rpms/openscap
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import openscap-1.3.4-5.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-05-18 02:42:24 -04:00 committed by Andrew Lukoshko
parent 9459b72a12
commit f738090cf9
23 changed files with 583 additions and 5535 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openscap-1.3.3.tar.gz
SOURCES/openscap-1.3.4.tar.gz

2
.openscap.metadata
View File

@ -1 +1 @@
6988d1ea7b86669d410ab5defc1be394cba5b017 SOURCES/openscap-1.3.3.tar.gz
3e303f06aa00e5c2616db606b980389ee0b73883 SOURCES/openscap-1.3.4.tar.gz

70
SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch
View File

@ -1,70 +0,0 @@
From d8518b70b912aa55fc47400173bf6229e40b71d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Wed, 8 Jul 2020 15:17:31 +0200
Subject: [PATCH] Make a use of HTTP header content-encoding: gzip if available
When fetching remote resources, some servers/CDNs may be able to serve us
compressed http response even in cases when the original file is not compressed
XML. libcurl is able to process encoded html for us with no added maintenance
costs.
Attached please find a CURL log of fetching plain XML file from Red Hat CDN:
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml
...
* Trying 104.90.105.254:443...
* Connected to www.redhat.com (104.90.105.254) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=2945436; C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=www.redhat.com
* start date: Feb 24 00:00:00 2020 GMT
* expire date: May 24 12:00:00 2022 GMT
* subjectAltName: host "www.redhat.com" matched cert's "www.redhat.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x776c3b0)
> GET /security/data/oval/com.redhat.rhsa-RHEL7.xml HTTP/2
Host: www.redhat.com
accept: */*
accept-encoding: gzip
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< server: Apache
< last-modified: Wed, 08 Jul 2020 12:41:28 GMT
< etag: "7f694279-fca5e0-5a9ed6d376a08"
< accept-ranges: bytes
< content-type: text/xml
< content-encoding: gzip
< content-length: 1766376
< date: Wed, 08 Jul 2020 13:15:29 GMT
< vary: Accept-Encoding
< strict-transport-security: max-age=31536000
<
* Connection #0 to host www.redhat.com left intact
---
src/common/oscap_acquire.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index 60ab62c05..551da43f0 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -302,6 +302,7 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
+ curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
CURLcode res = curl_easy_perform(curl);

168
SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch
View File

@ -1,168 +0,0 @@
From 12ccadd9f9cd30143b3af6feced58f8da636e9d2 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Mon, 20 Jul 2020 07:45:05 +0200
Subject: [PATCH] Add test for cURL "Accept-Encoding" header
---
tests/CMakeLists.txt | 1 +
tests/curl/CMakeLists.txt | 1 +
tests/curl/ds.xml | 99 ++++++++++++++++++++++++++++++++
tests/curl/test_curl_encoding.sh | 23 ++++++++
4 files changed, 124 insertions(+)
create mode 100644 tests/curl/CMakeLists.txt
create mode 100644 tests/curl/ds.xml
create mode 100755 tests/curl/test_curl_encoding.sh
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index b7ca6cd79..6948cd260 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -26,6 +26,7 @@ add_subdirectory("API")
add_subdirectory("bindings")
add_subdirectory("bz2")
add_subdirectory("codestyle")
+add_subdirectory("curl")
add_subdirectory("CPE")
add_subdirectory("DS")
add_subdirectory("mitre")
diff --git a/tests/curl/CMakeLists.txt b/tests/curl/CMakeLists.txt
new file mode 100644
index 000000000..9c3d90d74
--- /dev/null
+++ b/tests/curl/CMakeLists.txt
@@ -0,0 +1 @@
+add_oscap_test("test_curl_encoding.sh")
diff --git a/tests/curl/ds.xml b/tests/curl/ds.xml
new file mode 100644
index 000000000..f33cb475d
--- /dev/null
+++ b/tests/curl/ds.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_test_single_rule.xccdf.xml" schematron-version="1.3">
+<ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_test_single_rule.xccdf.xml" scap-version="1.3" use-case="OTHER">
+ <ds:checklists>
+ <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.xccdf.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.xccdf.xml">
+ <cat:catalog>
+ <cat:uri name="test_single_rule.oval.xml" uri="#scap_org.open-scap_cref_test_single_rule.oval.xml"/>
+ <cat:uri name="security-data-oval.xml.bz2" uri="#scap_org.open-scap_cref_security-data-oval.xml.bz2"/>
+ </cat:catalog>
+ </ds:component-ref>
+ </ds:checklists>
+ <ds:checks>
+ <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.oval.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.oval.xml"/>
+<!--
+ <ds:component-ref id="scap_org.open-scap_cref_security-data-oval.xml.bz2" xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"/>
+-->
+ <ds:component-ref id="scap_org.open-scap_cref_security-data-oval.xml.bz2" xlink:href="https://github.com/"/>
+ </ds:checks>
+</ds:data-stream>
+
+<ds:component id="scap_org.open-scap_comp_test_single_rule.oval.xml" timestamp="2017-06-09T07:07:38">
+<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd">
+ <generator>
+ <oval:schema_version>5.11</oval:schema_version>
+ <oval:timestamp>2009-01-12T10:41:00-05:00</oval:timestamp>
+ </generator>
+
+ <definitions>
+ <definition class="compliance" id="oval:test-pass:def:1" version="1">
+ <metadata>
+ <title>PASS</title>
+ <description>pass</description>
+ </metadata>
+ <criteria>
+ <criterion comment="PASS test" test_ref="oval:x:tst:1"/>
+ </criteria>
+ </definition>
+ </definitions>
+
+ <tests>
+ <variable_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:tst:1" check="all" comment="always pass" version="1">
+ <object object_ref="oval:x:obj:1"/>
+ </variable_test>
+ </tests>
+
+ <objects>
+ <variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:obj:1" version="1" comment="x">
+ <var_ref>oval:x:var:1</var_ref>
+ </variable_object>
+ </objects>
+
+ <variables>
+ <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="int">
+ <value>100</value>
+ </constant_variable>
+ </variables>
+
+</oval_definitions>
+</ds:component>
+
+<ds:component id="scap_org.open-scap_comp_test_single_rule.xccdf.xml" timestamp="2017-06-09T09:15:45">
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xml:lang="en-US">
+ <status>accepted</status>
+ <version>1.0</version>
+
+ <Profile id="xccdf_com.example.www_profile_test_remote_res">
+ <title>xccdf_test_profile</title>
+ <description>This profile is for testing.</description>
+ <select idref="xccdf_com.example.www_rule_test-pass" selected="true"/>
+ <select idref="xccdf_com.example.www_rule_test-remote_res" selected="true"/>
+ </Profile>
+
+ <Value id="xccdf_com.example.www_value_val1" type="number" operator="equals" interactive="0">
+ <title>test value</title>
+ <description>foo</description>
+ <value selector="bar_1">50</value>
+ <value selector="bar_2">100</value>
+ </Value>
+ <Rule selected="true" id="xccdf_com.example.www_rule_test-pass">
+ <title>This rule always pass</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_single_rule.oval.xml" name="oval:test-pass:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_com.example.www_rule_test-remote_res">
+ <title>This rule checks remote resource</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" multi-check="true">
+ <check-content-ref href="security-data-oval.xml.bz2"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_com.example.www_rule_test-pass2">
+ <title>This rule always pass</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_single_rule.oval.xml" name="oval:test-pass:def:1"/>
+ </check>
+ </Rule>
+</Benchmark>
+</ds:component>
+</ds:data-stream-collection>
diff --git a/tests/curl/test_curl_encoding.sh b/tests/curl/test_curl_encoding.sh
new file mode 100755
index 000000000..6d82f9569
--- /dev/null
+++ b/tests/curl/test_curl_encoding.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+. $builddir/tests/test_common.sh
+
+function curl_accept_encoding {
+ local DF="${srcdir}/ds.xml"
+ local RF="results.xml"
+ local LOG="verbose.log"
+
+ $OSCAP xccdf --verbose=DEVEL eval --fetch-remote-resources --results $RF $DF 2>$LOG || echo "OK"
+
+ grep -P "Accept-Encoding.*gzip" $LOG
+
+ return 0
+}
+
+test_init
+
+test_run "cURL: Accept-Encoding" curl_accept_encoding
+
+test_exit

