rpms / openscap

Clone
Source Code
GIT

Files

  1.   8b65eea52df3f24591269b4a13f2d9812053f787
  2.   SOURCES
  3.   openscap-1.3.5-fix_segfaults_and_broken_test-PR_1669.patch
Blob Blame History Raw 
From b8b90b4c04a130d9174148486b40bfc8454a290b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Jan 2021 16:31:04 +0100
Subject: [PATCH 1/5] Fix a segmentation fault

When generating results with --stig-viewer a segmentation fault
occured. This segfault has been caused by
9b40767967e533bdb340ca4c91f2fd1192694820.

The patch makes the usage of benchmark and cloned benchmark in this
`if` block consistent with the previous `if` block above.
---
 src/XCCDF/xccdf_session.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
index c88d90be05..9e54a98e9e 100644
--- a/src/XCCDF/xccdf_session.c
+++ b/src/XCCDF/xccdf_session.c
@@ -1393,9 +1393,12 @@ static int _build_xccdf_result_source(struct xccdf_session *session)
 		}
 
 		if (session->export.xccdf_stig_viewer_file != NULL) {
+			struct xccdf_benchmark *cloned_benchmark = xccdf_benchmark_clone(benchmark);
 			struct xccdf_result *cloned_result = xccdf_result_clone(session->xccdf.result);
+			xccdf_benchmark_add_result(cloned_benchmark, cloned_result);
 			struct oscap_source * stig_result = xccdf_result_stig_viewer_export_source(cloned_result, session->export.xccdf_stig_viewer_file);
-			xccdf_result_free(cloned_result);
+			// cloned_result is freed during xccdf_benchmark_free
+			xccdf_benchmark_free(cloned_benchmark);
 			if (oscap_source_save_as(stig_result, NULL) != 0) {
 				oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not save file: %s",
 						oscap_source_readable_origin(stig_result));

From 0a73539af773ce261e2b5eb71ca6b2b83ff6e386 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Jan 2021 16:47:13 +0100
Subject: [PATCH 2/5] Fix test for --stig-viewer

The test masked the segfault in oscap command by ignoring the oscap
return code. Moreover, it ignored any failure in the Python script
stig-viewer-equivalence.py. The commit also adds an improvement to
test if the produced file isn't empty.
---
 tests/API/XCCDF/unittests/test_single_rule_stigw.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/API/XCCDF/unittests/test_single_rule_stigw.sh b/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
index 15803ab94c..e258e72dd1 100755
--- a/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
+++ b/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
@@ -19,8 +19,10 @@ echo "Result file = $result"
 # evaluated when '--rule' option is not specified.
 
 # One of the rules is supposed to fail, so the return code of this line has to be 0 so the test can continue
-$OSCAP xccdf eval --stig-viewer "$result" "$srcdir/${name}.xccdf.xml" 2> "$stderr" || true
+$OSCAP xccdf eval --stig-viewer "$result" "$srcdir/${name}.xccdf.xml" 2> "$stderr" || ret=$?
+[ $ret == 2 ]
 [ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+[ -s "$result" ]
 
-"${PYTHON:-python}" "$srcdir/stig-viewer-equivalence.py" "$result" "$srcdir/correct_stigw_result.xml" 2> "$stderr" || ret=$?
+"${PYTHON:-python}" "$srcdir/stig-viewer-equivalence.py" "$result" "$srcdir/correct_stigw_result.xml" 2> "$stderr"
 rm "$result"

From 7011a6fc960515ff626f411349b8b8a267b80c02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 6 Jan 2021 12:08:31 +0100
Subject: [PATCH 3/5] Fix segmentation fault

The function call oscap_reference_get_href(ref) can return NULL
because href attribute of reference element is optional.
---
 src/XCCDF/result.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
index 21b93fba74..a4fdec6cee 100644
--- a/src/XCCDF/result.c
+++ b/src/XCCDF/result.c
@@ -1154,7 +1154,9 @@ void xccdf_result_to_dom(struct xccdf_result *result, xmlNode *result_node, xmlD
 			struct oscap_reference_iterator *references = xccdf_item_get_references(item);
 			while (oscap_reference_iterator_has_more(references)) {
 				struct oscap_reference *ref = oscap_reference_iterator_next(references);
-				if (strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF) == 0) {
+				const char *href = oscap_reference_get_href(ref);
+				if (href && (strcmp(href, DISA_STIG_VIEWER_HREF[0]) == 0 ||
+							strcmp(href, DISA_STIG_VIEWER_HREF[1]) == 0)) {
 					const char *stig_rule_id = oscap_reference_get_title(ref);
 
 					xccdf_test_result_type_t other_res = (xccdf_test_result_type_t)oscap_htable_detach(nodes_by_rule_id, stig_rule_id);
@@ -1367,8 +1368,9 @@ void xccdf_rule_result_to_dom(struct xccdf_rule_result *result, xmlDoc *doc, xml
 		struct oscap_reference_iterator *references = xccdf_item_get_references(item);
 		while (oscap_reference_iterator_has_more(references)) {
 			struct oscap_reference *ref = oscap_reference_iterator_next(references);
-			if (strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF[0]) == 0 ||
-			    strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF[1]) == 0) {
+			const char *href = oscap_reference_get_href(ref);
+			if (href && (strcmp(href, DISA_STIG_VIEWER_HREF[0]) == 0 ||
+					strcmp(href, DISA_STIG_VIEWER_HREF[1]) == 0)) {
 				const char *stig_rule_id = oscap_reference_get_title(ref);
 
 				xccdf_test_result_type_t expected_res = (xccdf_test_result_type_t)oscap_htable_get(nodes_by_rule_id, stig_rule_id);

From 7ae1dd586128889bbaa8b3a20937d00feabd2ac0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 6 Jan 2021 13:35:36 +0100
Subject: [PATCH 4/5] Test reference elements without href attribute

The href attribute is optional within xccdf:reference element.
Moreover, reference elements can contain Dublin Core elements instead of
a simple atomic value. Some SCAP content uses xccdf:reference without
href attribute, for example DISA STIG for RHEL 7 V3R1. There was a
segmentation fault because oscap expected the href attribute to be
present. See RHBZ #1911999 for more information.
---
 tests/API/XCCDF/unittests/test_single_rule.xccdf.xml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml b/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
index c942aac18a..c41b86173a 100644
--- a/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
+++ b/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dc="http://purl.org/dc/elements/1.1/" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
   <status>accepted</status>
   <version>1.0</version>
 
@@ -26,6 +26,14 @@
   </Value>
   <Rule selected="true" id="xccdf_com.example.www_rule_test-pass">
     <title>This rule always pass</title>
+    <reference>Clever book, page 18, section 3</reference>
+    <reference>
+      <dc:title>Test reference without href attribute</dc:title>
+      <dc:publisher>OpenSCAP Project</dc:publisher>
+      <dc:type>Dummy reference</dc:type>
+      <dc:subject>Random subject</dc:subject>
+      <dc:identifier>12345</dc:identifier>
+    </reference>
     <reference href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040800</reference>
     <reference href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86937r1_rule</reference>
     <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation