From f5190d61d52105364bfca8e6189f5cab21c3ec3a Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 3 Nov 2020 06:56:57 -0500 Subject: [PATCH] import openscap-1.3.3-5.el8 --- .gitignore | 2 +- .openscap.metadata | 2 +- SOURCES/01-add-test-fix-type-anaconda.patch | 36 -- ...ord-operator-as-a-function-parameter.patch | 38 -- ...03-fix-cmake-test-for-libcap-xattr-h.patch | 48 --- ...scap-podman-detect-ambiguous-targets.patch | 56 --- SOURCES/openscap-1.3.2-covscan_ux_fix.patch | 389 ------------------ .../openscap-1.3.3-fix-cmake-findacl.patch | 45 -- ....3.4-add_compression_support-PR_1557.patch | 70 ++++ ...p-1.3.4-add_compression_test-PR_1564.patch | 168 ++++++++ ....3.4-add_compression_tracing-PR_1561.patch | 76 ++++ ...4-detect_remote_file_systems-PR_1573.patch | 94 +++++ ...fix-environmentvariable58-regression.patch | 59 +++ ...openscap-1.3.4-fix-no-more-recursion.patch | 177 ++++++++ ...cap-1.3.4-rpmverifyfile_leak-PR_1565.patch | 103 +++++ SPECS/openscap.spec | 66 ++- 16 files changed, 804 insertions(+), 625 deletions(-) delete mode 100644 SOURCES/01-add-test-fix-type-anaconda.patch delete mode 100644 SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch delete mode 100644 SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch delete mode 100644 SOURCES/04-oscap-podman-detect-ambiguous-targets.patch delete mode 100644 SOURCES/openscap-1.3.2-covscan_ux_fix.patch delete mode 100644 SOURCES/openscap-1.3.3-fix-cmake-findacl.patch create mode 100644 SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch create mode 100644 SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch create mode 100644 SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch create mode 100644 SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch create mode 100644 SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch create mode 100644 SOURCES/openscap-1.3.4-fix-no-more-recursion.patch create mode 100644 SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch 
diff --git a/.gitignore b/.gitignore
index fc9c1e0..b759384 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openscap-1.3.2.tar.gz
+SOURCES/openscap-1.3.3.tar.gz
diff --git a/.openscap.metadata b/.openscap.metadata
index 2413801..36498f3 100644
--- a/.openscap.metadata
+++ b/.openscap.metadata
@@ -1 +1 @@
-5fe71454faff8cdcbd0e13e7c7343daf04069ca9 SOURCES/openscap-1.3.2.tar.gz
+6988d1ea7b86669d410ab5defc1be394cba5b017 SOURCES/openscap-1.3.3.tar.gz
diff --git a/SOURCES/01-add-test-fix-type-anaconda.patch b/SOURCES/01-add-test-fix-type-anaconda.patch
deleted file mode 100644
index a1c2b73..0000000
--- a/SOURCES/01-add-test-fix-type-anaconda.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From 712000a675103393045fde191856ce1dd306f1ca Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 13 Jan 2020 17:28:09 +0100 -Subject: [PATCH] Add a test to check --fix-type Anaconda - -There should be 2 equal ways of generating Anaconda remediations: -"oscap xccdf generate fix --fix-type anaconda" and -"oscap xccdf generate fix --template urn:redhat:anaconda:pre" -Both commands should give the same output. -This tests a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1736850 -introduced by b1448ec95a957a76eb8be6d439531c532d97ff3c ---- - .../API/XCCDF/unittests/test_report_anaconda_fixes.sh | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh -index d4e86e657..650f3d75b 100755 ---- a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh -+++ b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh -@@ -23,6 +23,16 @@ grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3" - [ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ] - :> $result - -+# use --fix-type instead of URN template to generate the same fix -+$OSCAP xccdf generate fix --fix-type anaconda \ -+ --output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr -+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr -+grep "$line1" $result -+grep "$line2" $result -+grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3" -+[ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ] -+:> $result -+ - $OSCAP xccdf generate fix --template urn:redhat:anaconda:pre \ - --profile xccdf_moc.elpmaxe.www_profile_1 \ - --output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr diff --git a/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch b/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch deleted file mode 100644 index e6dbdca..0000000 
--- a/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 0ba7c9423f64a88ceef50318f1a382059484f737 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 15 Jan 2020 13:54:45 +0100 -Subject: [PATCH] Do not use C++ keyword operator as a function parameter name -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes SCAP Workbench build. - -Addressing: -[ 37%] Building CXX object CMakeFiles/scap-workbench.dir/scap-workbench_autogen/mocs_compilation.cpp.o -In file included from /usr/local/include/openscap/xccdf_policy.h:39, - from /home/jcerny/work/git/scap-workbench/include/TailoringDockWidgets.h:31, - from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/6YEA5652QU/moc_TailoringDockWidgets.cpp:10, - from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/mocs_compilation.cpp:18: -/usr/local/include/openscap/oval_definitions.h:1676:117: error: declaration of ‘operator,’ as parameter - 1676 | restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint); - | ^ - -Fixes: #1462 ---- - src/OVAL/public/oval_definitions.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/OVAL/public/oval_definitions.h b/src/OVAL/public/oval_definitions.h -index ea9d3aaf8..b5fe77154 100644 ---- a/src/OVAL/public/oval_definitions.h -+++ b/src/OVAL/public/oval_definitions.h -@@ -1669,7 +1669,7 @@ OSCAP_API void oval_variable_possible_value_iterator_free(struct oval_variable_p - * @param hint A short description of what the value means or represents. - * @memberof oval_variable_possible_restriction - */ --OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint); -+OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t, const char *); - - - /** 
diff --git a/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch b/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch deleted file mode 100644 index 6ea2560..0000000 --- a/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 3fbf36004eec55b9a88916559029332d7f356bae Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Wed, 15 Jan 2020 15:02:32 -0700 -Subject: [PATCH] Fix case where CMake couldn't find libacl or xattr.h - ---- - CMakeLists.txt | 2 +- - cmake/FindACL.cmake | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 720d8d8eb..fe20992a5 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -238,7 +238,7 @@ cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_XMLFILECONTENT "Independent xm - # UNIX PROBES - cmake_dependent_option(OPENSCAP_PROBE_UNIX_DNSCACHE "Unix dnscache probe" ON "ENABLE_PROBES_UNIX" OFF) - cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILE "Unix file probe" ON "ENABLE_PROBES_UNIX" OFF) --cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; (HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H)" OFF) -+cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H" OFF) - cmake_dependent_option(OPENSCAP_PROBE_UNIX_GCONF "Unix gconf probe" ON "ENABLE_PROBES_UNIX; GCONF_FOUND" OFF) - cmake_dependent_option(OPENSCAP_PROBE_UNIX_INTERFACE "Unix interface probe" ON "ENABLE_PROBES_UNIX" OFF) - cmake_dependent_option(OPENSCAP_PROBE_UNIX_PASSWORD "Unix password probe" ON "ENABLE_PROBES_UNIX" OFF) -diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake -index 1753b0dd3..2d4a3027c 100644 ---- a/cmake/FindACL.cmake -+++ b/cmake/FindACL.cmake -@@ -8,17 +8,17 @@ - include(LibFindMacros) - - # Use pkg-config to get hints about paths --libfind_pkg_check_modules(ACL_PKGCONF acl) -+libfind_pkg_check_modules(ACL_PKGCONF libacl) - - # Include dir - find_path(ACL_INCLUDE_DIR -- NAMES acl/libacl.h -+ NAMES "acl/libacl.h sys/libacl.h" - PATHS ${ACL_PKGCONF_INCLUDE_DIRS} - ) - - # Finally the library itself - find_library(ACL_LIBRARY -- NAMES acl -+ NAMES 
libacl - PATHS ${ACL_PKGCONF_LIBRARY_DIRS} - ) - diff --git a/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch b/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch deleted file mode 100644 index ed3b9ff..0000000 --- a/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 532a6c77f388d2e06ec12338df9ea97d955f5edc Mon Sep 17 00:00:00 2001 -From: Matus Marhefka -Date: Thu, 16 Jan 2020 15:39:37 +0100 -Subject: [PATCH] utils/oscap-podman: Detect ambiguous scan target - -In case that a container image and a running container have the same -name, `oscap-podman` scans container image and a running container is -skipped. This might be unexpected and might cause a confusion for user. -Therefore, this commit adds a code which detects such situation and -rather informs user about ambiguous scan target and terminates. -In such cases the unique container image/container ID should be used -for specifying the target of the scan. ---- - utils/oscap-podman | 23 ++++++++++++++++++----- - 1 file changed, 18 insertions(+), 5 deletions(-) - -diff --git a/utils/oscap-podman b/utils/oscap-podman -index 272afd988..32ec0cfcb 100755 ---- a/utils/oscap-podman -+++ b/utils/oscap-podman -@@ -65,17 +65,30 @@ if grep -q "\-\-remediate" <<< "$@"; then - die - fi - -+IMAGE_NAME=$(podman image exists "$1" \ -+ && podman image inspect --format "{{.Id}} {{.RepoTags}}" "$1") -+CONTAINER_NAME=$(podman container exists "$1" \ -+ && podman container inspect --format "{{.Id}} {{.Name}}" "$1") -+ -+if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then -+ echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2 -+ echo "Please rather use an unique ID to specify the target of the scan." >&2 -+ die -+fi -+ - # Check if the target of scan is image or container. - CLEANUP=0 --if podman images | grep -q $1; then -+if [ -n "$IMAGE_NAME" ]; then - ID=$(podman create $1) || die -- IMG_NAME=$(podman images --format "{{.ID}} ({{.Repository}}:{{.Tag}})" | grep -m1 $1) -- TARGET="podman-image://$IMG_NAME" -+ TARGET="podman-image://$IMAGE_NAME" - CLEANUP=1 --else -+elif [ -n "$CONTAINER_NAME" ]; then - # If the target was not found in images we suppose it is a container. 
- ID=$1 -- TARGET="podman-container://$1" -+ TARGET="podman-container://$CONTAINER_NAME" -+else -+ echo "Target of the scan not found: '$1'." >&2 -+ die - fi - - # podman init creates required files such as: /run/.containerenv - we don't care about output and exit code diff --git a/SOURCES/openscap-1.3.2-covscan_ux_fix.patch b/SOURCES/openscap-1.3.2-covscan_ux_fix.patch deleted file mode 100644 index 637aaf6..0000000 --- a/SOURCES/openscap-1.3.2-covscan_ux_fix.patch +++ /dev/null 
@@ -1,389 +0,0 @@ -From 47a2662bccb8e6f2f192acf46c26d862fe3bbcfb Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Fri, 17 Jan 2020 10:24:07 +0100 -Subject: [PATCH 1/2] Covscan fixes - -Error: FORWARD_NULL (CWE-476): [#def17] -xccdf_policy_remediate.c:383: var_compare_op: Comparing "rr" to null implies that "rr" might be null. -xccdf_policy_remediate.c:384: var_deref_model: Passing null pointer "rr" to "_rule_add_info_message", which dereferences it. - -Error: FORWARD_NULL (CWE-476): [#def18] -test_fsdev_is_local_fs.c:35: assign_zero: Assigning: "ment.mnt_fsname" = "NULL". -test_fsdev_is_local_fs.c:37: var_deref_model: Passing "&ment" to "is_local_fs", which dereferences null "ment.mnt_fsname". ---- - src/OVAL/probes/fsdev.c | 4 ++++ - src/XCCDF_POLICY/xccdf_policy_remediate.c | 12 ++++++++++-- - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c -index bd8e52fbf..a6b36f5e0 100644 ---- a/src/OVAL/probes/fsdev.c -+++ b/src/OVAL/probes/fsdev.c -@@ -97,6 +97,10 @@ static int is_local_fs(struct mntent *ment) - return 0; - } - -+ if (ment->mnt_fsname == NULL) { -+ return 0; -+ } -+ - s = ment->mnt_fsname; - /* If the fsname begins with "//", it is probably CIFS. 
*/ - if (s[0] == '/' && s[1] == '/') -diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c -index 389a7d1bd..f59737727 100644 ---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c -+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c -@@ -380,7 +380,11 @@ static inline int _xccdf_fix_decode_xml(struct xccdf_fix *fix, char **result) - #if defined(unix) || defined(__unix__) || defined(__unix) - static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix) - { -- if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) { -+ if (rr == NULL) { -+ return 1; -+ } -+ -+ if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) { - _rule_add_info_message(rr, "No fix available."); - return 1; - } -@@ -481,7 +485,11 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_ - #else - static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix) - { -- if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) { -+ if (rr == NULL) { -+ return 1; -+ } -+ -+ if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) { - _rule_add_info_message(rr, "No fix available."); - return 1; - } else { - -From 7bccc09eabd30e0581cf0fdf4f20fa481db12e91 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Fri, 17 Jan 2020 11:04:13 +0100 -Subject: [PATCH 2/2] Covscan fixes (SHELLCHECK), small refactoring in Shell - wrappers - -Error: SHELLCHECK_WARNING: -warning: die references arguments, but none are ever passed. [SC2120] - -Error: SHELLCHECK_WARNING: -warning: Use 'cd ... || exit' or 'cd ... || return' in case cd fails. [SC2164] - -Error: SHELLCHECK_WARNING: -warning: Declare and assign separately to avoid masking return values. 
[SC2155] ---- - utils/oscap-chroot | 20 ++++++++++++-------- - utils/oscap-podman | 42 +++++++++++++++++++++--------------------- - utils/oscap-ssh | 39 ++++++++++++++++++++++----------------- - utils/oscap-vm | 19 +++++++++++-------- - 4 files changed, 66 insertions(+), 54 deletions(-) - -diff --git a/utils/oscap-chroot b/utils/oscap-chroot -index 6518d7a2c..318f55a91 100755 ---- a/utils/oscap-chroot -+++ b/utils/oscap-chroot -@@ -25,6 +25,13 @@ function die() - exit 1 - } - -+function invalid() -+{ -+ echo -e "$*\n" >&2 -+ usage -+ exit 1 -+} -+ - function usage() - { - echo "oscap-chroot -- Tool for offline SCAP evaluation of filesystems mounted in arbitrary paths." -@@ -74,26 +81,23 @@ function usage() - } - - if [ $# -lt 1 ]; then -- echo "No arguments provided." -- usage -- die -+ invalid "No arguments provided." - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage -- die -+ exit 0 - elif [ "$#" -gt 1 ]; then - true - else -- echo "Invalid arguments provided." -- usage -- die -+ invalid "Invalid arguments provided." - fi - - # Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html - export OSCAP_PROBE_ROOT --OSCAP_PROBE_ROOT="$(cd "$1"; pwd)" -+OSCAP_PROBE_ROOT="$(cd "$1" && pwd)" || die "Invalid CHROOT_PATH argument." - export OSCAP_EVALUATION_TARGET="chroot://$OSCAP_PROBE_ROOT" - shift 1 - - oscap "$@" - EXIT_CODE=$? -+ - exit $EXIT_CODE -diff --git a/utils/oscap-podman b/utils/oscap-podman -index 32ec0cfcb..6b9f4a3de 100755 ---- a/utils/oscap-podman -+++ b/utils/oscap-podman -@@ -16,13 +16,19 @@ - # License along with this library; if not, write to the Free Software - # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -- - function die() - { - echo "$*" >&2 - exit 1 - } - -+function invalid() -+{ -+ echo -e "$*\n" >&2 -+ usage -+ exit 1 -+} -+ - function usage() - { - echo "oscap-podman -- Tool for SCAP evaluation of Podman images and containers." 
-@@ -39,30 +45,24 @@ function usage() - OSCAP_BINARY=oscap - - if [ $# -lt 1 ]; then -- echo "No arguments provided." -- usage -- die -+ invalid "No arguments provided." - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage -- die -+ exit 0 - elif [[ "$1" == --oscap=* ]] && [ $# -gt 2 ]; then - OSCAP_BINARY=${1#"--oscap="} - shift - elif [ "$#" -gt 1 ]; then - true - else -- echo "Invalid arguments provided." -- usage -- die -+ invalid "Invalid arguments provided." - fi - - if [ $(id -u) -ne 0 ]; then -- echo "This script cannot run in rootless mode." >&2 -- die -+ die "This script cannot run in rootless mode." - fi - if grep -q "\-\-remediate" <<< "$@"; then -- echo "This script does not support '--remediate' option." >&2 -- die -+ die "This script does not support '--remediate' option." - fi - - IMAGE_NAME=$(podman image exists "$1" \ -@@ -72,14 +72,13 @@ CONTAINER_NAME=$(podman container exists "$1" \ - - if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then - echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2 -- echo "Please rather use an unique ID to specify the target of the scan." >&2 -- die -+ die "Please rather use an unique ID to specify the target of the scan." - fi - - # Check if the target of scan is image or container. - CLEANUP=0 - if [ -n "$IMAGE_NAME" ]; then -- ID=$(podman create $1) || die -+ ID=$(podman create $1) || die "Unable to create a container." - TARGET="podman-image://$IMAGE_NAME" - CLEANUP=1 - elif [ -n "$CONTAINER_NAME" ]; then -@@ -87,14 +86,13 @@ elif [ -n "$CONTAINER_NAME" ]; then - ID=$1 - TARGET="podman-container://$CONTAINER_NAME" - else -- echo "Target of the scan not found: '$1'." >&2 -- die -+ die "Target of the scan not found: '$1'." 
- fi - - # podman init creates required files such as: /run/.containerenv - we don't care about output and exit code - podman init $ID &> /dev/null || true - --DIR=$(podman mount $ID) || die -+DIR=$(podman mount $ID) || die "Failed to mount." - - if [ ! -f "$DIR/run/.containerenv" ]; then - # ubi8-init image does not create .containerenv when running podman init, but we need to make sure that the file is there -@@ -105,14 +103,16 @@ for VAR in `podman inspect $ID --format '{{join .Config.Env " "}}'`; do - eval "export OSCAP_OFFLINE_$VAR" - done - --export OSCAP_PROBE_ROOT="$(cd "$DIR"; pwd)" -+export OSCAP_PROBE_ROOT -+OSCAP_PROBE_ROOT="$(cd "$DIR" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (DIR)." - export OSCAP_EVALUATION_TARGET="$TARGET" - shift 1 - - $OSCAP_BINARY "$@" - EXIT_CODE=$? --podman umount $ID > /dev/null || die -+ -+podman umount $ID > /dev/null || die "Failed to unmount." - if [ $CLEANUP -eq 1 ]; then -- podman rm $ID > /dev/null || die -+ podman rm $ID > /dev/null || die "Failed to clean up." - fi - exit $EXIT_CODE -diff --git a/utils/oscap-ssh b/utils/oscap-ssh -index 08c8bcd2b..cd3600180 100755 ---- a/utils/oscap-ssh -+++ b/utils/oscap-ssh -@@ -22,9 +22,12 @@ function die() - exit 1 - } - --hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client." --hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client." --hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils." -+function invalid() -+{ -+ echo -e "$*\n" >&2 -+ usage -+ exit 1 -+} - - function usage() - { -@@ -87,10 +90,6 @@ function usage() - echo "See \`man oscap\` to learn more about semantics of these options." - } - --OSCAP_SUDO="" --# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell --SSH_TTY_ALLOCATION_OPTION="" -- - # $1, $2, ... 
SSH options (pass them as separate arguments) - function ssh_execute_with_options { - ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS "$@" -p "$SSH_PORT" "$SSH_HOST" -@@ -118,22 +117,20 @@ function scp_retreive_from_temp_dir { - # Returns: String, where individual command components are double-quoted, so they are not interpreted by the shell. - # For example, an array ('-p' '(all)') will be transformed to "\"-p\" \"(all)\"", so after the shell expansion, it will end up as "-p" "(all)". - function command_array_to_string { -- eval "printf '\"%s\" ' \"\${$1[@]}\"" -+ eval "printf '\"%s\" ' \"\${$1[@]}\"" - } - - function first_argument_is_sudo { -- [ "$1" == "sudo" ] || [ "$1" == "--sudo" ] -- return $? -+ [ "$1" == "sudo" ] || [ "$1" == "--sudo" ] -+ return $? - } - - function sanity_check_arguments { - if [ $# -lt 1 ]; then -- echo "No arguments provided." -- usage -- die -+ invalid "No arguments provided." - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage -- die -+ exit 0 - elif first_argument_is_sudo "$@"; then - OSCAP_SUDO="sudo" - # force pseudo-tty allocation so that users can type their password if necessary -@@ -141,9 +138,7 @@ function sanity_check_arguments { - shift - fi - if [ $# -lt 2 ]; then -- echo "Missing ssh host and ssh port." -- usage -- die -+ invalid "Missing ssh host and ssh port." - fi - } - -@@ -165,6 +160,16 @@ function check_oscap_arguments { - fi - } - -+ -+hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client." -+hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client." -+hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils." 
-+ -+ -+OSCAP_SUDO="" -+# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell -+SSH_TTY_ALLOCATION_OPTION="" -+ - sanity_check_arguments "$@" - first_argument_is_sudo "$@" && shift - -diff --git a/utils/oscap-vm b/utils/oscap-vm -index 02f8c6396..6557eb3a7 100755 ---- a/utils/oscap-vm -+++ b/utils/oscap-vm -@@ -22,6 +22,13 @@ function die() - exit 1 - } - -+function invalid() -+{ -+ echo -e "$*\n" >&2 -+ usage -+ exit 1 -+} -+ - function usage() - { - echo "oscap-vm -- Tool for offline SCAP evaluation of virtual machines." -@@ -76,12 +83,10 @@ function usage() - OSCAP_BINARY=oscap - - if [ $# -lt 1 ]; then -- echo "No arguments provided." -- usage -- die -+ invalid "No arguments provided." - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage -- die -+ exit 0 - elif [[ "$1" == --oscap=* ]] && [ $# -gt 3 ]; then - OSCAP_BINARY=${1#"--oscap="} - shift -@@ -90,9 +95,7 @@ elif [ "$1" == "image" ] && [ $# -gt 2 ]; then - elif [ "$1" == "domain" ] && [ $# -gt 2 ]; then - true - else -- echo "Invalid arguments provided." -- usage -- die -+ invalid "Invalid arguments provided." - fi - - hash guestmount 2> /dev/null || die "Cannot find guestmount, please install libguestfs utilities." -@@ -128,7 +131,7 @@ fi - - # Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html - export OSCAP_PROBE_ROOT --OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT"; pwd)" -+OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (MOUNTPOINT)." - export OSCAP_EVALUATION_TARGET="oscap-vm $1 $2" - shift 2 - diff --git a/SOURCES/openscap-1.3.3-fix-cmake-findacl.patch b/SOURCES/openscap-1.3.3-fix-cmake-findacl.patch deleted file mode 100644 index e5c00b3..0000000 --- a/SOURCES/openscap-1.3.3-fix-cmake-findacl.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 4982aa3da7ae00cd3656db7f47ac3706e85ab7d4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 23 Jan 2020 16:24:37 +0100 -Subject: [PATCH] Fix FindACL.cmake - -find_path parameter `NAMES` values should be separated. According to -https://cmake.org/cmake/help/latest/command/find_path.html it should be: -`NAMES name1 [name2 ...]` - -find_library parameter `NAMES` either should not contain `lib` or should -contain both `lib` and `.so.` The documentation at -https://cmake.org/cmake/help/latest/command/find_library.html says: Each -library name given to the `NAMES` option is first considered as a -library file name and then considered with platform-specific prefixes -(e.g. `lib`) and suffixes (e.g. `.so`). - -This bug caused that even if cmake reported that libacl was found, the -library wasn't linked to the built `libopenscap.so`. Also, -`HAVE_ACL_EXTENDED_FILE`, `HAVE_ACL_LIBACL_H` and `HAVE_SYS_ACL_H` were -undefined in `config.h`, which caused some guarded pieces of code to not -compile, which means features missing. ---- - cmake/FindACL.cmake | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake -index 2d4a3027c..a41f2c13a 100644 ---- a/cmake/FindACL.cmake -+++ b/cmake/FindACL.cmake -@@ -12,13 +12,13 @@ libfind_pkg_check_modules(ACL_PKGCONF libacl) - - # Include dir - find_path(ACL_INCLUDE_DIR -- NAMES "acl/libacl.h sys/libacl.h" -+ NAMES "acl/libacl.h" "sys/libacl.h" - PATHS ${ACL_PKGCONF_INCLUDE_DIRS} - ) - - # Finally the library itself - find_library(ACL_LIBRARY -- NAMES libacl -+ NAMES acl - PATHS ${ACL_PKGCONF_LIBRARY_DIRS} - ) - diff --git a/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch b/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch new file mode 100644 index 0000000..a80fe11 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch 
@@ -0,0 +1,70 @@ +From d8518b70b912aa55fc47400173bf6229e40b71d0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= +Date: Wed, 8 Jul 2020 15:17:31 +0200 +Subject: [PATCH] Make a use of HTTP header content-encoding: gzip if available + +When fetching remote resources, some servers/CDNs may be able to serve us +compressed http response even in cases when the original file is not compressed +XML. libcurl is able to process encoded html for us with no added maintenance +costs. + +Attached please find a CURL log of fetching plain XML file from Red Hat CDN: + +Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml +... +* Trying 104.90.105.254:443... +* Connected to www.redhat.com (104.90.105.254) port 443 (#0) +* ALPN, offering h2 +* ALPN, offering http/1.1 +* successfully set certificate verify locations: +* CAfile: /etc/pki/tls/certs/ca-bundle.crt + CApath: none +* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 +* ALPN, server accepted to use h2 +* Server certificate: +* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=2945436; C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=www.redhat.com +* start date: Feb 24 00:00:00 2020 GMT +* expire date: May 24 12:00:00 2022 GMT +* subjectAltName: host "www.redhat.com" matched cert's "www.redhat.com" +* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA +* SSL certificate verify ok. +* Using HTTP2, server supports multi-use +* Connection state changed (HTTP/2 confirmed) +* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 +* Using Stream ID: 1 (easy handle 0x776c3b0) +> GET /security/data/oval/com.redhat.rhsa-RHEL7.xml HTTP/2 +Host: www.redhat.com +accept: */* +accept-encoding: gzip + +* old SSL session ID is stale, removing +* Connection state changed (MAX_CONCURRENT_STREAMS == 100)! 
+< HTTP/2 200 +< server: Apache +< last-modified: Wed, 08 Jul 2020 12:41:28 GMT +< etag: "7f694279-fca5e0-5a9ed6d376a08" +< accept-ranges: bytes +< content-type: text/xml +< content-encoding: gzip +< content-length: 1766376 +< date: Wed, 08 Jul 2020 13:15:29 GMT +< vary: Accept-Encoding +< strict-transport-security: max-age=31536000 +< +* Connection #0 to host www.redhat.com left intact +--- + src/common/oscap_acquire.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c +index 60ab62c05..551da43f0 100644 +--- a/src/common/oscap_acquire.c ++++ b/src/common/oscap_acquire.c +@@ -302,6 +302,7 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) + curl_easy_setopt(curl, CURLOPT_URL, url); + curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); ++ curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); + + CURLcode res = curl_easy_perform(curl); diff --git a/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch b/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch new file mode 100644 index 0000000..e35e0f3 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch 
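Review bot: Setting `CURLOPT_ACCEPT_ENCODING` to `""` makes libcurl inflate gzip/deflate (and brotli or zstd where built in) bodies before they reach `write_to_memory_callback`, so the data accumulated for the caller is no longer bounded by the bytes received on the wire; a compromised or spoofed remote resource can now send a small compressed body that expands to a very large XML and exhausts memory during `--fetch-remote-resources`. The callback and the rest of `oscap_acquire_url_download` are outside this hunk, so if no ceiling exists there, the callback should return 0 (which libcurl reports as `CURLE_WRITE_ERROR`) once the accumulated size passes a fixed limit; `CURLOPT_MAXFILESIZE_LARGE` alone is not sufficient because libcurl checks it against the declared length, which is the compressed size here. The `curl_easy_setopt` return is also unchecked, so on a libcurl built without zlib the option silently does nothing (`CURLE_NOT_BUILT_IN`); a `dW`-level message there would make that visible.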
@@ -0,0 +1,168 @@ +From 12ccadd9f9cd30143b3af6feced58f8da636e9d2 Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov +Date: Mon, 20 Jul 2020 07:45:05 +0200 +Subject: [PATCH] Add test for cURL "Accept-Encoding" header + +--- + tests/CMakeLists.txt | 1 + + tests/curl/CMakeLists.txt | 1 + + tests/curl/ds.xml | 99 ++++++++++++++++++++++++++++++++ + tests/curl/test_curl_encoding.sh | 23 ++++++++ + 4 files changed, 124 insertions(+) + create mode 100644 tests/curl/CMakeLists.txt + create mode 100644 tests/curl/ds.xml + create mode 100755 tests/curl/test_curl_encoding.sh + +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index b7ca6cd79..6948cd260 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -26,6 +26,7 @@ add_subdirectory("API") + add_subdirectory("bindings") + add_subdirectory("bz2") + add_subdirectory("codestyle") ++add_subdirectory("curl") + add_subdirectory("CPE") + add_subdirectory("DS") + add_subdirectory("mitre") +diff --git a/tests/curl/CMakeLists.txt b/tests/curl/CMakeLists.txt +new file mode 100644 +index 000000000..9c3d90d74 +--- /dev/null ++++ b/tests/curl/CMakeLists.txt +@@ -0,0 +1 @@ ++add_oscap_test("test_curl_encoding.sh") +diff --git a/tests/curl/ds.xml b/tests/curl/ds.xml +new file mode 100644 +index 000000000..f33cb475d +--- /dev/null ++++ b/tests/curl/ds.xml +@@ -0,0 +1,99 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ 5.11 ++ 2009-01-12T10:41:00-05:00 ++ ++ ++ ++ ++ ++ PASS ++ pass ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ oval:x:var:1 ++ ++ ++ ++ ++ ++ 100 ++ ++ ++ ++ ++ ++ ++ ++ ++ accepted ++ 1.0 ++ ++ ++ xccdf_test_profile ++ This profile is for testing. 
++ ++ ++ ++ ++ test value ++ foo ++ 50 ++ 100 ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ This rule checks remote resource ++ ++ ++ ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ ++ +diff --git a/tests/curl/test_curl_encoding.sh b/tests/curl/test_curl_encoding.sh +new file mode 100755 +index 000000000..6d82f9569 +--- /dev/null ++++ b/tests/curl/test_curl_encoding.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++set -e -o pipefail ++ ++. $builddir/tests/test_common.sh ++ ++function curl_accept_encoding { ++ local DF="${srcdir}/ds.xml" ++ local RF="results.xml" ++ local LOG="verbose.log" ++ ++ $OSCAP xccdf --verbose=DEVEL eval --fetch-remote-resources --results $RF $DF 2>$LOG || echo "OK" ++ ++ grep -P "Accept-Encoding.*gzip" $LOG ++ ++ return 0 ++} ++ ++test_init ++ ++test_run "cURL: Accept-Encoding" curl_accept_encoding ++ ++test_exit diff --git a/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch b/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch new file mode 100644 index 0000000..af4b663 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch 
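Review bot: `grep -P "Accept-Encoding.*gzip" $LOG` in `test_curl_encoding.sh` requests PCRE for a pattern that is plain basic-regex; on a grep built without PCRE support it exits 2 and, under `set -e`, fails the test for an unrelated reason, so `grep "Accept-Encoding.*gzip" "$LOG"` is the portable form. The `|| echo "OK"` after the `$OSCAP` call is presumably there so the test still passes when the remote resource is unreachable, but printing "OK" on a failed evaluation is misleading and `|| true` states the intent more honestly. The unquoted `$RF`, `$LOG` and `$DF` expansions should be double-quoted, and unless `test_init` in `test_common.sh` (not visible here) already switches to a scratch directory, `results.xml` and `verbose.log` are left behind in the working directory after the run.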
@@ -0,0 +1,76 @@ +From aab536acdd4b08e2e8c3d4ac43981dfcaf1cc9f8 Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov +Date: Mon, 13 Jul 2020 14:09:52 +0200 +Subject: [PATCH] Add CURLOPT_TRANSFER_ENCODING, enable CURLOPT_VERBOSE with + CURLOPT_DEBUGFUNCTION + +Adds a request for compressed Transfer Encoding in the outgoing +HTTP request. If the server supports this and so desires, it can +respond with the HTTP response sent using a compressed +Transfer-Encoding that will be automatically uncompressed by +libcurl on reception. + +The CURLOPT_DEBUGFUNCTION callback is used for printing headers and +connection information on VERBOSE level (dD). +--- + src/common/oscap_acquire.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c +index 551da43f0..666f4f5c9 100644 +--- a/src/common/oscap_acquire.c ++++ b/src/common/oscap_acquire.c +@@ -49,6 +49,7 @@ + #include "common/_error.h" + #include "oscap_string.h" + #include "oscap_helpers.h" ++#include "debug_priv.h" + + #ifndef OSCAP_TEMP_DIR + #define OSCAP_TEMP_DIR "/tmp" +@@ -288,6 +289,34 @@ oscap_acquire_url_to_filename(const char *url) + return filename; + } + ++static int _curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, void *userp) ++{ ++ const char *title; ++ ++ switch (type) { ++ case CURLINFO_TEXT: ++ title = "== cURL info"; ++ break; ++ case CURLINFO_HEADER_OUT: ++ title = "=> cURL header (out)"; ++ break; ++ case CURLINFO_HEADER_IN: ++ title = "<= cURL header (in)"; ++ break; ++ case CURLINFO_DATA_OUT: ++ case CURLINFO_SSL_DATA_OUT: ++ case CURLINFO_DATA_IN: ++ case CURLINFO_SSL_DATA_IN: ++ default: ++ return 0; ++ break; ++ } ++ ++ dD("%s: %s", title, data); ++ ++ return 0; ++} ++ + char* oscap_acquire_url_download(const char *url, size_t* memory_size) + { + CURL *curl; +@@ -303,7 +332,10 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) + curl_easy_setopt(curl, 
CURLOPT_WRITEFUNCTION, write_to_memory_callback); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); + curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); ++ curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true); + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); ++ curl_easy_setopt(curl, CURLOPT_VERBOSE, true); ++ curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace); + + CURLcode res = curl_easy_perform(curl); + curl_easy_cleanup(curl); diff --git a/SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch b/SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch new file mode 100644 index 0000000..77d8b01 --- /dev/null +++ b/SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch 
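Review bot: `dD("%s: %s", title, data)` in _curl_trace treats `data` as a NUL-terminated string, but libcurl's CURLOPT_DEBUGFUNCTION contract passes a buffer that is exactly `size` bytes long and not zero-terminated, so the `%s` reads past the end of the buffer and can copy adjacent heap memory into the log; bound it with the length, `dD("%s: %.*s", title, (int)size, data);`. Lines passed as CURLINFO_HEADER_OUT/CURLINFO_HEADER_IN carry whatever the request and response contain (cookies, Authorization headers, redirect targets), so a comment on the function, `/* Logs raw request/response headers; confined to DEVEL level on purpose, do not promote. */`, documents why the output is kept at dD. Separately, `curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true)` and the new CURLOPT_VERBOSE line pass an int through a variadic call whose documented argument type is long; this mirrors the existing FOLLOWLOCATION line, but `1L` is the correct argument.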
@@ -0,0 +1,94 @@ +diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c +index 82356d5e0..983675098 100644 +--- a/src/OVAL/probes/fsdev.c ++++ b/src/OVAL/probes/fsdev.c +@@ -62,6 +62,7 @@ + #endif + + #include "fsdev.h" ++#include "common/util.h" + + /** + * Compare two dev_t variables. +@@ -79,10 +80,6 @@ static int fsdev_cmp(const void *a, const void *b) + #if defined(OS_LINUX) + static int is_local_fs(struct mntent *ment) + { +-// todo: would it be usefull to provide the choice during build-time? +-#if 1 +- char *s; +- + /* + * When type of the filesystem is autofs, it means the mtab entry + * describes the autofs configuration, which means ment->mnt_fsname +@@ -97,37 +94,42 @@ static int is_local_fs(struct mntent *ment) + return 0; + } + +- if (ment->mnt_fsname == NULL) { +- return 0; +- } +- +- s = ment->mnt_fsname; +- /* If the fsname begins with "//", it is probably CIFS. */ +- if (s[0] == '/' && s[1] == '/') +- return 0; +- +- /* If there's a ':' in the fsname and it occurs before any +- * '/', then this is probably NFS and the file system is +- * considered "remote". ++ /* ++ * The following code is inspired by systemd, function fstype_is_network: ++ * https://github.com/systemd/systemd/blob/21fd6bc263f49b57867d90d2e1f9f255e5509134/src/basic/mountpoint-util.c#L290 + */ +- s = strpbrk(s, "/:"); +- if (s && *s == ':') +- return 0; + ++ const char *fstype = ment->mnt_type; ++ if (oscap_str_startswith(fstype, "fuse.")) { ++ fstype += strlen("fuse."); ++ } ++ const char *network_fs[] = { ++ "afs", ++ "ceph", ++ "cifs", ++ "smb3", ++ "smbfs", ++ "sshfs", ++ "ncpfs", ++ "ncp", ++ "nfs", ++ "nfs4", ++ "gfs", ++ "gfs2", ++ "glusterfs", ++ "gpfs", ++ "pvfs2", /* OrangeFS */ ++ "ocfs2", ++ "lustre", ++ "davfs", ++ NULL ++ }; ++ for (int i = 0; network_fs[i]; i++) { ++ if (!strcmp(network_fs[i], fstype)) { ++ return 0; ++ } ++ } + return 1; +-#else +- struct stat st; +- +- /* If the file system is not backed-up by a real file, it is +- considered remote. 
A notable exception is "tmpfs" to allow +- traversal of /tmp et al. */ +- if (strcmp(ment->mnt_fsname, "tmpfs") != 0 +- && (stat(ment->mnt_fsname, &st) != 0 +- || !(S_ISBLK(st.st_mode)))) +- return 0; +- else +- return 1; +-#endif + } + + #elif defined(OS_AIX) diff --git a/SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch b/SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch new file mode 100644 index 0000000..2c1b2db --- /dev/null +++ b/SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch 
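Review bot: is_local_fs now dereferences `ment->mnt_type` unconditionally (first in oscap_str_startswith, then in strcmp), whereas the removed code guarded `mnt_fsname` against NULL; getmntent() normally fills mnt_type from the mount table, but a one-line guard, `if (ment->mnt_type == NULL) return 0;`, keeps a malformed entry from crashing the probe instead of being skipped. The `network_fs` table is a local array re-initialised on every call; `static const char *const network_fs[] = { ... };` expresses that it is a constant lookup table. The removed heuristics (`//` and `host:` prefixes in mnt_fsname) also caught remote mounts whose type is not in the list, so a FUSE or other remote filesystem outside the table is now treated as local and will be traversed by the probes; a comment above the table stating that detection is deliberately type-based and mirrors systemd's fstype_is_network would make that trade-off explicit.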
@@ -0,0 +1,59 @@ +diff --git a/src/OVAL/probes/independent/environmentvariable58_probe.c b/src/OVAL/probes/independent/environmentvariable58_probe.c +index 552ce6700..77233aeeb 100644 +--- a/src/OVAL/probes/independent/environmentvariable58_probe.c ++++ b/src/OVAL/probes/independent/environmentvariable58_probe.c +@@ -96,32 +96,32 @@ static int read_environment(SEXP_t *pid_ent, SEXP_t *name_ent, probe_ctx *ctx) + ssize_t buffer_used; + size_t buffer_size; + ++ const char *extra_vars = getenv("OSCAP_CONTAINER_VARS"); ++ if (extra_vars && *extra_vars) { ++ char *vars = strdup(extra_vars); ++ char *tok, *eq_chr, *str, *strp; ++ ++ for (str = vars; ; str = NULL) { ++ tok = strtok_r(str, "\n", &strp); ++ if (tok == NULL) ++ break; ++ eq_chr = strchr(tok, '='); ++ if (eq_chr == NULL) ++ continue; ++ PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;); ++ collect_variable(tok, eq_chr - tok, pid, name_ent, ctx); ++ } ++ ++ free(vars); ++ return 0; ++ } ++ + const char *prefix = getenv("OSCAP_PROBE_ROOT"); + snprintf(path, PATH_MAX, "%s/proc", prefix ? prefix : ""); + d = opendir(path); + if (d == NULL) { +- const char *extra_vars = getenv("OSCAP_CONTAINER_VARS"); +- if (!extra_vars) { +- dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno)); +- return PROBE_EACCESS; +- } else { +- char *vars = strdup(extra_vars); +- char *tok, *eq_chr, *str, *strp; +- +- for (str = vars; ; str = NULL) { +- tok = strtok_r(str, "\n", &strp); +- if (tok == NULL) +- break; +- eq_chr = strchr(tok, '='); +- if (eq_chr == NULL) +- continue; +- PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;); +- collect_variable(tok, eq_chr - tok, pid, name_ent, ctx); +- } +- +- free(vars); +- return 0; +- } ++ dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno)); ++ return PROBE_EACCESS; + } + + if ((buffer = realloc(NULL, BUFFER_SIZE)) == NULL) { 
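Review bot: `char *vars = strdup(extra_vars);` in read_environment is handed to strtok_r without a NULL check, so an allocation failure becomes a NULL dereference; an early return with the probe's error status (use whatever the file already returns for failures — PROBE_EACCESS is the only status visible in this hunk) before the loop closes that. The relocation also changes semantics: a non-empty OSCAP_CONTAINER_VARS now replaces the /proc scan entirely instead of serving as a fallback when /proc is unreadable, which is presumably the intended regression fix, but a comment at the top of the block, `/* A non-empty OSCAP_CONTAINER_VARS replaces the /proc scan entirely (container scans without /proc access). */`, would record it. read_environment's signature and the declarations of path, d and pid are outside the hunk.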
diff --git a/SOURCES/openscap-1.3.4-fix-no-more-recursion.patch b/SOURCES/openscap-1.3.4-fix-no-more-recursion.patch new file mode 100644 index 0000000..ebc20ca --- /dev/null +++ b/SOURCES/openscap-1.3.4-fix-no-more-recursion.patch 
@@ -0,0 +1,177 @@ +From c8fc880a672afbfdbd384dc6afa4b7fbdd666b73 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 27 May 2020 10:38:56 +0200 +Subject: [PATCH 1/3] Add a regression test for RHBZ#1686370 + +There is a non-optimal behavior of file probe. It happens when file path +is specified using a variable with 2 values with `operation="equals"` +and `var_check="all"`. The probe recurses into a file system tree even +if it's obvious that it won't find any match. If one of values is a big +tree (for example `/`) it eventually runs out of memory and crashes. The +OVAL doesn't make sense because it's impossible that a single file would +have 2 different paths. But despite that it's a valid OVAL document. +The test is expected to fail because the bug hasn't been fixed. +--- + tests/probes/file/CMakeLists.txt | 1 + + .../test_probes_file_multiple_file_paths.sh | 39 +++++++++++++++++ + .../test_probes_file_multiple_file_paths.xml | 42 +++++++++++++++++++ + 3 files changed, 82 insertions(+) + create mode 100755 tests/probes/file/test_probes_file_multiple_file_paths.sh + create mode 100644 tests/probes/file/test_probes_file_multiple_file_paths.xml + +diff --git a/tests/probes/file/CMakeLists.txt b/tests/probes/file/CMakeLists.txt +index 12718603f..35b4c1169 100644 +--- a/tests/probes/file/CMakeLists.txt ++++ b/tests/probes/file/CMakeLists.txt +@@ -1,3 +1,4 @@ + if(ENABLE_PROBES_UNIX) + add_oscap_test("test_probes_file.sh") ++ add_oscap_test("test_probes_file_multiple_file_paths.sh") + endif() +diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.sh b/tests/probes/file/test_probes_file_multiple_file_paths.sh +new file mode 100755 +index 000000000..1cececbb0 +--- /dev/null ++++ b/tests/probes/file/test_probes_file_multiple_file_paths.sh +@@ -0,0 +1,39 @@ ++#!/bin/bash ++ ++set -e -o pipefail ++ ++. 
$builddir/tests/test_common.sh ++ ++probecheck "file" || exit 255 ++which strace || exit 255 ++ ++function check_strace_output { ++ strace_log="$1" ++ grep -q "/tmp/numbers/1" $strace_log && return 1 ++ grep -q "/tmp/numbers/1/2" $strace_log && return 1 ++ grep -q "/tmp/numbers/1/2/3" $strace_log && return 1 ++ grep -q "/tmp/numbers/1/2/3/4" $strace_log && return 1 ++ grep -q "/tmp/numbers/1/2/3/4/5" $strace_log && return 1 ++ grep -q "/tmp/numbers/1/2/3/4/5/6" $strace_log && return 1 ++ grep -q "/tmp/letters/a" $strace_log && return 1 ++ grep -q "/tmp/letters/a/b" $strace_log && return 1 ++ grep -q "/tmp/letters/a/b/c" $strace_log && return 1 ++ grep -q "/tmp/letters/a/b/c/d" $strace_log && return 1 ++ grep -q "/tmp/letters/a/b/c/d/e" $strace_log && return 1 ++ grep -q "/tmp/letters/a/b/c/d/e/f" $strace_log && return 1 ++ return 0 ++} ++ ++rm -rf /tmp/numbers ++mkdir -p /tmp/numbers/1/2/3/4/5/6 ++rm -rf /tmp/letters ++mkdir -p /tmp/letters/a/b/c/d/e/f ++strace_log=$(mktemp) ++strace -f -e openat -o $strace_log $OSCAP oval eval --results results.xml "$srcdir/test_probes_file_multiple_file_paths.xml" ++ret=0 ++check_strace_output $strace_log || ret=$? 
++rm -f $strace_log ++rm -f results.xml ++rm -rf /tmp/numbers ++rm -rf /tmp/letters ++exit $ret +diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.xml b/tests/probes/file/test_probes_file_multiple_file_paths.xml +new file mode 100644 +index 000000000..893a3fe97 +--- /dev/null ++++ b/tests/probes/file/test_probes_file_multiple_file_paths.xml +@@ -0,0 +1,42 @@ ++ ++ ++ ++ 5.10 ++ 0001-01-01T00:00:00+00:00 ++ ++ ++ ++ ++ ++ Specify a file path using variable with two values ++ x ++ ++ multi_platform_all ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /tmp/numbers ++ /tmp/letters ++ ++ ++ + +From 569e0013ca83adef233ddecc78a052db9b3ccc5c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 2 Jun 2020 15:11:37 +0200 +Subject: [PATCH 2/3] Add strace to the list of test dependencies + +--- + docs/developer/developer.adoc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs/developer/developer.adoc b/docs/developer/developer.adoc +index 823a1504e..0f01ace74 100644 +--- a/docs/developer/developer.adoc ++++ b/docs/developer/developer.adoc +@@ -152,7 +152,7 @@ After building the library you might want to run library self-checks. 
To do + that you need to have these additional packages installed: + + ---- +-wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build ++wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build strace + ---- + + On Ubuntu 18.04, also install: + +From a47604bf30c6574e570abde4fd01488ba120f82d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 17 Jun 2020 11:00:02 +0200 +Subject: [PATCH 3/3] Terminate matching to prevent recursion + +Fixes: RHBZ#1686370 +--- + src/OVAL/probes/oval_fts.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c +index 696997942..2b7314c38 100644 +--- a/src/OVAL/probes/oval_fts.c ++++ b/src/OVAL/probes/oval_fts.c +@@ -1029,6 +1029,15 @@ static FTSENT *oval_fts_read_match_path(OVAL_FTS *ofts) + + if (ores == OVAL_RESULT_TRUE) + break; ++ if (ofts->ofts_path_op == OVAL_OPERATION_EQUALS) { ++ /* At this point the comparison result isn't OVAL_RESULT_TRUE. Since ++ we passed the exact path (from filepath or path elements) to ++ fts_open() we surely know that we can't find other items that would ++ be equal. Therefore we can terminate the matching. This can happen ++ if the filepath or path element references a variable that has ++ multiple different values. */ ++ return NULL; ++ } + } /* for (;;) */ + + /* diff --git a/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch b/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch new file mode 100644 index 0000000..1cb6e65 --- /dev/null +++ b/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch 
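Review bot: the new `return NULL` in oval_fts_read_match_path leaves the `for (;;)` loop from inside its body, whereas the matching case uses `break` and continues past the loop; if the code after `} /* for (;;) */` (outside the hunk) releases the current entry or resets iteration state before returning, that cleanup is skipped on this path — confirm, or replace the return with a flag checked after the loop so both exits share the same tail. A dD-level trace before the return, `dD("Path operation is 'equals' and the entry did not match; stopping traversal early.");` (if debug_priv.h is available there), would make the early termination visible in verbose logs when a user's variable has several values. In the regression test, the twelve `grep -q` lines reduce to two: if `/tmp/numbers/1` is absent from the strace log none of the deeper `/tmp/numbers/1/...` paths can be present, and likewise for `/tmp/letters/a`. The test also uses fixed paths under the shared /tmp (the OVAL hard-codes /tmp/numbers and /tmp/letters), so concurrent runs or a pre-existing entry created by another user collide with the `rm -rf`/`mkdir -p` setup; a mktemp -d base substituted into the OVAL at test time would avoid that.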
@@ -0,0 +1,103 @@ +From 4ef60df7edfdd7a49a565494142f86d93f9268b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 31 Jul 2020 10:38:17 +0200 +Subject: [PATCH] Plug a memory leak + +==12029== at 0x483A809: malloc (vg_replace_malloc.c:307) +==12029== by 0x51F1386: realpath@@GLIBC_2.3 (in /usr/lib64/libc-2.31.so) +==12029== by 0x489F8CA: oscap_realpath (util.c:251) +==12029== by 0x495E6EF: rpmverify_collect (rpmverifyfile_probe.c:248) +==12029== by 0x495F461: rpmverifyfile_probe_main (rpmverifyfile_probe.c:543) +==12029== by 0x4935598: probe_worker (worker.c:1090) +==12029== by 0x4932F10: probe_worker_runfn (worker.c:81) +==12029== by 0x4CDA431: start_thread (in /usr/lib64/libpthread-2.31.so) +==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so) + +==12029== at 0x483CCE8: realloc (vg_replace_malloc.c:834) +==12029== by 0x4D9DCD8: rrealloc (in /usr/lib64/librpmio.so.9.0.1) +==12029== by 0x4D25B88: headerFormat (in /usr/lib64/librpm.so.9.0.1) +==12029== by 0x495E467: rpmverify_collect (rpmverifyfile_probe.c:230) +==12029== by 0x495F461: rpmverifyfile_probe_main +(rpmverifyfile_probe.c:543) +==12029== by 0x4935598: probe_worker (worker.c:1090) +==12029== by 0x4932F10: probe_worker_runfn (worker.c:81) +==12029== by 0x4CDA431: start_thread (in +/usr/lib64/libpthread-2.31.so) +==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so) + +Resolves: RHBZ#1861301 +--- + .../probes/unix/linux/rpmverifyfile_probe.c | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c +index c86818e72..57d69f552 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c ++++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c +@@ -61,10 +61,10 @@ + + struct rpmverify_res { + char *name; /**< package name */ +- const char *epoch; +- const char *version; +- const char *release; +- const char *arch; ++ char *epoch; ++ char 
*version; ++ char *release; ++ char *arch; + char *file; /**< filepath */ + char extended_name[1024]; + rpmVerifyAttrs vflags; /**< rpm verify flags */ +@@ -272,14 +272,14 @@ static int rpmverify_collect(probe_ctx *ctx, + free(current_file_realpath); + continue; + } +- res.file = current_file_realpath ? current_file_realpath : strdup(current_file); ++ res.file = current_file_realpath ? oscap_strdup(current_file_realpath) : oscap_strdup(current_file); + break; + case OVAL_OPERATION_PATTERN_MATCH: + ret = pcre_exec(re, NULL, current_file, strlen(current_file), 0, 0, NULL, 0); + + switch(ret) { + case 0: /* match */ +- res.file = strdup(current_file); ++ res.file = oscap_strdup(current_file); + break; + case -1: + /* mismatch */ +@@ -299,12 +299,18 @@ static int rpmverify_collect(probe_ctx *ctx, + free(current_file_realpath); + goto ret; + } ++ free(current_file_realpath); + + if (rpmVerifyFile(g_rpm->rpmts, fi, &res.vflags, omit) != 0) + res.vflags = RPMVERIFY_FAILURES; + + if (callback(ctx, &res) != 0) { + ret = 0; ++ free(res.name); ++ free(res.epoch); ++ free(res.version); ++ free(res.release); ++ free(res.arch); + free(res.file); + goto ret; + } +@@ -313,6 +319,12 @@ static int rpmverify_collect(probe_ctx *ctx, + + rpmfiFree(fi); + } ++ ++ free(res.name); ++ free(res.epoch); ++ free(res.version); ++ free(res.release); ++ free(res.arch); + } + + match = rpmdbFreeIterator (match); +-- +2.26.2 + diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index c1e87db..2536e77 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec 
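Review bot: the early-exit path `if (callback(ctx, &res) != 0)` in rpmverify_collect now frees the five header strings and res.file but still jumps to `ret` without `rpmfiFree(fi)`, which only runs after the file loop, so that path leaks the rpmfi iterator unless the `ret:` label (outside the hunk) releases it; adding `rpmfiFree(fi);` before the `goto ret` closes that. The end-of-iteration block frees name/epoch/version/release/arch but not res.file, which is correct only if the per-file loop already releases res.file after each callback — confirm. Changing the struct members from `const char *` to `char *` so they can be freed assumes every assignment to epoch/version/release/arch is heap-allocated; if any branch assigns a literal (for example a placeholder for a missing epoch) the new `free()` calls are undefined behaviour, so a comment on the struct, `/* all string members are heap-allocated and owned by rpmverify_collect */`, documents the invariant those frees rely on. The allocation sites (headerFormat at rpmverifyfile_probe.c:230 per the valgrind trace in the description) are outside the hunk.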
@@ -1,19 +1,19 @@ Name: openscap -Version: 1.3.2 -Release: 6%{?dist} +Version: 1.3.3 +Release: 5%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz -# PATCHES FOR 1.3.2 -Patch1: 01-add-test-fix-type-anaconda.patch -Patch2: 02-do-not-use-keyword-operator-as-a-function-parameter.patch -Patch3: 03-fix-cmake-test-for-libcap-xattr-h.patch -Patch4: 04-oscap-podman-detect-ambiguous-targets.patch -Patch5: openscap-1.3.2-covscan_ux_fix.patch -Patch6: openscap-1.3.3-fix-cmake-findacl.patch -# END PATCHES FOR 1.3.2 +Patch1: openscap-1.3.4-fix-environmentvariable58-regression.patch +Patch2: openscap-1.3.4-fix-no-more-recursion.patch +Patch3: openscap-1.3.4-add_compression_support-PR_1557.patch +Patch4: openscap-1.3.4-add_compression_test-PR_1564.patch +Patch5: openscap-1.3.4-add_compression_tracing-PR_1561.patch +Patch6: openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch +Patch7: openscap-1.3.4-detect_remote_file_systems-PR_1573.patch + BuildRequires: cmake >= 2.6 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser BuildRequires: rpm-devel @@ -29,6 +29,7 @@ BuildRequires: openldap-devel BuildRequires: GConf2-devel BuildRequires: glib2-devel BuildRequires: dbus-devel +BuildRequires: libyaml-devel %if %{?_with_check:1}%{!?_with_check:0} BuildRequires: perl-XML-XPath BuildRequires: bzip2 @@ -36,6 +37,7 @@ BuildRequires: bzip2 Requires: bash Requires: bzip2-libs Requires: dbus +Requires: libyaml Requires: GConf2 Requires: glib2 Requires: libacl @@ -137,6 +139,7 @@ for developing applications that use %{name}-engine-sce. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 mkdir build %build 
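Review bot: `Requires: libyaml` duplicates the dependency rpm generates automatically from the soname of the linked library, which rpmlint reports as explicit-lib-dependency; it follows the file's existing explicit `Requires:` style, so either keep it with a comment explaining why or drop it, but `BuildRequires: libyaml-devel` is the line that actually matters. The `# PATCHES FOR 1.3.2` / `# END PATCHES FOR 1.3.2` markers are removed rather than updated; keeping `# PATCHES FOR 1.3.3` and `# END PATCHES FOR 1.3.3` around the seven new entries preserves the convention the spec used before and makes the next rebase easier to review.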
@@ -216,12 +219,54 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/oscap-vm %{_mandir}/man8/scap-as-rpm.8.gz %{_bindir}/scap-as-rpm +%{_mandir}/man8/autotailor.8.gz +%{_bindir}/autotailor %files engine-sce %{_libdir}/libopenscap_sce.so.* %{_bindir}/oscap-run-sce-script %changelog +* Wed Aug 19 2020 Jan Černý - 1.3.3-5 +- Detect remote file systems correctly (RHBZ#1870087) + +* Mon Aug 03 2020 Jan Černý - 1.3.3-4 +- Fix memory leaks in rpmverifyfile probe (RHBZ#1861301) + +* Tue Jul 21 2020 Matěj Týč - 1.3.3-3 +- Added support for fetching remote content with compression (RHBZ#1855708) + +* Thu Jun 25 2020 Matěj Týč - 1.3.3-2 +- Prevent unwanted recursion that could crash the scanner (RHBZ#1686370) + +* Mon May 04 2020 Evgeny Kolesnikov - 1.3.3-1 +- Upgrade to the latest upstream release (rhbz#1829761) +- Added a Python script that can be used for CLI tailoring (autotailor) +- Added timezone to XCCDF TestResult start/end time +- Added yamlfilecontent independent probe (proposal/draft implementation) +- Added ability to generate `machineconfig` fix +- Introduced `urn:xccdf:fix:script:kubernetes` fix type in XCCDF +- Fixed filepath pattern matching in offline mode in textfilecontent58 probe +- Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory +- Fixed #1512: Severity refinement lost in generated guide +- Fixed #1453: Pointer lost in Swig API +- The data system_info probe return for offline and online modes is consistent and actual +- Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities + from system_info probe + +* Fri Mar 27 2020 Jan Černý - 1.3.2-9 +- Generate HTML guides from tailored profiles (RHBZ#1743835) + +* Wed Mar 18 2020 Jan Černý - 1.3.2-8 +- Fix tests for rpmverifyfileprobe (RHBZ#1814726) + +* Thu Mar 12 2020 Jan Černý - 1.3.2-7 +- Fix segmentation fault in systemdunitdependency_probe (RHBZ#1793050) +- Fix crash in textfilecontent probe (RHBZ#1686467) +- Do not drop empty lines from Ansible remediations 
(RHBZ#1795563) +- Fix oscap-ssh --sudo (RHBZ#1803116) +- Remove useless warnings (RHBZ#1764139) + * Thu Jan 23 2020 Jan Černý - 1.3.2-6 - Fix FindACL.cmake @@ -702,4 +747,3 @@ rm -rf $RPM_BUILD_ROOT * Thu Jan 15 2009 Tomas Heinrich 0.1.1-1 - Initial rpm -