76
SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch
View File

@ -1,76 +0,0 @@
From aab536acdd4b08e2e8c3d4ac43981dfcaf1cc9f8 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Mon, 13 Jul 2020 14:09:52 +0200
Subject: [PATCH] Add CURLOPT_TRANSFER_ENCODING, enable CURLOPT_VERBOSE with
CURLOPT_DEBUGFUNCTION
Adds a request for compressed Transfer Encoding in the outgoing
HTTP request. If the server supports this and so desires, it can
respond with the HTTP response sent using a compressed
Transfer-Encoding that will be automatically uncompressed by
libcurl on reception.
The CURLOPT_DEBUGFUNCTION callback is used for printing headers and
connection information on VERBOSE level (dD).
---
src/common/oscap_acquire.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index 551da43f0..666f4f5c9 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -49,6 +49,7 @@
#include "common/_error.h"
#include "oscap_string.h"
#include "oscap_helpers.h"
+#include "debug_priv.h"
#ifndef OSCAP_TEMP_DIR
#define OSCAP_TEMP_DIR "/tmp"
@@ -288,6 +289,34 @@ oscap_acquire_url_to_filename(const char *url)
return filename;
}
+static int _curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, void *userp)
+{
+ const char *title;
+
+ switch (type) {
+ case CURLINFO_TEXT:
+ title = "== cURL info";
+ break;
+ case CURLINFO_HEADER_OUT:
+ title = "=> cURL header (out)";
+ break;
+ case CURLINFO_HEADER_IN:
+ title = "<= cURL header (in)";
+ break;
+ case CURLINFO_DATA_OUT:
+ case CURLINFO_SSL_DATA_OUT:
+ case CURLINFO_DATA_IN:
+ case CURLINFO_SSL_DATA_IN:
+ default:
+ return 0;
+ break;
+ }
+
+ dD("%s: %s", title, data);
+
+ return 0;
+}
+
char* oscap_acquire_url_download(const char *url, size_t* memory_size)
{
CURL *curl;
@@ -303,7 +332,10 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
+ curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true);
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
+ curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
+ curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace);
CURLcode res = curl_easy_perform(curl);
curl_easy_cleanup(curl);

59
SOURCES/openscap-1.3.4-bump-yamlfilter-fix-warnings-PR_1530.patch
View File

@ -1,59 +0,0 @@
From 31f2aa5729f9d6e9c1d8c06e3b979e89ff4e8e9e Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Tue, 19 May 2020 07:26:25 +0200
Subject: [PATCH 1/3] Update yaml-filter to the latest version (fixes minor
warnings)
yaml-path.c:342:61: warning: comparison of integer expressions of different signedness: 'int' and 'size_t' {aka 'long unsigned int'} [-Wsign-compare]
yaml-path.c:251:27: warning: unused variable 'sec' [-Wunused-variable]
---
CMakeLists.txt | 4 ++--
yaml-filter | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 65d674140..8752d66c8 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -545,7 +545,7 @@ include_directories(
"src/XCCDF/public/"
"src/XCCDF_POLICY/"
"src/XCCDF_POLICY/public/"
- "yaml-filter"
+ "yaml-filter/src/"
${CMAKE_BINARY_DIR} # config.h is generated to build directory
${LIBXML2_INCLUDE_DIR}
${PCRE_INCLUDE_DIRS}
@@ -570,7 +570,7 @@ function(set_oscap_generic_properties TARGET_OBJECT)
endfunction()
if(OPENSCAP_PROBE_INDEPENDENT_YAMLFILECONTENT)
- add_library(yamlfilter_object OBJECT yaml-filter/yaml-path.c yaml-filter/yaml-path.h)
+ add_library(yamlfilter_object OBJECT yaml-filter/src/yaml-path.c yaml-filter/src/yaml-path.h)
set_oscap_generic_properties(yamlfilter_object)
endif()
From 69111f40e24a44241609f485034420bac666e756 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Tue, 19 May 2020 07:28:53 +0200
Subject: [PATCH 2/3] probes/yamlfilecontent: Properly destroy yaml_path before
bailing out
yamlfilecontent_probe.c:163: leaked_storage: Variable "yaml_path" going out of scope leaks the storage it points to.
---
src/OVAL/probes/independent/yamlfilecontent_probe.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index 8fc4b32b2..b8a379313 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -159,6 +159,7 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
probe_cobj_add_msg(probe_ctx_getresult(ctx), msg);
SEXP_free(msg);
probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_ERROR);
+ yaml_path_destroy(yaml_path);
fclose(yaml_file);
return -1;
};

1611
SOURCES/openscap-1.3.4-bump-yamlfilter-upgrade-probe-schemas-PR_1552.patch
View File

File diff suppressed because it is too large Load Diff

2641
SOURCES/openscap-1.3.4-bump-yamlfilter-upgrade-probe-schemas-submodule-PR_1552.patch
View File

File diff suppressed because it is too large Load Diff

94
SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch
View File

@ -1,94 +0,0 @@
diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c
index 82356d5e0..983675098 100644
--- a/src/OVAL/probes/fsdev.c
+++ b/src/OVAL/probes/fsdev.c
@@ -62,6 +62,7 @@
#endif
#include "fsdev.h"
+#include "common/util.h"
/**
* Compare two dev_t variables.
@@ -79,10 +80,6 @@ static int fsdev_cmp(const void *a, const void *b)
#if defined(OS_LINUX)
static int is_local_fs(struct mntent *ment)
{
-// todo: would it be usefull to provide the choice during build-time?
-#if 1
- char *s;
-
/*
* When type of the filesystem is autofs, it means the mtab entry
* describes the autofs configuration, which means ment->mnt_fsname
@@ -97,37 +94,42 @@ static int is_local_fs(struct mntent *ment)
return 0;
}
- if (ment->mnt_fsname == NULL) {
- return 0;
- }
-
- s = ment->mnt_fsname;
- /* If the fsname begins with "//", it is probably CIFS. */
- if (s[0] == '/' && s[1] == '/')
- return 0;
-
- /* If there's a ':' in the fsname and it occurs before any
- * '/', then this is probably NFS and the file system is
- * considered "remote".
+ /*
+ * The following code is inspired by systemd, function fstype_is_network:
+ * https://github.com/systemd/systemd/blob/21fd6bc263f49b57867d90d2e1f9f255e5509134/src/basic/mountpoint-util.c#L290
*/
- s = strpbrk(s, "/:");
- if (s && *s == ':')
- return 0;
+ const char *fstype = ment->mnt_type;
+ if (oscap_str_startswith(fstype, "fuse.")) {
+ fstype += strlen("fuse.");
+ }
+ const char *network_fs[] = {
+ "afs",
+ "ceph",
+ "cifs",
+ "smb3",
+ "smbfs",
+ "sshfs",
+ "ncpfs",
+ "ncp",
+ "nfs",
+ "nfs4",
+ "gfs",
+ "gfs2",
+ "glusterfs",
+ "gpfs",
+ "pvfs2", /* OrangeFS */
+ "ocfs2",
+ "lustre",
+ "davfs",
+ NULL
+ };
+ for (int i = 0; network_fs[i]; i++) {
+ if (!strcmp(network_fs[i], fstype)) {
+ return 0;
+ }
+ }
return 1;
-#else
- struct stat st;
-
- /* If the file system is not backed-up by a real file, it is
- considered remote. A notable exception is "tmpfs" to allow
- traversal of /tmp et al. */
- if (strcmp(ment->mnt_fsname, "tmpfs") != 0
- && (stat(ment->mnt_fsname, &st) != 0
- || !(S_ISBLK(st.st_mode))))
- return 0;
- else
- return 1;
-#endif
}
#elif defined(OS_AIX)

