return 1;
+ }
+ if (!test_errno()) {
+ fprintf(stderr, "test_errno has failed\n");
+ return 1;
+ }
+ return 0;
+}
diff --git a/tests/API/probes/test_memusage.sh b/tests/API/probes/test_memusage.sh
new file mode 100755
index 0000000000..4c76bdc0ac
--- /dev/null
+++ b/tests/API/probes/test_memusage.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+
+if [ -n "${CUSTOM_OSCAP+x}" ] ; then
+ exit 255
+fi
+
+./test_memusage
From 2cc649d5e9fbf337bbfca69c21313657a5b8a7cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Jul 2022 09:00:36 +0200
Subject: [PATCH 2/3] Replace license by SPDX ID
---
tests/API/probes/test_memusage.c | 22 +---------------------
1 file changed, 1 insertion(+), 21 deletions(-)
diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
index 5dced98f03..db2915f6d5 100644
--- a/tests/API/probes/test_memusage.c
+++ b/tests/API/probes/test_memusage.c
@@ -1,24 +1,4 @@
-/*
- * Copyright 2022 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Authors:
- * "Jan Černý" <jcerny@redhat.com>
- */
+// SPDX-License-Identifier: LGPL-2.1-or-later
#ifdef HAVE_CONFIG_H
#include <config.h>
From caadd89e61f5d70e251180055686a3b52c763c66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Jul 2022 09:00:45 +0200
Subject: [PATCH 3/3] Improve unit test for read_common_sizet
Check for multiple different situations.
---
tests/API/probes/test_memusage.c | 34 ++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/tests/API/probes/test_memusage.c b/tests/API/probes/test_memusage.c
index db2915f6d5..b9db865d45 100644
--- a/tests/API/probes/test_memusage.c
+++ b/tests/API/probes/test_memusage.c
@@ -12,16 +12,34 @@
static int test_basic()
{
size_t size;
- char *strval = strdup("17 MB");
- read_common_sizet(&size, strval);
+ char *strval = strdup("17 kB\n");
+ int ret = read_common_sizet(&size, strval);
free(strval);
- return (size == 17);
+ return (size == 17 && ret == 0);
+}
+
+static int test_no_unit()
+{
+ size_t size;
+ char *strval = strdup("42");
+ int ret = read_common_sizet(&size, strval);
+ free(strval);
+ return (ret == -1);
+}
+
+static int test_invalid_number()
+{
+ size_t size;
+ char *strval = strdup("www kB\n");
+ int ret = read_common_sizet(&size, strval);
+ free(strval);
+ return (size == 0 && ret == 0);
}
static int test_errno()
{
size_t size;
- char *strval = strdup("17 MB");
+ char *strval = strdup("17 kB\n");
/* Test that setting errno outside of the read_common_sizet function
* doesn't influence the function and doesn't make the function fail.
@@ -39,6 +57,14 @@ int main(int argc, char *argv[])
fprintf(stderr, "test_basic has failed\n");
return 1;
}
+ if (!test_no_unit()) {
+ fprintf(stderr, "test_no_unit has failed\n");
+ return 1;
+ }
+ if (!test_invalid_number()) {
+ fprintf(stderr, "test_invalid_number has failed\n");
+ return 1;
+ }
if (!test_errno()) {
fprintf(stderr, "test_errno has failed\n");
return 1;
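Review bot: In test_memusage.c `#define OS_LINUX` appears after `#include "memusage.c"`, so any `#ifdef OS_LINUX` inside memusage.c is evaluated before the macro exists; if the define is meant to select the Linux code path it must precede the include. The tests also use `strdup`, `free`, `errno` and `EINVAL` while including only `<stdio.h>`, relying on whatever memusage.c happens to include — `<string.h>`, `<stdlib.h>` and `<errno.h>` should be included directly so the test does not break when memusage.c changes. Minor style: `static int test_basic()` and the other test functions are old-style declarations, `(void)` gives a proper prototype, and since `argc`/`argv` are unused the entry point can be `int main(void)`.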


@ -0,0 +1,71 @@
From 55b09ba184c1803a5e1454c44e9e9a5c578dd741 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Jul 2022 17:10:17 +0200
Subject: [PATCH] Reset errno before strtol
This sets errno to 0 before strotol calls after which the errno
is being checked.
Per man 3 strtol:
Since strtol() can legitimately return 0, LONG_MAX, or
LONG_MIN (LLONG_MAX or LLONG_MIN for strtoll()) on both success and
failure, the calling program should set errno to 0 before the call, and
then determine if an error occurred by checking whether errno has a
nonzero value after the call.
This is inspired by https://github.com/OpenSCAP/openscap/pull/1861.
---
src/OVAL/probes/independent/sql57_probe.c | 1 +
src/OVAL/probes/independent/sql_probe.c | 1 +
src/OVAL/probes/oval_fts.c | 1 +
src/OVAL/probes/unix/xinetd_probe.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/src/OVAL/probes/independent/sql57_probe.c b/src/OVAL/probes/independent/sql57_probe.c
index ce1466635c..2b35750ee2 100644
--- a/src/OVAL/probes/independent/sql57_probe.c
+++ b/src/OVAL/probes/independent/sql57_probe.c
@@ -216,6 +216,7 @@ static int dbURIInfo_parse(dbURIInfo_t *info, const char *conn)
matchitem1(tok, 'c',
"onnecttimeout", tmp);
if (tmp != NULL) {
+ errno = 0;
info->conn_timeout = strtol(tmp, NULL, 10);
if (errno == ERANGE || errno == EINVAL)
diff --git a/src/OVAL/probes/independent/sql_probe.c b/src/OVAL/probes/independent/sql_probe.c
index 2ede89d031..71ba3c08c3 100644
--- a/src/OVAL/probes/independent/sql_probe.c
+++ b/src/OVAL/probes/independent/sql_probe.c
@@ -216,6 +216,7 @@ static int dbURIInfo_parse(dbURIInfo_t *info, const char *conn)
matchitem1(tok, 'c',
"onnecttimeout", tmp);
if (tmp != NULL) {
+ errno = 0;
info->conn_timeout = strtol(tmp, NULL, 10);
if (errno == ERANGE || errno == EINVAL)
diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
index 1364159c90..f9d0a0c1fd 100644
--- a/src/OVAL/probes/oval_fts.c
+++ b/src/OVAL/probes/oval_fts.c
@@ -729,6 +729,7 @@ OVAL_FTS *oval_fts_open_prefixed(const char *prefix, SEXP_t *path, SEXP_t *filen
/* max_depth */
PROBE_ENT_AREF(behaviors, r0, "max_depth", return NULL;);
SEXP_string_cstr_r(r0, cstr_buff, sizeof cstr_buff - 1);
+ errno = 0;
max_depth = strtol(cstr_buff, NULL, 10);
if (errno == EINVAL || errno == ERANGE) {
dE("Invalid value of the `%s' attribute: %s", "recurse_direction", cstr_buff);
diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
index b3375500db..703a07f513 100644
--- a/src/OVAL/probes/unix/xinetd_probe.c
+++ b/src/OVAL/probes/unix/xinetd_probe.c
@@ -1280,6 +1280,7 @@ int op_assign_bool(void *var, char *val)
*((bool *)(var)) = false;
} else {
char *endptr = NULL;
+ errno = 0;
*((bool *)(var)) = (bool) strtol (val, &endptr, 2);
if (errno == EINVAL || errno == ERANGE) {
return -1;
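Review bot: Clearing errno fixes the stale-errno false positive, but in both sql probes and in oval_fts the end pointer is still `NULL`, so a `conn_timeout` or `max_depth` such as `30x` is accepted silently, and glibc does not set EINVAL for a string with no digits, so a non-numeric value quietly becomes 0; passing an end pointer and testing `end == tmp || *end != '\0'` after the call catches both cases. In xinetd_probe.c `endptr` is declared but only errno is checked within the hunk; if the following lines do not test `*endptr`, the same applies there. Separately, the existing dE in the oval_fts hunk reports `recurse_direction` while the value being parsed is `max_depth`, which looks like a copy-paste in the message. Each enclosing function continues outside its hunk.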


@ -0,0 +1,82 @@
From 140d60bc751e6c0e4138ab3a2e8e9b130264f905 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 27 Jul 2022 09:40:29 +0200
Subject: [PATCH] Add CMake option to disable oscap-remediate service
This patch introduces a new CMake build option
ENABLE_OSCAP_REMEDIATE_SERVICE which can be used to disable the
installation of the files related to the oscap-remediate systemd
service. Downstream packagers can use this option to disable shipping
the oscap-remediate service in their RPM spec files.
Resolves: rhbz#2111358
Resolves: rhbz#2111360
---
CMakeLists.txt | 15 +++++++++------
utils/CMakeLists.txt | 20 +++++++++++---------
2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 61c57d7a3e..48e19e5203 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -327,6 +327,7 @@ cmake_dependent_option(ENABLE_OSCAP_UTIL_VM "enables the oscap-vm utility, this
cmake_dependent_option(ENABLE_OSCAP_UTIL_PODMAN "enables the oscap-podman utility, this lets you scan Podman containers and container images" ON "NOT WIN32" OFF)
cmake_dependent_option(ENABLE_OSCAP_UTIL_CHROOT "enables the oscap-chroot utility, this lets you scan entire chroots using offline scanning" ON "NOT WIN32" OFF)
option(ENABLE_OSCAP_UTIL_AUTOTAILOR "enables the autotailor utility that is able to perform command-line tailoring" TRUE)
+option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" TRUE)
# ---------- TEST-SUITE SWITCHES
@@ -609,12 +610,14 @@ if(NOT WIN32)
DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
)
if(WITH_SYSTEMD)
- # systemd service for offline (boot-time) remediation
- configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
- install(FILES
- ${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
- DESTINATION ${SYSTEMD_UNITDIR}
- )
+ if(ENABLE_OSCAP_REMEDIATE_SERVICE)
+ # systemd service for offline (boot-time) remediation
+ configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
+ install(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
+ DESTINATION ${SYSTEMD_UNITDIR}
+ )
+ endif()
endif()
endif()
diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
index 3f199eaabc..93ce1f2a9d 100644
--- a/utils/CMakeLists.txt
+++ b/utils/CMakeLists.txt
@@ -59,15 +59,17 @@ if(ENABLE_OSCAP_UTIL)
)
if(WITH_SYSTEMD)
- install(PROGRAMS "oscap-remediate"
- DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
- )
- install(PROGRAMS "oscap-remediate-offline"
- DESTINATION ${CMAKE_INSTALL_BINDIR}
- )
- install(FILES "oscap-remediate-offline.8"
- DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
- )
+ if (ENABLE_OSCAP_REMEDIATE_SERVICE)
+ install(PROGRAMS "oscap-remediate"
+ DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
+ )
+ install(PROGRAMS "oscap-remediate-offline"
+ DESTINATION ${CMAKE_INSTALL_BINDIR}
+ )
+ install(FILES "oscap-remediate-offline.8"
+ DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
+ )
+ endif()
endif()
endif()
endif()
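Review bot: Both uses of ENABLE_OSCAP_REMEDIATE_SERVICE sit inside `if(WITH_SYSTEMD)`, so the new option silently has no effect on a build without systemd; the file already expresses such dependencies with `cmake_dependent_option` (the UTIL_VM/PODMAN/CHROOT lines just above), so `cmake_dependent_option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" ON "WITH_SYSTEMD" OFF)` would document the relationship and make the option report OFF when it cannot apply — provided WITH_SYSTEMD is defined before this point, which is outside the hunk. Style: utils/CMakeLists.txt writes `if (ENABLE_OSCAP_REMEDIATE_SERVICE)` with a space while the surrounding lines and the top-level file write `if(...)`.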


@ -0,0 +1,132 @@
From 9c2052febe494ca5fe8e3fef7996fd2c2c736785 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 2 Nov 2022 09:04:25 +0100
Subject: [PATCH] Don't emit items if XPath doesn't match
This commit fixes the behavior of the xmlfilecontent probe in situation
when the XPath query in xmlfilecontent_object doesn't match any node in
the given XML file and the query returns an empty node set. Currently,
in this situation, we emit an item in which we add an empty value_of
element. However, this value_of element has its datatype attribute set
to an empty string, which is invalid according to the OVAL schema. When
we try to make the OVAL results valid, we face the problem that it isn't
clear what should be the value of the datatype attribute for empty
elements. But as we can realize the XPath doesn't match anything means
that the requested object doesn't exist on the system, so a better
behavior would be to not produce a xmlfilecontent54_item. That is
consistent with eg. situation when a regular expression matched nothing
in textfilecontent54_object. This commit therefore stops the item
generation in this situation.
This commit also extends the existing test to cover the situation
of XPath queries for nonexistent element and nonexistent attribute.
Fixes: #1890, rhbz#2138884, rhbz#2139060
---
.../probes/independent/xmlfilecontent_probe.c | 5 +--
.../test_xmlfilecontent_probe.sh | 6 +++
.../test_xmlfilecontent_probe.xml | 38 +++++++++++++++++++
3 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/src/OVAL/probes/independent/xmlfilecontent_probe.c b/src/OVAL/probes/independent/xmlfilecontent_probe.c
index 6c70b359ba..5d56afa0d4 100644
--- a/src/OVAL/probes/independent/xmlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/xmlfilecontent_probe.c
@@ -296,10 +296,9 @@ static int process_file(const char *prefix, const char *path, const char *filena
node_cnt = nodes->nodeNr;
dD("node_cnt: %d.", node_cnt);
- if (node_cnt == 0) {
- probe_item_setstatus(item, SYSCHAR_STATUS_DOES_NOT_EXIST);
- probe_item_ent_add(item, "value_of", NULL, NULL);
- probe_itement_setstatus(item, "value_of", 1, SYSCHAR_STATUS_DOES_NOT_EXIST);
+ if (node_cnt <= 0) {
+ ret = -5;
+ goto cleanup;
} else {
node_tab = nodes->nodeTab;
for (i = 0; i < node_cnt; ++i) {
diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
index e3c56a8606..68138dad75 100755
--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.sh
@@ -6,9 +6,15 @@ set -e -o pipefail
cp $srcdir/example.xml /tmp/
result=$(mktemp)
$OSCAP oval eval --results $result $srcdir/test_xmlfilecontent_probe.xml
+# Even if OSCAP_FULL_VALIDATION is set, an invalid OVAL result doesn't cause
+# the "oscap oval eval" to return a non-zero value, so let's run validation
+# as a separate command
+$OSCAP oval validate "$result"
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:1" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:2" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:3" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:4" and @result="true"]'
assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:5" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:6" and @result="true"]'
+assert_exists 1 '/oval_results/results/system/definitions/definition[@definition_id="oval:x:def:7" and @result="true"]'
rm -f $result
\ No newline at end of file
diff --git a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
index 3350df0c49..0a9708d4b6 100644
--- a/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
+++ b/tests/probes/xmlfilecontent/test_xmlfilecontent_probe.xml
@@ -66,6 +66,30 @@
<criterion test_ref="oval:x:tst:5" comment="test"/>
</criteria>
</definition>
+ <definition class="compliance" version="1" id="oval:x:def:6">
+ <metadata>
+ <title>A simple test OVAL for xmlfilecontent test - check nonexisting attribute</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>x</platform>
+ </affected>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:x:tst:6" comment="test"/>
+ </criteria>
+ </definition>
+ <definition class="compliance" version="1" id="oval:x:def:7">
+ <metadata>
+ <title>A simple test OVAL for xmlfilecontent test - check nonexisting element</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>x</platform>
+ </affected>
+ </metadata>
+ <criteria>
+ <criterion test_ref="oval:x:tst:7" comment="test"/>
+ </criteria>
+ </definition>
</definitions>
<tests>
@@ -89,6 +113,12 @@
<ind:object object_ref="oval:x:obj:5"/>
<ind:state state_ref="oval:x:ste:5"/>
</ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_test id="oval:x:tst:6" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+ <ind:object object_ref="oval:x:obj:6"/>
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_test id="oval:x:tst:7" version="1" comment="test an xpath expression" check="all" check_existence="none_exist">
+ <ind:object object_ref="oval:x:obj:7"/>
+ </ind:xmlfilecontent_test>
</tests>
<objects>
@@ -112,6 +142,14 @@
<ind:filepath>/tmp/example.xml</ind:filepath>
<ind:xpath>//*[@regid="mycoyote.com"]/@name</ind:xpath>
</ind:xmlfilecontent_object>
+ <ind:xmlfilecontent_object id="oval:x:obj:6" version="1" comment="xpath query">
+ <ind:filepath>/tmp/example.xml</ind:filepath>
+ <ind:xpath>/SoftwareIdentity/@thisattributedoesnotexist</ind:xpath>
+ </ind:xmlfilecontent_object>
+ <ind:xmlfilecontent_object id="oval:x:obj:7" version="1" comment="xpath query">
+ <ind:filepath>/tmp/example.xml</ind:filepath>
+ <ind:xpath>/SoftwareIdentity/thiselementdoesnotexist</ind:xpath>
+ </ind:xmlfilecontent_object>
</objects>
<states>
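Review bot: The new early exit `ret = -5; goto cleanup;` returns a bare magic number with no comment, and the hunk does not show whether `cleanup` releases the `item` that the removed lines were operating on, nor how the caller distinguishes -5 from other failures; a comment such as `/* XPath matched no node: the object does not exist, so emit no item (#1890) */` plus a check that cleanup frees item would make intent and ownership clear. Widening the test from `== 0` to `<= 0` also folds a negative nodeNr into "no match" rather than treating it as an error; if libxml2 never reports a negative count the original equality test was clearer. The remainder of process_file is outside the hunk.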


@ -1,20 +1,25 @@
Name: openscap
Version: 1.3.5
Release: 6%{?dist}.alma
Version: 1.3.6
Release: 5%{?dist}.alma
Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries
License: LGPLv2+
URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch1: openscap-1.3.7-PR-1841-coverity.patch
Patch2: openscap-1.3.7-PR-1843-fix-test-ds-misc.patch
Patch3: openscap-1.3.7-PR-1844-fix-test-ds-misc-2.patch
Patch4: openscap-1.3.7-PR-1861-failed-to-check-available-memory.patch
Patch5: openscap-1.3.7-PR-1874-unit-test-read-common-sizet.patch
Patch6: openscap-1.3.7-PR-1875-reset-errno-strtol.patch
Patch7: openscap-1.3.7-PR-1876-disable-oscap-remediate.patch
Patch8: openscap-1.3.7-PR-1891-xmlfilecontent.patch
# Add AlmaLinux definitions
Patch100: openscap-1.3.5-almalinux.patch
Patch1: openscap-1.3.6-PR-1745-waive-hugepages.patch
Patch2: openscap-1.3.6-PR-1748-covscan.patch
Patch3: openscap-1.3.6-PR-1749-blueprint-fix.patch
Patch4: openscap-1.3.6-PR-1753-getlogin.patch
Patch5: openscap-1.3.6-PR-1756-yaml-nulls.patch
Patch6: openscap-1.3.6-PR-1779-initialize-crapi-once.patch
Patch7: openscap-1.3.6-PR-1788-test-rhbz1959570.patch
BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel
@ -146,6 +151,7 @@ cd build
-DENABLE_OSCAP_UTIL_CHROOT=ON \
-DENABLE_OSCAP_UTIL_PODMAN=ON \
-DENABLE_OSCAP_UTIL_VM=ON \
-DENABLE_OSCAP_REMEDIATE_SERVICE=OFF \
..
make %{?_smp_mflags}
make docs
@ -223,9 +229,44 @@ rm -rf $RPM_BUILD_ROOT
%{_bindir}/oscap-run-sce-script
%changelog
* Sat Oct 09 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 1.3.5-6.alma
* Tue Feb 21 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 1.3.6-5.alma
- Add AlmaLinux definitions
* Mon Jan 30 2023 Jan Černý <jcerny@redhat.com> - 1.3.6-5
- Don't emit xmlfilecontent items if XPath doesn't match (rhbz#2165577)
* Thu Jul 21 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-4
- Fix potential invalid scan results in OpenSCAP (rhbz#2111040)
- Remove oscap-remediate service (rhbz#2111360)
* Wed Feb 02 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-3
- Prevent fails of test_ds_misc.sh
* Mon Jan 31 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-2
- Fix coverity issues
- Prevent fails of test_ds_misc.sh
* Thu Jan 20 2022 Jan Černý <jcerny@redhat.com> - 1.3.6-1
- Upgrade to the latest upstream release (rhbz#2041781)
- Select and exclude groups of rules on the command line
- The boot-time remediation service for systemd's Offline Update mode
* Fri Nov 19 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-10
- Print warning for local files
* Wed Nov 10 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-9
- Lower memory limits and improve their checking (rhbz#2021851)
- Remove timestamp from the user manual (rhbz#2022364)
* Tue Nov 09 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-8
- Allow local DS components (rhbz#1970529)
- Fix hostname detection in offline scan of UBI 9 images (rhbz#1893888)
- Add an alternative source of hostname (rhbz#1977668)
- Fix oscap-chroot errors in process58_probe caused by empty /proc (rhbz#2008922)
* Thu Nov 04 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-7
- Introduce support for Image Builder's Blueprint remediation type (rhbz#2020050)
* Wed Jul 28 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-6
- Initialize crypto API only once (rhbz#1959570)
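Review bot: `Patch100: openscap-1.3.5-almalinux.patch` keeps the 1.3.5 version in its filename while `Version:` moves to 1.3.6; the rendered page prints the line once so it is unclear whether it was left unchanged, but a version-tagged patch name that no longer matches the package invites confusion about which tarball it was generated against — either rename it to the new base version or drop the version from the name. The `%prep` section that applies Patch1–Patch8 and Patch100 is outside the hunk, so whether the eight new patches are actually applied cannot be confirmed here.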