From b8b90b4c04a130d9174148486b40bfc8454a290b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Jan 2021 16:31:04 +0100
Subject: [PATCH 1/5] Fix a segmentation fault
When generating results with --stig-viewer a segmentation fault
occured. This segfault has been caused by
9b40767967e533bdb340ca4c91f2fd1192694820.
The patch makes the usage of benchmark and cloned benchmark in this
`if` block consistent with the previous `if` block above.
---
src/XCCDF/xccdf_session.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
index c88d90be05..9e54a98e9e 100644
--- a/src/XCCDF/xccdf_session.c
+++ b/src/XCCDF/xccdf_session.c
@@ -1393,9 +1393,12 @@ static int _build_xccdf_result_source(struct xccdf_session *session)
}
if (session->export.xccdf_stig_viewer_file != NULL) {
+ struct xccdf_benchmark *cloned_benchmark = xccdf_benchmark_clone(benchmark);
struct xccdf_result *cloned_result = xccdf_result_clone(session->xccdf.result);
+ xccdf_benchmark_add_result(cloned_benchmark, cloned_result);
struct oscap_source * stig_result = xccdf_result_stig_viewer_export_source(cloned_result, session->export.xccdf_stig_viewer_file);
- xccdf_result_free(cloned_result);
+ // cloned_result is freed during xccdf_benchmark_free
+ xccdf_benchmark_free(cloned_benchmark);
if (oscap_source_save_as(stig_result, NULL) != 0) {
oscap_seterr(OSCAP_EFAMILY_OSCAP, "Could not save file: %s",
oscap_source_readable_origin(stig_result));
From 0a73539af773ce261e2b5eb71ca6b2b83ff6e386 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Jan 2021 16:47:13 +0100
Subject: [PATCH 2/5] Fix test for --stig-viewer
The test masked the segfault in oscap command by ignoring the oscap
return code. Moreover, it ignored any failure in the Python script
stig-viewer-equivalence.py. The commit also adds an improvement to
test if the produced file isn't empty.
---
tests/API/XCCDF/unittests/test_single_rule_stigw.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/API/XCCDF/unittests/test_single_rule_stigw.sh b/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
index 15803ab94c..e258e72dd1 100755
--- a/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
+++ b/tests/API/XCCDF/unittests/test_single_rule_stigw.sh
@@ -19,8 +19,10 @@ echo "Result file = $result"
# evaluated when '--rule' option is not specified.
# One of the rules is supposed to fail, so the return code of this line has to be 0 so the test can continue
-$OSCAP xccdf eval --stig-viewer "$result" "$srcdir/${name}.xccdf.xml" 2> "$stderr" || true
+$OSCAP xccdf eval --stig-viewer "$result" "$srcdir/${name}.xccdf.xml" 2> "$stderr" || ret=$?
+[ $ret == 2 ]
[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+[ -s "$result" ]
-"${PYTHON:-python}" "$srcdir/stig-viewer-equivalence.py" "$result" "$srcdir/correct_stigw_result.xml" 2> "$stderr" || ret=$?
+"${PYTHON:-python}" "$srcdir/stig-viewer-equivalence.py" "$result" "$srcdir/correct_stigw_result.xml" 2> "$stderr"
rm "$result"
From 7011a6fc960515ff626f411349b8b8a267b80c02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 6 Jan 2021 12:08:31 +0100
Subject: [PATCH 3/5] Fix segmentation fault
The function call oscap_reference_get_href(ref) can return NULL
because href attribute of reference element is optional.
---
src/XCCDF/result.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
index 21b93fba74..a4fdec6cee 100644
--- a/src/XCCDF/result.c
+++ b/src/XCCDF/result.c
@@ -1154,7 +1154,9 @@ void xccdf_result_to_dom(struct xccdf_result *result, xmlNode *result_node, xmlD
struct oscap_reference_iterator *references = xccdf_item_get_references(item);
while (oscap_reference_iterator_has_more(references)) {
struct oscap_reference *ref = oscap_reference_iterator_next(references);
- if (strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF) == 0) {
+ const char *href = oscap_reference_get_href(ref);
+ if (href && (strcmp(href, DISA_STIG_VIEWER_HREF[0]) == 0 ||
+ strcmp(href, DISA_STIG_VIEWER_HREF[1]) == 0)) {
const char *stig_rule_id = oscap_reference_get_title(ref);
xccdf_test_result_type_t other_res = (xccdf_test_result_type_t)oscap_htable_detach(nodes_by_rule_id, stig_rule_id);
@@ -1367,8 +1368,9 @@ void xccdf_rule_result_to_dom(struct xccdf_rule_result *result, xmlDoc *doc, xml
struct oscap_reference_iterator *references = xccdf_item_get_references(item);
while (oscap_reference_iterator_has_more(references)) {
struct oscap_reference *ref = oscap_reference_iterator_next(references);
- if (strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF[0]) == 0 ||
- strcmp(oscap_reference_get_href(ref), DISA_STIG_VIEWER_HREF[1]) == 0) {
+ const char *href = oscap_reference_get_href(ref);
+ if (href && (strcmp(href, DISA_STIG_VIEWER_HREF[0]) == 0 ||
+ strcmp(href, DISA_STIG_VIEWER_HREF[1]) == 0)) {
const char *stig_rule_id = oscap_reference_get_title(ref);
xccdf_test_result_type_t expected_res = (xccdf_test_result_type_t)oscap_htable_get(nodes_by_rule_id, stig_rule_id);
From 7ae1dd586128889bbaa8b3a20937d00feabd2ac0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 6 Jan 2021 13:35:36 +0100
Subject: [PATCH 4/5] Test reference elements without href attribute
The href attribute is optional within xccdf:reference element.
Moreover, reference elements can contain Dublin Core elements instead of
a simple atomic value. Some SCAP content uses xccdf:reference without
href attribute, for example DISA STIG for RHEL 7 V3R1. There was a
segmentation fault because oscap expected the href attribute to be
present. See RHBZ #1911999 for more information.
---
tests/API/XCCDF/unittests/test_single_rule.xccdf.xml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml b/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
index c942aac18a..c41b86173a 100644
--- a/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
+++ b/tests/API/XCCDF/unittests/test_single_rule.xccdf.xml
@@ -1,5 +1,5 @@
<?xml version="1.0"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dc="http://purl.org/dc/elements/1.1/" id="xccdf_com.example.www_benchmark_dummy" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US">
<status>accepted</status>
<version>1.0</version>
@@ -26,6 +26,14 @@
</Value>
<Rule selected="true" id="xccdf_com.example.www_rule_test-pass">
<title>This rule always pass</title>
+ <reference>Clever book, page 18, section 3</reference>
+ <reference>
+ <dc:title>Test reference without href attribute</dc:title>
+ <dc:publisher>OpenSCAP Project</dc:publisher>
+ <dc:type>Dummy reference</dc:type>
+ <dc:subject>Random subject</dc:subject>
+ <dc:identifier>12345</dc:identifier>
+ </reference>
<reference href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040800</reference>
<reference href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86937r1_rule</reference>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">