107
SOURCES/openscap-1.3.4-export-profile-platform-PR_1609.patch
View File

@ -1,107 +0,0 @@
From cca0af9f2260a34aa4c2e57a7a418ce2b4732e16 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 28 Sep 2020 12:40:16 +0200
Subject: [PATCH 1/2] Test resolving a Profile with platform
---
tests/API/XCCDF/unittests/CMakeLists.txt | 1 +
.../test_xccdf_resolve_profile_platform.sh | 31 +++++++++++++++++++
...t_xccdf_resolve_profile_platform.xccdf.xml | 13 ++++++++
3 files changed, 45 insertions(+)
create mode 100755 tests/API/XCCDF/unittests/test_xccdf_resolve_profile_platform.sh
create mode 100644 tests/API/XCCDF/unittests/test_xccdf_resolve_profile_platform.xccdf.xml
diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
index 05ddea219..153a1c321 100644
--- a/tests/API/XCCDF/unittests/CMakeLists.txt
+++ b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -62,6 +62,7 @@ add_oscap_test("test_default_selector.sh")
add_oscap_test("test_inherit_selector.sh")
add_oscap_test("test_xccdf_refine_value_bad.sh")
add_oscap_test("test_xccdf_resolve.sh")
+add_oscap_test("test_xccdf_resolve_profile_platform.sh")
add_oscap_test("test_xccdf_results_arf_no_oval.sh")
add_oscap_test("test_xccdf_sub_title.sh")
add_oscap_test("test_xccdf_test_system.sh")
diff --git a/tests/API/XCCDF/unittests/test_xccdf_resolve_profile_platform.sh b/tests/API/XCCDF/unittests/test_xccdf_resolve_profile_platform.sh
new file mode 100755
index 000000000..95f8ce4b4
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_xccdf_resolve_profile_platform.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+########################################################################
+### Test "oscap xccdf resolve" command on a Profile with platform
+########################################################################
+
+set -e
+set -o pipefail
+
+name=$(basename $0 .sh)
+
+result=$(mktemp -t ${name}.res.XXXXXX)
+stderr=$(mktemp -t ${name}.out.XXXXXX)
+stdout=$(mktemp -t ${name}.out.XXXXXX)
+
+
+echo "Stderr file = $stderr"
+echo "Result file = $result"
+
+$OSCAP xccdf resolve --output $result $srcdir/${name}.xccdf.xml > $stdout
+$OSCAP xccdf validate $result >> $stdout
+
+assert_exists 1 '//Benchmark[@resolved="1"]'
+
+# Resolve Profile Platform
+assert_exists 2 '//Profile[@id="xccdf_resolve_profile_platform"]/select'
+assert_exists 1 '//Profile[@id="xccdf_resolve_profile_platform"]/platform[@idref="cpe:/a:open-scap:oscap"]'
+
+[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
+rm $result
diff --git a/tests/API/XCCDF/unittests/test_xccdf_resolve_profile_platform.xccdf.xml b/tests/API/XCCDF/unittests/test_xccdf_resolve_profile_platform.xccdf.xml
new file mode 100644
index 000000000..f4773bef7
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_xccdf_resolve_profile_platform.xccdf.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_resolve_benchmark_1" resolved="false">
+ <status>incomplete</status>
+ <version>1.0</version>
+
+ <Profile id="xccdf_resolve_profile_platform">
+ <title>Profile with platform</title>
+ <platform idref="cpe:/a:open-scap:oscap"/>
+ <select idref="xccdf_test_rule_inherited" selected="true" />
+ <select idref="xccdf_test_rule_overridden" selected="true" />
+ </Profile>
+</Benchmark>
+
From 46b78146db6ba1fa57926068c4400d876423126b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 28 Sep 2020 13:03:46 +0200
Subject: [PATCH 2/2] Fix export of platform profile to DOM
The xccdf:platform should reference the ID of a CPE name or a CPE
applicability language expression.
---
src/XCCDF/profile.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/XCCDF/profile.c b/src/XCCDF/profile.c
index 776ef616a..b8a3f4749 100644
--- a/src/XCCDF/profile.c
+++ b/src/XCCDF/profile.c
@@ -319,7 +319,8 @@ void xccdf_profile_to_dom(struct xccdf_profile *profile, xmlNode *profile_node,
struct oscap_string_iterator *platforms = xccdf_profile_get_platforms(profile);
while (oscap_string_iterator_has_more(platforms)) {
const char *platform = oscap_string_iterator_next(platforms);
- xmlNewTextChild(profile_node, ns_xccdf, BAD_CAST "platform", BAD_CAST platform);
+ xmlNode *platform_node = xmlNewTextChild(profile_node, ns_xccdf, BAD_CAST "platform", NULL);
+ xmlNewProp(platform_node, BAD_CAST "idref", BAD_CAST platform);
}
oscap_string_iterator_free(platforms);

59
SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch
View File

@ -1,59 +0,0 @@
diff --git a/src/OVAL/probes/independent/environmentvariable58_probe.c b/src/OVAL/probes/independent/environmentvariable58_probe.c
index 552ce6700..77233aeeb 100644
--- a/src/OVAL/probes/independent/environmentvariable58_probe.c
+++ b/src/OVAL/probes/independent/environmentvariable58_probe.c
@@ -96,32 +96,32 @@ static int read_environment(SEXP_t *pid_ent, SEXP_t *name_ent, probe_ctx *ctx)
ssize_t buffer_used;
size_t buffer_size;
+ const char *extra_vars = getenv("OSCAP_CONTAINER_VARS");
+ if (extra_vars && *extra_vars) {
+ char *vars = strdup(extra_vars);
+ char *tok, *eq_chr, *str, *strp;
+
+ for (str = vars; ; str = NULL) {
+ tok = strtok_r(str, "\n", &strp);
+ if (tok == NULL)
+ break;
+ eq_chr = strchr(tok, '=');
+ if (eq_chr == NULL)
+ continue;
+ PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;);
+ collect_variable(tok, eq_chr - tok, pid, name_ent, ctx);
+ }
+
+ free(vars);
+ return 0;
+ }
+
const char *prefix = getenv("OSCAP_PROBE_ROOT");
snprintf(path, PATH_MAX, "%s/proc", prefix ? prefix : "");
d = opendir(path);
if (d == NULL) {
- const char *extra_vars = getenv("OSCAP_CONTAINER_VARS");
- if (!extra_vars) {
- dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno));
- return PROBE_EACCESS;
- } else {
- char *vars = strdup(extra_vars);
- char *tok, *eq_chr, *str, *strp;
-
- for (str = vars; ; str = NULL) {
- tok = strtok_r(str, "\n", &strp);
- if (tok == NULL)
- break;
- eq_chr = strchr(tok, '=');
- if (eq_chr == NULL)
- continue;
- PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;);
- collect_variable(tok, eq_chr - tok, pid, name_ent, ctx);
- }
-
- free(vars);
- return 0;
- }
+ dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno));
+ return PROBE_EACCESS;
}
if ((buffer = realloc(NULL, BUFFER_SIZE)) == NULL) {

177
SOURCES/openscap-1.3.4-fix-no-more-recursion.patch
View File

@ -1,177 +0,0 @@
From c8fc880a672afbfdbd384dc6afa4b7fbdd666b73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 27 May 2020 10:38:56 +0200
Subject: [PATCH 1/3] Add a regression test for RHBZ#1686370
There is a non-optimal behavior of file probe. It happens when file path
is specified using a variable with 2 values with `operation="equals"`
and `var_check="all"`. The probe recurses into a file system tree even
if it's obvious that it won't find any match. If one of values is a big
tree (for example `/`) it eventually runs out of memory and crashes. The
OVAL doesn't make sense because it's impossible that a single file would
have 2 different paths. But despite that it's a valid OVAL document.
The test is expected to fail because the bug hasn't been fixed.
---
tests/probes/file/CMakeLists.txt | 1 +
.../test_probes_file_multiple_file_paths.sh | 39 +++++++++++++++++
.../test_probes_file_multiple_file_paths.xml | 42 +++++++++++++++++++
3 files changed, 82 insertions(+)
create mode 100755 tests/probes/file/test_probes_file_multiple_file_paths.sh
create mode 100644 tests/probes/file/test_probes_file_multiple_file_paths.xml
diff --git a/tests/probes/file/CMakeLists.txt b/tests/probes/file/CMakeLists.txt
index 12718603f..35b4c1169 100644
--- a/tests/probes/file/CMakeLists.txt
+++ b/tests/probes/file/CMakeLists.txt
@@ -1,3 +1,4 @@
if(ENABLE_PROBES_UNIX)
add_oscap_test("test_probes_file.sh")
+ add_oscap_test("test_probes_file_multiple_file_paths.sh")
endif()
diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.sh b/tests/probes/file/test_probes_file_multiple_file_paths.sh
new file mode 100755
index 000000000..1cececbb0
--- /dev/null
+++ b/tests/probes/file/test_probes_file_multiple_file_paths.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+. $builddir/tests/test_common.sh
+
+probecheck "file" || exit 255
+which strace || exit 255
+
+function check_strace_output {
+ strace_log="$1"
+ grep -q "/tmp/numbers/1" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4/5" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4/5/6" $strace_log && return 1
+ grep -q "/tmp/letters/a" $strace_log && return 1
+ grep -q "/tmp/letters/a/b" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d/e" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d/e/f" $strace_log && return 1
+ return 0
+}
+
+rm -rf /tmp/numbers
+mkdir -p /tmp/numbers/1/2/3/4/5/6
+rm -rf /tmp/letters
+mkdir -p /tmp/letters/a/b/c/d/e/f
+strace_log=$(mktemp)
+strace -f -e openat -o $strace_log $OSCAP oval eval --results results.xml "$srcdir/test_probes_file_multiple_file_paths.xml"
+ret=0
+check_strace_output $strace_log || ret=$?
+rm -f $strace_log
+rm -f results.xml
+rm -rf /tmp/numbers
+rm -rf /tmp/letters
+exit $ret
diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.xml b/tests/probes/file/test_probes_file_multiple_file_paths.xml
new file mode 100644
index 000000000..893a3fe97
--- /dev/null
+++ b/tests/probes/file/test_probes_file_multiple_file_paths.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
+ <generator>
+ <oval:schema_version>5.10</oval:schema_version>
+ <oval:timestamp>0001-01-01T00:00:00+00:00</oval:timestamp>
+ </generator>
+
+ <definitions>
+ <definition class="compliance" version="1" id="oval:x:def:1">
+ <metadata>
+ <title>Specify a file path using variable with two values</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="Check multiple paths" test_ref="oval:x:tst:1"/>
+ </criteria>
+ </definition>
+ </definitions>
+
+ <tests>
+ <file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:tst:1" version="1" comment="Verify all paths exist" check_existence="all_exist" check="all">
+ <object object_ref="oval:x:obj:1"/>
+ </file_test>
+ </tests>
+
+ <objects>
+ <file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:obj:1" version="1" comment="uses var_check=all together with operation=equals">
+ <path datatype="string" var_ref="oval:x:var:1" var_check="all" operation="equals"/>
+ <filename xsi:nil="true" datatype="string"/>
+ </file_object>
+ </objects>
+
+ <variables>
+ <constant_variable datatype="string" comment="2 file paths" version="1" id="oval:x:var:1">
+ <value>/tmp/numbers</value>
+ <value>/tmp/letters</value>
+ </constant_variable>
+ </variables>
+</oval_definitions>
From 569e0013ca83adef233ddecc78a052db9b3ccc5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 2 Jun 2020 15:11:37 +0200
Subject: [PATCH 2/3] Add strace to the list of test dependencies
---
docs/developer/developer.adoc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/developer/developer.adoc b/docs/developer/developer.adoc
index 823a1504e..0f01ace74 100644
--- a/docs/developer/developer.adoc
+++ b/docs/developer/developer.adoc
@@ -152,7 +152,7 @@ After building the library you might want to run library self-checks. To do
that you need to have these additional packages installed:
----
-wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build
+wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build strace
----
On Ubuntu 18.04, also install:
From a47604bf30c6574e570abde4fd01488ba120f82d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 17 Jun 2020 11:00:02 +0200
Subject: [PATCH 3/3] Terminate matching to prevent recursion
Fixes: RHBZ#1686370
---
src/OVAL/probes/oval_fts.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
index 696997942..2b7314c38 100644
--- a/src/OVAL/probes/oval_fts.c
+++ b/src/OVAL/probes/oval_fts.c
@@ -1029,6 +1029,15 @@ static FTSENT *oval_fts_read_match_path(OVAL_FTS *ofts)
if (ores == OVAL_RESULT_TRUE)
break;
+ if (ofts->ofts_path_op == OVAL_OPERATION_EQUALS) {
+ /* At this point the comparison result isn't OVAL_RESULT_TRUE. Since
+ we passed the exact path (from filepath or path elements) to
+ fts_open() we surely know that we can't find other items that would
+ be equal. Therefore we can terminate the matching. This can happen
+ if the filepath or path element references a variable that has
+ multiple different values. */
+ return NULL;
+ }
} /* for (;;) */
/*

103
SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch
View File

@ -1,103 +0,0 @@
From 4ef60df7edfdd7a49a565494142f86d93f9268b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 31 Jul 2020 10:38:17 +0200
Subject: [PATCH] Plug a memory leak
==12029== at 0x483A809: malloc (vg_replace_malloc.c:307)
==12029== by 0x51F1386: realpath@@GLIBC_2.3 (in /usr/lib64/libc-2.31.so)
==12029== by 0x489F8CA: oscap_realpath (util.c:251)
==12029== by 0x495E6EF: rpmverify_collect (rpmverifyfile_probe.c:248)
==12029== by 0x495F461: rpmverifyfile_probe_main (rpmverifyfile_probe.c:543)
==12029== by 0x4935598: probe_worker (worker.c:1090)
==12029== by 0x4932F10: probe_worker_runfn (worker.c:81)
==12029== by 0x4CDA431: start_thread (in /usr/lib64/libpthread-2.31.so)
==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so)
==12029== at 0x483CCE8: realloc (vg_replace_malloc.c:834)
==12029== by 0x4D9DCD8: rrealloc (in /usr/lib64/librpmio.so.9.0.1)
==12029== by 0x4D25B88: headerFormat (in /usr/lib64/librpm.so.9.0.1)
==12029== by 0x495E467: rpmverify_collect (rpmverifyfile_probe.c:230)
==12029== by 0x495F461: rpmverifyfile_probe_main
(rpmverifyfile_probe.c:543)
==12029== by 0x4935598: probe_worker (worker.c:1090)
==12029== by 0x4932F10: probe_worker_runfn (worker.c:81)
==12029== by 0x4CDA431: start_thread (in
/usr/lib64/libpthread-2.31.so)
==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so)
Resolves: RHBZ#1861301
---
.../probes/unix/linux/rpmverifyfile_probe.c | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
index c86818e72..57d69f552 100644
--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
@@ -61,10 +61,10 @@
struct rpmverify_res {
char *name; /**< package name */
- const char *epoch;
- const char *version;
- const char *release;
- const char *arch;
+ char *epoch;
+ char *version;
+ char *release;
+ char *arch;
char *file; /**< filepath */
char extended_name[1024];
rpmVerifyAttrs vflags; /**< rpm verify flags */
@@ -272,14 +272,14 @@ static int rpmverify_collect(probe_ctx *ctx,
free(current_file_realpath);
continue;
}
- res.file = current_file_realpath ? current_file_realpath : strdup(current_file);
+ res.file = current_file_realpath ? oscap_strdup(current_file_realpath) : oscap_strdup(current_file);
break;
case OVAL_OPERATION_PATTERN_MATCH:
ret = pcre_exec(re, NULL, current_file, strlen(current_file), 0, 0, NULL, 0);
switch(ret) {
case 0: /* match */
- res.file = strdup(current_file);
+ res.file = oscap_strdup(current_file);
break;
case -1:
/* mismatch */
@@ -299,12 +299,18 @@ static int rpmverify_collect(probe_ctx *ctx,
free(current_file_realpath);
goto ret;
}
+ free(current_file_realpath);
if (rpmVerifyFile(g_rpm->rpmts, fi, &res.vflags, omit) != 0)
res.vflags = RPMVERIFY_FAILURES;
if (callback(ctx, &res) != 0) {
ret = 0;
+ free(res.name);
+ free(res.epoch);
+ free(res.version);
+ free(res.release);
+ free(res.arch);
free(res.file);
goto ret;
}
@@ -313,6 +319,12 @@ static int rpmverify_collect(probe_ctx *ctx,
rpmfiFree(fi);
}
+
+ free(res.name);
+ free(res.epoch);
+ free(res.version);
+ free(res.release);
+ free(res.arch);
}
match = rpmdbFreeIterator (match);
--
2.26.2

20
SOURCES/openscap-1.3.5-bump-yamlfilter-covscan-fix-PR_1620.patch
View File

@ -1,20 +0,0 @@
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index 6f18abf83..e7e6cb3f5 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -216,12 +216,13 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
result_error("YAML parser error: %s", parser.problem);
goto cleanup;
}
+
+ event_type = event.type;
+
if (yaml_path_filter_event(yaml_path, &parser, &event) == YAML_PATH_FILTER_RESULT_OUT) {
goto next;
}
- event_type = event.type;
-
if (sequence) {
if (event_type == YAML_SEQUENCE_END_EVENT) {
sequence = false;

315
SOURCES/openscap-1.3.5-bump-yamlfilter-fix-field-names-PR_1619.patch
View File

@ -1,315 +0,0 @@
From 81ab472c579072229a61df32969cc027b0fa4b7f Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Tue, 20 Oct 2020 08:55:32 +0200
Subject: [PATCH] probes/yamfilecontent: Fix field names for cases where key
selection section is followed by a set section
$.foo[:].bar[:], $.foo[:][:] and alike.
---
.../independent/yamlfilecontent_probe.c | 31 ++++++++--
.../yamlfilecontent/openshift-logging.yaml | 12 ++++
.../test_probes_yamlfilecontent_array.sh | 2 +-
.../test_probes_yamlfilecontent_array.xml | 45 ++++++++++++++
.../test_probes_yamlfilecontent_key.sh | 2 +-
.../test_probes_yamlfilecontent_key.xml | 59 ++++++++++++++++++-
6 files changed, 143 insertions(+), 8 deletions(-)
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index 6f18abf83..17741a240 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -206,6 +206,7 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
yaml_event_type_t event_type;
bool sequence = false;
bool mapping = false;
+ bool fake_mapping = false;
int index = 0;
char *key = strdup("#");
@@ -224,21 +225,39 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
if (sequence) {
if (event_type == YAML_SEQUENCE_END_EVENT) {
- sequence = false;
+ if (fake_mapping) {
+ fake_mapping = false;
+ if (record && record->itemcount > 0) {
+ oscap_list_add(values, record);
+ } else {
+ // Do not collect empty records
+ oscap_htable_free0(record);
+ }
+ record = NULL;
+ } else {
+ sequence = false;
+ }
} else if (event_type == YAML_SEQUENCE_START_EVENT) {
- result_error("YAML path '%s' points to a multi-dimensional structure (sequence containing another sequence)", yaml_path_cstr);
- goto cleanup;
+ if (mapping || fake_mapping) {
+ result_error("YAML path '%s' points to a multi-dimensional structure (a map or a sequence containing other sequences)", yaml_path_cstr);
+ goto cleanup;
+ } else {
+ fake_mapping = true;
+ record = oscap_htable_new();
+ }
}
} else {
if (event_type == YAML_SEQUENCE_START_EVENT) {
sequence = true;
+ if (mapping)
+ index++;
}
}
if (mapping) {
if (event_type == YAML_MAPPING_END_EVENT) {
mapping = false;
- if (record->itemcount > 0) {
+ if (record && record->itemcount > 0) {
oscap_list_add(values, record);
} else {
// Do not collect empty records
@@ -255,6 +274,10 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
result_error("YAML path '%s' points to an invalid structure (map containing another map)", yaml_path_cstr);
goto cleanup;
}
+ if (fake_mapping) {
+ result_error("YAML path '%s' points to a multi-dimensional structure (two-dimensional sequence containing a map)", yaml_path_cstr);
+ goto cleanup;
+ }
mapping = true;
sequence = false;
index = 0;
diff --git a/tests/probes/yamlfilecontent/openshift-logging.yaml b/tests/probes/yamlfilecontent/openshift-logging.yaml
index fb6a9d8b6..581a700a3 100644
--- a/tests/probes/yamlfilecontent/openshift-logging.yaml
+++ b/tests/probes/yamlfilecontent/openshift-logging.yaml
@@ -3,6 +3,18 @@ kind: "LogForwarding"
metadata:
name: instance
namespace: openshift-logging
+arrs:
+- [1, 2, 3]
+- [4, 5, 6]
+items:
+- allowHostDirVolumePlugin: false
+ defaultAddCapabilities: null
+ requiredDropCapabilities: ['KILL', 'ALL']
+ name: ['Name', 'Oth']
+- allowHostDirVolumePlugin: false
+ defaultAddCapabilities: null
+ requiredDropCapabilities: ['OPS', 'KILL', 'ALL']
+ name: ['2 Name', '2 Oth']
spec:
disableDefaultForwarding: true
outputs:
diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_array.sh b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_array.sh
index fd5e47538..695a247b3 100755
--- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_array.sh
+++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_array.sh
@@ -19,7 +19,7 @@ function test_probes_yamlfilecontent_array {
$OSCAP oval eval --results $RF $DF
if [ -f $RF ]; then
- verify_results "def" $DF $RF 2 && verify_results "tst" $DF $RF 3
+ verify_results "def" $DF $RF 3 && verify_results "tst" $DF $RF 5
ret_val=$?
else
ret_val=1
diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_array.xml b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_array.xml
index c05c5fbb9..77f57cd47 100644
--- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_array.xml
+++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_array.xml
@@ -31,6 +31,17 @@
</criteria>
</definition>
+ <definition class="compliance" version="1" id="oval:0:def:3"> <!-- comment="true" -->
+ <metadata>
+ <title></title>
+ <description></description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="get_2_dim_array" test_ref="oval:0:tst:4"/>
+ <criterion comment="get_2_dim_array_set" test_ref="oval:0:tst:5"/>
+ </criteria>
+ </definition>
+
</definitions>
<tests>
@@ -49,6 +60,16 @@
<ind-def:object object_ref="oval:0:obj:3"/>
</ind-def:yamlfilecontent_test>
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:4" check="all" comment="true">
+ <ind-def:object object_ref="oval:0:obj:4"/>
+ <ind-def:state state_ref="oval:0:ste:3"/>
+ </ind-def:yamlfilecontent_test>
+
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:5" check="all" comment="true">
+ <ind-def:object object_ref="oval:0:obj:5"/>
+ <ind-def:state state_ref="oval:0:ste:3"/>
+ </ind-def:yamlfilecontent_test>
+
</tests>
<objects>
@@ -71,6 +92,18 @@
<ind-def:yamlpath>.spec.outputs[0]</ind-def:yamlpath>
</ind-def:yamlfilecontent_object>
+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:4">
+ <ind-def:path>/tmp</ind-def:path>
+ <ind-def:filename>openshift-logging.yaml</ind-def:filename>
+ <ind-def:yamlpath>.arrs[:][:]</ind-def:yamlpath>
+ </ind-def:yamlfilecontent_object>
+
+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:5">
+ <ind-def:path>/tmp</ind-def:path>
+ <ind-def:filename>openshift-logging.yaml</ind-def:filename>
+ <ind-def:yamlpath>.arrs</ind-def:yamlpath>
+ </ind-def:yamlfilecontent_object>
+
</objects>
<states>
@@ -87,6 +120,12 @@
</ind-def:value>
</ind-def:yamlfilecontent_state>
+ <ind-def:yamlfilecontent_state version="1" id="oval:0:ste:3">
+ <ind-def:value datatype="record">
+ <field name="#" datatype="int" var_ref="oval:0:var:3" var_check="at least one" entity_check="at least one"/>
+ </ind-def:value>
+ </ind-def:yamlfilecontent_state>
+
</states>
<variables>
@@ -99,5 +138,11 @@
</split>
</local_variable>
+ <local_variable comment="variable with three values" datatype="int" version="1" id="oval:0:var:3">
+ <split delimiter="|">
+ <literal_component>1|2|3|4|5|6</literal_component>
+ </split>
+ </local_variable>
+
</variables>
</oval_definitions>
diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_key.sh b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_key.sh
index fc1e0ae7e..a942552e9 100755
--- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_key.sh
+++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_key.sh
@@ -19,7 +19,7 @@ function test_probes_yamlfilecontent_key {
$OSCAP oval eval --results $RF $DF
if [ -f $RF ]; then
- verify_results "def" $DF $RF 6 && verify_results "tst" $DF $RF 7
+ verify_results "def" $DF $RF 9 && verify_results "tst" $DF $RF 10
ret_val=$?
else
ret_val=1
diff --git a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_key.xml b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_key.xml
index 05757d0c8..1697b54fd 100644
--- a/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_key.xml
+++ b/tests/probes/yamlfilecontent/test_probes_yamlfilecontent_key.xml
@@ -71,7 +71,7 @@
</criteria>
</definition>
- <definition class="compliance" version="1" id="oval:0:def:7"> <!-- comment="true" -->
+ <definition class="compliance" version="1" id="oval:0:def:7"> <!-- comment="error" -->
<metadata>
<title></title>
<description></description>
@@ -80,6 +80,26 @@
<criterion comment="array_of_maps" test_ref="oval:0:tst:8"/>
</criteria>
</definition>
+
+ <definition class="compliance" version="1" id="oval:0:def:8"> <!-- comment="true" -->
+ <metadata>
+ <title></title>
+ <description></description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="array_of_maps_of_array" test_ref="oval:0:tst:9"/>
+ </criteria>
+ </definition>
+
+ <definition class="compliance" version="1" id="oval:0:def:9"> <!-- comment="true" -->
+ <metadata>
+ <title></title>
+ <description></description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="array_of_maps_of_array_2" test_ref="oval:0:tst:10"/>
+ </criteria>
+ </definition>
</definitions>
<tests>
@@ -116,9 +136,19 @@
<ind-def:object object_ref="oval:0:obj:7"/>
</ind-def:yamlfilecontent_test>
- <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:8" check="all" comment="true">
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:8" check="all" comment="error">
<ind-def:object object_ref="oval:0:obj:8"/>
</ind-def:yamlfilecontent_test>
+
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:9" check="all" comment="true">
+ <ind-def:object object_ref="oval:0:obj:9"/>
+ <ind-def:state state_ref="oval:0:ste:9"/>
+ </ind-def:yamlfilecontent_test>
+
+ <ind-def:yamlfilecontent_test version="1" id="oval:0:tst:10" check="all" comment="true">
+ <ind-def:object object_ref="oval:0:obj:10"/>
+ <ind-def:state state_ref="oval:0:ste:10"/>
+ </ind-def:yamlfilecontent_test>
</tests>
<objects>
@@ -170,6 +200,18 @@
<ind-def:filename>openshift-logging.yaml</ind-def:filename>
<ind-def:yamlpath>.spec.outputs</ind-def:yamlpath>
</ind-def:yamlfilecontent_object>
+
+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:9">
+ <ind-def:path>/tmp</ind-def:path>
+ <ind-def:filename>openshift-logging.yaml</ind-def:filename>
+ <ind-def:yamlpath>.items[:]['requiredDropCapabilities','name','q','z'][:]</ind-def:yamlpath>
+ </ind-def:yamlfilecontent_object>
+
+ <ind-def:yamlfilecontent_object version="1" id="oval:0:obj:10">
+ <ind-def:path>/tmp</ind-def:path>
+ <ind-def:filename>openshift-logging.yaml</ind-def:filename>
+ <ind-def:yamlpath>.items[:].requiredDropCapabilities[:]</ind-def:yamlpath>
+ </ind-def:yamlfilecontent_object>
</objects>
<states>
@@ -202,6 +244,19 @@
</ind-def:value>
</ind-def:yamlfilecontent_state>
+ <ind-def:yamlfilecontent_state version="1" id="oval:0:ste:9">
+ <ind-def:value datatype="record" entity_check="at least one">
+ <field name="required^drop^capabilities" operation="pattern match" entity_check="at least one">^KILL$</field>
+ <field name="name" entity_check="at least one">Name</field>
+ </ind-def:value>
+ </ind-def:yamlfilecontent_state>
+
+ <ind-def:yamlfilecontent_state version="1" id="oval:0:ste:10">
+ <ind-def:value datatype="record" entity_check="at least one">
+ <field name="#" operation="pattern match" entity_check="at least one">^KILL$</field>
+ </ind-def:value>
+ </ind-def:yamlfilecontent_state>
+
</states>
</oval_definitions>

162
SOURCES/openscap-1.3.5-coverity1-PR_1617.patch Normal file
View File

@ -0,0 +1,162 @@
From 0311ac9d8368acd5baac8b7fc6f753bd895ea3fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 6 Oct 2020 13:32:19 +0200
Subject: [PATCH 1/2] Fix Coverity warnings
Addressing multiple Coverity defects similar to this one:
Defect type: CHECKED_RETURN
check_return: Calling "curl_easy_setopt(curl, _curl_opt, _curl_trace)"
without checking return value. This library function may fail and return
an error code.
---
src/common/oscap_acquire.c | 65 +++++++++++++++++++++++++++++++-------
1 file changed, 53 insertions(+), 12 deletions(-)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index 666f4f5c9..34a92fa19 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -326,18 +326,59 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
return NULL;
}
- struct oscap_buffer* buffer = oscap_buffer_new();
-
- curl_easy_setopt(curl, CURLOPT_URL, url);
- curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
- curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
- curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
- curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true);
- curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
- curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
- curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace);
-
- CURLcode res = curl_easy_perform(curl);
+ CURLcode res;
+
+ res = curl_easy_setopt(curl, CURLOPT_URL, url);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_URL to '%s': %s", url, curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEFUNCTION to write_to_memory_callback: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_ACCEPT_ENCODING to an empty string: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_TRANSFER_ENCODING to true: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FOLLOWLOCATION to true: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_VERBOSE to true: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ res = curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_DEBUGFUNCTION to _curl_trace: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
+ struct oscap_buffer *buffer = oscap_buffer_new();
+ res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
+ if (res != 0) {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEDATA as buffer: %s", curl_easy_strerror(res));
+ oscap_buffer_free(buffer);
+ return NULL;
+ }
+
+ res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
if (res != 0) {
From 34af1348b6ff6e4710aeb6e383b1a50c4751c16e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 26 Oct 2020 11:12:04 +0100
Subject: [PATCH 2/2] Add curl_easy_cleanup everywhere
---
src/common/oscap_acquire.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index 34a92fa19..cd9bfc36f 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -330,42 +330,49 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
res = curl_easy_setopt(curl, CURLOPT_URL, url);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_URL to '%s': %s", url, curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEFUNCTION to write_to_memory_callback: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_ACCEPT_ENCODING to an empty string: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_TRANSFER_ENCODING to true: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FOLLOWLOCATION to true: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_VERBOSE to true: %s", curl_easy_strerror(res));
return NULL;
}
res = curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_DEBUGFUNCTION to _curl_trace: %s", curl_easy_strerror(res));
return NULL;
}
@@ -373,6 +380,7 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
struct oscap_buffer *buffer = oscap_buffer_new();
res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
if (res != 0) {
+ curl_easy_cleanup(curl);
oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_WRITEDATA as buffer: %s", curl_easy_strerror(res));
oscap_buffer_free(buffer);
return NULL;

147
SOURCES/openscap-1.3.5-coverity2-PR_1620.patch Normal file
View File

@ -0,0 +1,147 @@
From 538c70780b49a36a4d2420ef93b87b78817dc14c Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Mon, 26 Oct 2020 08:31:53 +0100
Subject: [PATCH] Covscan fixes
---
src/OVAL/probes/fsdev.c | 2 +-
src/OVAL/probes/independent/yamlfilecontent_probe.c | 5 +++--
src/OVAL/probes/unix/fileextendedattribute_probe.c | 2 +-
src/OVAL/probes/unix/linux/partition_probe.c | 2 +-
src/OVAL/probes/unix/xinetd_probe.c | 7 ++++++-
src/XCCDF/xccdf_session.c | 4 ++--
utils/oscap-tool.c | 6 +++++-
utils/oscap-xccdf.c | 3 +--
8 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c
index b2b984441..c82ab620b 100644
--- a/src/OVAL/probes/fsdev.c
+++ b/src/OVAL/probes/fsdev.c
@@ -219,7 +219,7 @@ static fsdev_t *__fsdev_init(fsdev_t *lfs)
endmntent(fp);
void *new_ids = realloc(lfs->ids, sizeof(dev_t) * i);
- if (new_ids == NULL) {
+ if (new_ids == NULL && i > 0) {
e = errno;
free(lfs->ids);
free(lfs);
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index 6f18abf83..e7e6cb3f5 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -216,12 +216,13 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
result_error("YAML parser error: %s", parser.problem);
goto cleanup;
}
+
+ event_type = event.type;
+
if (yaml_path_filter_event(yaml_path, &parser, &event) == YAML_PATH_FILTER_RESULT_OUT) {
goto next;
}
- event_type = event.type;
-
if (sequence) {
if (event_type == YAML_SEQUENCE_END_EVENT) {
sequence = false;
diff --git a/src/OVAL/probes/unix/fileextendedattribute_probe.c b/src/OVAL/probes/unix/fileextendedattribute_probe.c
index b442ea540..ee853886a 100644
--- a/src/OVAL/probes/unix/fileextendedattribute_probe.c
+++ b/src/OVAL/probes/unix/fileextendedattribute_probe.c
@@ -298,7 +298,7 @@ static int file_cb(const char *prefix, const char *p, const char *f, void *ptr,
// Allocate buffer, '+1' is for trailing '\0'
void *new_xattr_val = realloc(xattr_val, sizeof(char) * (xattr_vallen + 1));
- if (xattr_val == NULL) {
+ if (new_xattr_val == NULL) {
dE("Failed to allocate memory for xattr_val");
free(xattr_val);
goto exit;
diff --git a/src/OVAL/probes/unix/linux/partition_probe.c b/src/OVAL/probes/unix/linux/partition_probe.c
index a74c0323a..adb244b04 100644
--- a/src/OVAL/probes/unix/linux/partition_probe.c
+++ b/src/OVAL/probes/unix/linux/partition_probe.c
@@ -207,7 +207,7 @@ static int collect_item(probe_ctx *ctx, oval_schema_version_t over, struct mnten
mnt_ocnt = add_mnt_opt(&mnt_opts, mnt_ocnt, "move");
}
- dD("mnt_ocnt = %d, mnt_opts[mnt_ocnt]=%p", mnt_ocnt, mnt_opts[mnt_ocnt]);
+ dD("mnt_ocnt = %d, mnt_opts[mnt_ocnt]=%p", mnt_ocnt, mnt_opts == NULL ? NULL : mnt_opts[mnt_ocnt]);
/*
* "Correct" the type (this won't be (hopefully) needed in a later version
diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
index 75b12f95b..d61c7d547 100644
--- a/src/OVAL/probes/unix/xinetd_probe.c
+++ b/src/OVAL/probes/unix/xinetd_probe.c
@@ -566,7 +566,12 @@ static int xiconf_add_cfile(xiconf_t *xiconf, const char *path, int depth)
}
xifile->depth = depth;
- xiconf->cfile = realloc(xiconf->cfile, sizeof(xiconf_file_t *) * ++xiconf->count);
+ void *cfile = realloc(xiconf->cfile, sizeof(xiconf_file_t *) * ++xiconf->count);
+ if (cfile == NULL) {
+ dE("Failed re-allocate memory for cfile");
+ return (-1);
+ }
+ xiconf->cfile = cfile;
xiconf->cfile[xiconf->count - 1] = xifile;
dD("Added new file to the cfile queue: %s; fi=%zu", path, xiconf->count - 1);
diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
index 8bd394e2f..f1b837959 100644
--- a/src/XCCDF/xccdf_session.c
+++ b/src/XCCDF/xccdf_session.c
@@ -286,9 +286,9 @@ static struct oscap_source *xccdf_session_extract_arf_source(struct xccdf_sessio
}
struct tm *tm_mtime = malloc(sizeof(struct tm));
#ifdef OS_WINDOWS
- tm_mtime = localtime_s(tm_mtime, &file_stat.st_mtime);
+ localtime_s(tm_mtime, &file_stat.st_mtime);
#else
- tm_mtime = localtime_r(&file_stat.st_mtime, tm_mtime);
+ localtime_r(&file_stat.st_mtime, tm_mtime);
#endif
strftime(tailoring_doc_timestamp, max_timestamp_len,
"%Y-%m-%dT%H:%M:%S", tm_mtime);
diff --git a/utils/oscap-tool.c b/utils/oscap-tool.c
index 9bfe52697..660a19047 100644
--- a/utils/oscap-tool.c
+++ b/utils/oscap-tool.c
@@ -315,7 +315,10 @@ static void getopt_parse_env(struct oscap_module *module, int *argc, char ***arg
opt = oscap_strtok_r(opts, delim, &state);
while (opt != NULL) {
eargc++;
- eargv = realloc(eargv, eargc * sizeof(char *));
+ void *new_eargv = realloc(eargv, eargc * sizeof(char *));
+ if (new_eargv == NULL)
+ goto exit;
+ eargv = new_eargv;
eargv[eargc - 1] = strdup(opt);
opt = oscap_strtok_r(NULL, delim, &state);
}
@@ -334,6 +337,7 @@ static void getopt_parse_env(struct oscap_module *module, int *argc, char ***arg
*argc = nargc;
*argv = nargv;
+exit:
free(opts);
free(eargv);
}
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
index af337b844..0a9ae5270 100644
--- a/utils/oscap-xccdf.c
+++ b/utils/oscap-xccdf.c
@@ -610,8 +610,7 @@ int app_evaluate_xccdf(const struct oscap_action *action)
/* syslog message */
#if defined(HAVE_SYSLOG_H)
- syslog(priority, "Evaluation finished. Return code: %d, Base score %f.", evaluation_result,
- session == NULL ? 0 : xccdf_session_get_base_score(session));
+ syslog(priority, "Evaluation finished. Return code: %d, Base score %f.", evaluation_result, xccdf_session_get_base_score(session));
#endif
xccdf_session_set_xccdf_export(session, action->f_results);

84
SOURCES/openscap-1.3.5-memory-PR_1627.patch Normal file
View File

@ -0,0 +1,84 @@
From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 10 Nov 2020 11:16:00 +0100
Subject: [PATCH] Fix memory allocation
We can't assume that size of a structure is a sum of sizes of its
members because padding and alignment can be involved. In fact,
we need to allocate more bytes for the structure than the
sum of sizes of its members.
The wrong assumption caused invalid writes and invalid reads
which can be discovered by valgrind. Moreover, when run with
MALLOC_CHECK_ environment variable set to non-zero value, the
program aborted.
The memory issue happened only when NDEBUG is defined, eg. when cmake
-DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake
-DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is
most likely because in debug mode the struct SEXP contains 2 additional
members which are the magic canaries and therefore is bigger.
This commit wants to fix the problem by 2 step allocation in which
first the size of the struct SEXP_val_lblk is used and then the
array of SEXPs is allocated separately.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770
---
src/OVAL/probes/SEAP/_sexp-value.h | 2 +-
src/OVAL/probes/SEAP/sexp-value.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h
index 426cd2c3d..e66777ef9 100644
--- a/src/OVAL/probes/SEAP/_sexp-value.h
+++ b/src/OVAL/probes/SEAP/_sexp-value.h
@@ -94,7 +94,7 @@ struct SEXP_val_lblk {
uintptr_t nxsz;
uint16_t real;
uint16_t refs;
- SEXP_t memb[];
+ SEXP_t *memb;
};
size_t SEXP_rawval_list_length (struct SEXP_val_list *list);
diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c
index a11cbc70c..b8b3ed609 100644
--- a/src/OVAL/probes/SEAP/sexp-value.c
+++ b/src/OVAL/probes/SEAP/sexp-value.c
@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz)
{
_A(sz < 16);
- struct SEXP_val_lblk *lblk = oscap_aligned_malloc(
- sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)),
- SEXP_LBLK_ALIGN
- );
+ struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));
+ lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz));
lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);
lblk->refs = 1;
@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *))
func (lblk->memb + lblk->real);
}
- oscap_aligned_free(lblk);
+ free(lblk->memb);
+ free(lblk);
if (next != NULL)
SEXP_rawval_lblk_free ((uintptr_t)next, func);
@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *))
func (lblk->memb + lblk->real);
}
- oscap_aligned_free(lblk);
+ free(lblk->memb);
+ free(lblk);
}
return;
--
2.26.2

71
SOURCES/openscap-1.3.5-plug-memory-leak-PR_1616.patch Normal file
View File

@ -0,0 +1,71 @@
From d5518f3f4c32ac19fcf3427602d5b2978b7ef1b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 5 Oct 2020 16:02:29 +0200
Subject: [PATCH] Plug a memory leak
Addressing:
8 bytes in 1 blocks are indirectly lost in loss record 7 of 235
at 0x483A809: malloc (vg_replace_malloc.c:307)
by 0x48F15CA: oval_collection_new (oval_collection.c:64)
by 0x48F4FCC: oval_result_criteria_node_new (oval_resultCriteriaNode.c:106)
by 0x48F5580: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:249)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217)
by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279)
by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395)
by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369)
by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181)
8 bytes in 1 blocks are definitely lost in loss record 8 of 235
at 0x483A809: malloc (vg_replace_malloc.c:307)
by 0x48F1799: oval_collection_iterator (oval_collection.c:120)
by 0x48CCE4C: oval_criteria_node_get_subnodes (oval_criteriaNode.c:161)
by 0x48F5590: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:255)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217)
by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279)
by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395)
by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369)
by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181)
48 (40 direct, 8 indirect) bytes in 1 blocks are definitely lost in loss record 125 of 235
at 0x483A809: malloc (vg_replace_malloc.c:307)
by 0x48F4F50: oval_result_criteria_node_new (oval_resultCriteriaNode.c:98)
by 0x48F5580: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:249)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F7F41: oval_result_system_get_new_definition_with_check (oval_resultSystem.c:217)
by 0x48F5686: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:279)
by 0x48F55BD: make_result_criteria_node_from_oval_criteria_node (oval_resultCriteriaNode.c:260)
by 0x48F6B51: make_result_definition_from_oval_definition (oval_resultDefinition.c:130)
by 0x48F8794: oval_result_system_prepare_definition (oval_resultSystem.c:395)
by 0x48F86A6: oval_result_system_eval_definition (oval_resultSystem.c:369)
by 0x48C23FD: oval_agent_eval_definition (oval_agent.c:181)
by 0x48C2671: oval_agent_eval_system (oval_agent.c:286)
This leak has been created by #1610.
---
src/OVAL/results/oval_resultCriteriaNode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/OVAL/results/oval_resultCriteriaNode.c b/src/OVAL/results/oval_resultCriteriaNode.c
index 807283206..f6e980861 100644
--- a/src/OVAL/results/oval_resultCriteriaNode.c
+++ b/src/OVAL/results/oval_resultCriteriaNode.c
@@ -258,8 +258,11 @@ struct oval_result_criteria_node *make_result_criteria_node_from_oval_criteria_n
= oval_criteria_node_iterator_next(oval_subnodes);
struct oval_result_criteria_node *rslt_subnode
= make_result_criteria_node_from_oval_criteria_node(sys, oval_subnode, visited_definitions, variable_instance);
- if (rslt_subnode == NULL)
+ if (rslt_subnode == NULL) {
+ oval_criteria_node_iterator_free(oval_subnodes);
+ oval_result_criteria_node_free(rslt_node);
return NULL;
+ }
oval_result_criteria_node_add_subnode(rslt_node, rslt_subnode);
}
oval_criteria_node_iterator_free(oval_subnodes);

9
SOURCES/openscap-1.3.5-test-non-local-gpfs-PR_1653.patch Normal file
View File

@ -0,0 +1,9 @@
diff --git a/tests/API/probes/fake_mtab b/tests/API/probes/fake_mtab
index 94b1fe295..32c516b7d 100644
--- a/tests/API/probes/fake_mtab
+++ b/tests/API/probes/fake_mtab
@@ -5,3 +5,4 @@ tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
/dev/mapper/fedora-home /home ext4 rw,seclabel,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
//192.168.0.5/storage /media/movies cifs guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm 0 0
+/dev/gpfsdev /gpfs gpfs rw,relatime 0 0

13
SOURCES/openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/tests/test_common.sh.in b/tests/test_common.sh.in
index 6b54ad015..5b6126dbf 100755
--- a/tests/test_common.sh.in
+++ b/tests/test_common.sh.in
@@ -17,6 +17,9 @@ PREFERRED_PYTHON=@PREFERRED_PYTHON_PATH@
LC_ALL=C
export LC_ALL
+MALLOC_CHECK_=3
+export MALLOC_CHECK_
+
OSCAP_FULL_VALIDATION=1
export OSCAP_FULL_VALIDATION

67
SOURCES/openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch Normal file
View File

@ -0,0 +1,67 @@
diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
index 6f18abf83..17741a240 100644
--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
+++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
@@ -206,6 +206,7 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
yaml_event_type_t event_type;
bool sequence = false;
bool mapping = false;
+ bool fake_mapping = false;
int index = 0;
char *key = strdup("#");
@@ -224,21 +225,39 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
if (sequence) {
if (event_type == YAML_SEQUENCE_END_EVENT) {
- sequence = false;
+ if (fake_mapping) {
+ fake_mapping = false;
+ if (record && record->itemcount > 0) {
+ oscap_list_add(values, record);
+ } else {
+ // Do not collect empty records
+ oscap_htable_free0(record);
+ }
+ record = NULL;
+ } else {
+ sequence = false;
+ }
} else if (event_type == YAML_SEQUENCE_START_EVENT) {
- result_error("YAML path '%s' points to a multi-dimensional structure (sequence containing another sequence)", yaml_path_cstr);
- goto cleanup;
+ if (mapping || fake_mapping) {
+ result_error("YAML path '%s' points to a multi-dimensional structure (a map or a sequence containing other sequences)", yaml_path_cstr);
+ goto cleanup;
+ } else {
+ fake_mapping = true;
+ record = oscap_htable_new();
+ }
}
} else {
if (event_type == YAML_SEQUENCE_START_EVENT) {
sequence = true;
+ if (mapping)
+ index++;
}
}
if (mapping) {
if (event_type == YAML_MAPPING_END_EVENT) {
mapping = false;
- if (record->itemcount > 0) {
+ if (record && record->itemcount > 0) {
oscap_list_add(values, record);
} else {
// Do not collect empty records
@@ -255,6 +274,10 @@ static int yaml_path_query(const char *filepath, const char *yaml_path_cstr, str
result_error("YAML path '%s' points to an invalid structure (map containing another map)", yaml_path_cstr);
goto cleanup;
}
+ if (fake_mapping) {
+ result_error("YAML path '%s' points to a multi-dimensional structure (two-dimensional sequence containing a map)", yaml_path_cstr);
+ goto cleanup;
+ }
mapping = true;
sequence = false;
index = 0;

61
SPECS/openscap.spec
View File

@ -1,25 +1,18 @@
Name: openscap
Version: 1.3.3
Release: 6%{?dist}
Version: 1.3.4
Release: 5%{?dist}
Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries
License: LGPLv2+
URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch1: openscap-1.3.4-fix-environmentvariable58-regression.patch
Patch2: openscap-1.3.4-fix-no-more-recursion.patch
Patch3: openscap-1.3.4-add_compression_support-PR_1557.patch
Patch4: openscap-1.3.4-add_compression_test-PR_1564.patch
Patch5: openscap-1.3.4-add_compression_tracing-PR_1561.patch
Patch6: openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch
Patch7: openscap-1.3.4-detect_remote_file_systems-PR_1573.patch
Patch8: openscap-1.3.4-export-profile-platform-PR_1609.patch
Patch9: openscap-1.3.4-bump-yamlfilter-fix-warnings-PR_1530.patch
Patch10: openscap-1.3.4-bump-yamlfilter-upgrade-probe-schemas-PR_1552.patch
Patch11: openscap-1.3.4-bump-yamlfilter-upgrade-probe-schemas-submodule-PR_1552.patch
Patch12: openscap-1.3.5-bump-yamlfilter-covscan-fix-PR_1620.patch
Patch13: openscap-1.3.5-bump-yamlfilter-fix-field-names-PR_1619.patch
Patch1: openscap-1.3.5-plug-memory-leak-PR_1616.patch
Patch2: openscap-1.3.5-coverity1-PR_1617.patch
Patch3: openscap-1.3.5-coverity2-PR_1620.patch
Patch4: openscap-1.3.5-yamlfilecontent-fix-field-names-PR_1619.patch
Patch5: openscap-1.3.5-memory-PR_1627.patch
Patch6: openscap-1.3.5-use-MALLOC_CHECK-in-tests-PR_1635.patch
Patch7: openscap-1.3.5-test-non-local-gpfs-PR_1653.patch
BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel
@ -138,20 +131,7 @@ The %{name}-engine-sce-devel package contains libraries and header files
for developing applications that use %{name}-engine-sce.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1 -d yaml-filter
%patch12 -p1
%patch13 -p1
%autosetup -p1
mkdir build
%build
@ -239,9 +219,24 @@ rm -rf $RPM_BUILD_ROOT
%{_bindir}/oscap-run-sce-script
%changelog
* Thu Oct 29 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.3-6
- Enable profile composition with a specific platform (RHBZ#1896676)
- Enable YAML probe to work with sets of values (RHBZ#1895715)
* Wed Nov 25 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-5
- Add check for non-local GPFS file system into Test Suite (RHBZ#1840578)
* Fri Nov 13 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-4
- Use MALLOC_CHECK_=3 while executing Test Suite (RHBZ#1891770)
* Tue Nov 10 2020 Jan Černý <jcerny@redhat.com> - 1.3.4-3
- Fix memory allocation (RHBZ#1891770)
* Mon Oct 26 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-2
- Fix problems uncovered by the Coverity Scan (RHBZ#1887794)
* Wed Oct 14 2020 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.4-1
- Upgrade to the latest upstream release (RHBZ#1887794)
- Treat GPFS as a remote file system (RHBZ#1840578, RHBZ#1840579)
- Fixed the most problematic memory issues that were causing OOM situations
for systems with large amount of files (RHBZ#1824152)
- Proper handling of OVALs with circular dependencies between definitions (RHBZ#1812476)
* Wed Aug 19 2020 Jan Černý <jcerny@redhat.com> - 1.3.3-5
- Detect remote file systems correctly (RHBZ#1870087)