From cf36c6aa053287434269a51cb5ad857493a9735e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 29 2020 07:00:34 +0000
Subject: import openscap-1.2.17-11.el7
---
diff --git a/SOURCES/openscap-1.2.18-cvrf-segfault.patch b/SOURCES/openscap-1.2.18-cvrf-segfault.patch
new file mode 100644
index 0000000..388c169
--- /dev/null
+++ b/SOURCES/openscap-1.2.18-cvrf-segfault.patch
@@ -0,0 +1,67 @@
+diff --git a/src/CVRF/cvrf_eval.c b/src/CVRF/cvrf_eval.c
+index 049b871f8..3bb39d109 100644
+--- a/src/CVRF/cvrf_eval.c
++++ b/src/CVRF/cvrf_eval.c
+@@ -89,10 +89,14 @@ struct cvrf_session *cvrf_session_new_from_source_model(struct oscap_source *sou
+ if (source == NULL)
+ return NULL;
+ 
++ struct cvrf_model *model = cvrf_model_import(source);
++ if (model == NULL) {
++ return NULL;
++ }
+ struct cvrf_session *ret = malloc(sizeof(struct cvrf_session));
+ ret->source = source;
+ ret->index = NULL;
+- ret->model = cvrf_model_import(source);
++ ret->model = model;
+ ret->os_name = NULL;
+ ret->product_ids = oscap_stringlist_new();
+ ret->def_model = oval_definition_model_new();
+@@ -225,6 +229,9 @@ struct oscap_source *cvrf_model_get_results_source(struct oscap_source *import_s
+ if (import_source == NULL)
+ return NULL;
+ struct cvrf_session *session = cvrf_session_new_from_source_model(import_source);
++ if (session == NULL) {
++ return NULL;
++ }
+ cvrf_session_set_os_name(session, os_name);
+ 
+ if (find_all_cvrf_product_ids_from_cpe(session) != 0) {
+diff --git a/utils/oscap-cvrf.c b/utils/oscap-cvrf.c
+index 9a2441165..d6c571007 100644
+--- a/utils/oscap-cvrf.c
++++ b/utils/oscap-cvrf.c
+@@ -99,20 +99,29 @@ static int app_cvrf_evaluate(const struct oscap_action *action) {
+ // themselves
+ const char *os_name = "Red Hat Enterprise Linux Desktop Supplementary (v. 
6)";
+ struct oscap_source *import_source = oscap_source_new_from_file(action->cvrf_action->f_cvrf);
++ 
++ int ret = oscap_source_validate(import_source, reporter, (void *) action);
++ if (ret != 0) {
++ result = OSCAP_ERROR;
++ goto cleanup;
++ }
++ 
+ struct oscap_source *export_source = cvrf_model_get_results_source(import_source, os_name);
+- if (export_source == NULL)
+- return -1;
++ if (export_source == NULL) {
++ result = OSCAP_ERROR;
++ goto cleanup;
++ }
+ 
+ if (oscap_source_save_as(export_source, action->cvrf_action->f_results) == -1) {
+ result = OSCAP_ERROR;
+ goto cleanup;
+ }
++ oscap_source_free(export_source);
+ 
+ cleanup:
+ if (oscap_err())
+ fprintf(stderr, "%s %s\n", OSCAP_ERR_MSG, oscap_err_desc());
+ 
+- oscap_source_free(export_source);
+ free(action->cvrf_action);
+ return result;
+ }
diff --git a/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch b/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch
new file mode 100644
index 0000000..a572061
--- /dev/null
+++ b/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch
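Review bot: In the cvrf_session_new_from_source_model hunk the `malloc(sizeof(struct cvrf_session))` result is still written to unchecked on the very next line (`ret->source = source;`), so the commit removes one NULL dereference but leaves the allocation-failure one in place; add `if (ret == NULL) return NULL;` after the malloc, releasing `model` with the model's destructor first, since the model is now imported before the allocation. In app_cvrf_evaluate the new `goto cleanup` after a failed `oscap_source_validate` jumps past the only code that consumes `import_source`, so unless the validator or the session takes ownership of it (not visible here) the source leaks on that path, and the same seems to hold when `cvrf_model_get_results_source` returns NULL. Moving `oscap_source_free(export_source)` onto the success path is the right call, because the validate-failure jump now crosses the declaration of `export_source` and freeing it at `cleanup:` would read an indeterminate pointer. Both enclosing functions continue outside the hunk.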
@@ -0,0 +1,18 @@
+diff --git a/utils/oscap-ssh b/utils/oscap-ssh
+index 658cc2ee4..bd2e209c4 100755
+--- a/utils/oscap-ssh
++++ b/utils/oscap-ssh
+@@ -280,7 +280,12 @@ echo "Starting the evaluation..."
+ # changing directory because of --oval-results support. oval results files are
+ # dumped into PWD, and we can't be sure by the file names - we need controlled
+ # environment
+-ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION"
++if [ -z "$OSCAP_SUDO" ]; then
++ ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION"
++else
++ OSCAP_CMD="oscap $(command_array_to_string oscap_args); rc=\$?; chown \$SUDO_USER $REMOTE_TEMP_DIR/*; exit \$rc"
++ ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO sh -c '$OSCAP_CMD'" "$SSH_TTY_ALLOCATION_OPTION"
++fi
+ OSCAP_EXIT_CODE=$?
+ echo "oscap exit code: $OSCAP_EXIT_CODE"
+ 
diff --git a/SOURCES/openscap-1.2.18-selinuxsecuritycontext-verbose.patch b/SOURCES/openscap-1.2.18-selinuxsecuritycontext-verbose.patch
new file mode 100644
index 0000000..7abfdd9
--- /dev/null
+++ b/SOURCES/openscap-1.2.18-selinuxsecuritycontext-verbose.patch
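Review bot: The sudo branch wraps `$OSCAP_CMD` in single quotes for `sh -c`, but `OSCAP_CMD` is assembled from `$(command_array_to_string oscap_args)` and `$REMOTE_TEMP_DIR`, so a single quote in any oscap argument (a file path, a profile id) or in the temp directory name terminates the quoted string early and the remote shell runs something other than the intended argument list, unless command_array_to_string already escapes quotes, which the hunk does not show. Escaping before embedding, e.g. `OSCAP_CMD=$(printf '%s' "$OSCAP_CMD" | sed "s/'/'\\\\''/g")`, keeps the command intact under sudo. The `chown \$SUDO_USER` step also assumes `$OSCAP_SUDO` really is sudo; with a different elevation helper `SUDO_USER` is unset, chown fails, and only the preserved `$rc` keeps the reported exit code meaningful. A one-line comment stating why the result files are chowned back to the login user (presumably so the later copy-out from the temp dir works without privileges) would help the next reader.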
@@ -0,0 +1,13 @@
+diff --git a/src/OVAL/probes/unix/linux/selinuxsecuritycontext.c b/src/OVAL/probes/unix/linux/selinuxsecuritycontext.c
+index 65268cbfb..d9c91d75e 100644
+--- a/src/OVAL/probes/unix/linux/selinuxsecuritycontext.c
++++ b/src/OVAL/probes/unix/linux/selinuxsecuritycontext.c
+@@ -269,7 +269,7 @@ static int selinuxsecuritycontext_file_cb(const char *prefix, const char *p, con
+ file_context_size = getfilecon(path_with_prefix, &file_context);
+ free(path_with_prefix);
+ if (file_context_size == -1) {
+- dE("Can't get context for %s: %s", pbuf, strerror(errno));
++ dD("Can't get context for %s: %s", pbuf, strerror(errno));
+ 
+ item = probe_item_create(OVAL_LINUX_SELINUXSECURITYCONTEXT, NULL,
+ "filepath", OVAL_DATATYPE_STRING, pbuf,
diff --git a/SOURCES/openscap-1.3.2-red-hat-errata-url-pr1388.patch b/SOURCES/openscap-1.3.2-red-hat-errata-url-pr1388.patch
new file mode 100644
index 0000000..fa88355
--- /dev/null
+++ b/SOURCES/openscap-1.3.2-red-hat-errata-url-pr1388.patch
@@ -0,0 +1,66 @@
+From e957c5104fc8bdd6a272c8e7019b08aec921dc95 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?=
+Date: Tue, 30 Jul 2019 13:28:41 +0200
+Subject: [PATCH 1/2] Fix URL link mechanism for Red Hat Errata
+
+Previously, public description of each erratum was available under
+
+ https://rhn.redhat.com/errata/
+
+at some point in time this has changed to
+
+ https://access.redhat.com/errata/
+
+and since not all links redirect properly from old to new, we have to fix
+OpenSCAP end as well.
+
+This enables people reviewing XCCDF policy guide or XCCDF result report to click
+on RH[SBE]A-YYYY-ABCD acronym and be redirected to public description of the
+given erratum.
+---
+ xsl/xccdf-share.xsl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xsl/xccdf-share.xsl b/xsl/xccdf-share.xsl
+index 50b6ad950..37a74ffa2 100644
+--- a/xsl/xccdf-share.xsl
++++ b/xsl/xccdf-share.xsl
+@@ -55,8 +55,8 @@ Authors:
+ 
+ 
+ 
+- 
+- 
++ 
++ 
+ 
+ 
+ 
+
+From c142a763dfd92d7b304d76aecc1615729fea8533 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?=
+Date: Tue, 30 Jul 2019 14:06:09 +0200
+Subject: [PATCH 2/2] Transformation from OVAL to XCCDF should also assume new
+ url for RH Errata
+
+---
+ xsl/oval-to-xccdf.xsl | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/xsl/oval-to-xccdf.xsl b/xsl/oval-to-xccdf.xsl
+index 850ee97a2..9dd29fd58 100644
+--- a/xsl/oval-to-xccdf.xsl
++++ b/xsl/oval-to-xccdf.xsl
+@@ -86,9 +86,9 @@ Authors:
+ 
+ 
+ 
+- 
+- 
+- 
++ 
++ 
++ 
+ 
+ 
+ 
diff --git a/SOURCES/openscap-1.3.3-systemdunitdependency-probe-segfault.patch b/SOURCES/openscap-1.3.3-systemdunitdependency-probe-segfault.patch
new file mode 100644
index 0000000..ae10910
--- /dev/null
+++ b/SOURCES/openscap-1.3.3-systemdunitdependency-probe-segfault.patch
@@ -0,0 +1,134 @@
+diff --git a/src/OVAL/probes/unix/linux/systemdunitdependency.c b/src/OVAL/probes/unix/linux/systemdunitdependency.c
+index 2f194ce07..e2cbdb7d2 100644
+--- a/src/OVAL/probes/unix/linux/systemdunitdependency.c
++++ b/src/OVAL/probes/unix/linux/systemdunitdependency.c
+@@ -37,6 +37,8 @@
+ #include "common/list.h"
+ #include 
+ 
++static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, SEXP_t *item, struct oscap_htable *visited_units);
++
+ static char *get_property_by_unit_path(DBusConnection *conn, const char *unit_path, const char *property)
+ {
+ DBusMessage *msg = NULL;
+@@ -135,7 +137,38 @@ static bool is_unit_name_a_target(const char *unit)
+ return strncmp(unit + len - suffix_len, suffix, suffix_len) == 0;
+ }
+ 
+-static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, int(*callback)(const char *, void *), void *cbarg, bool include_requires, bool include_wants)
++static int add_unit_dependency(const char *dependency, SEXP_t *item, struct oscap_htable *visited_units)
++{
++ if (oscap_htable_get(visited_units, dependency) != NULL) {
++ return 1;
++ }
++ oscap_htable_add(visited_units, dependency, (void *) true);
++ SEXP_t *se_dependency = SEXP_string_new(dependency, strlen(dependency));
++ probe_item_ent_add(item, "dependency", NULL, se_dependency);
++ SEXP_free(se_dependency);
++ return 0;
++}
++
++static void process_unit_property(const char *property, DBusConnection *conn, const char *path, SEXP_t *item, struct oscap_htable *visited_units)
++{
++ char *values_s = get_property_by_unit_path(conn, path, property);
++ if (values_s) {
++ char **values = oscap_split(values_s, ", ");
++ for (int i = 0; values[i] != NULL; ++i) {
++ if (oscap_strcmp(values[i], "") == 0) {
++ continue;
++ }
++ 
++ if (add_unit_dependency(values[i], item, visited_units) == 0) {
++ get_all_dependencies_by_unit(conn, values[i], item, visited_units);
++ }
++ }
++ free(values);
++ }
++ free(values_s);
++}
++
++static void 
get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, SEXP_t *item, struct oscap_htable *visited_units)
+ {
+ if (!unit || strcmp(unit, "(null)") == 0)
+ return;
+@@ -146,66 +179,12 @@ static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit,
+ 
+ char *path = get_path_by_unit(conn, unit);
+ 
+- if (include_requires) {
+- char *requires_s = get_property_by_unit_path(conn, path, "Requires");
+- if (requires_s) {
+- char **requires = oscap_split(requires_s, ", ");
+- for (int i = 0; requires[i] != NULL; ++i) {
+- if (oscap_strcmp(requires[i], "") == 0)
+- continue;
+- 
+- if (callback(requires[i], cbarg) == 0) {
+- get_all_dependencies_by_unit(conn, requires[i],
+- callback, cbarg,
+- include_requires, include_wants);
+- } else {
+- free(requires);
+- free(requires_s);
+- free(path);
+- return;
+- }
+- }
+- free(requires);
+- }
+- free(requires_s);
+- }
+- 
+- if (include_wants) {
+- char *wants_s = get_property_by_unit_path(conn, path, "Wants");
+- if (wants_s)
+- {
+- char **wants = oscap_split(wants_s, ", ");
+- for (int i = 0; wants[i] != NULL; ++i) {
+- if (oscap_strcmp(wants[i], "") == 0)
+- continue;
+- 
+- if (callback(wants[i], cbarg) == 0) {
+- get_all_dependencies_by_unit(conn, wants[i],
+- callback, cbarg,
+- include_requires, include_wants);
+- } else {
+- free(wants);
+- free(wants_s);
+- free(path);
+- return;
+- }
+- }
+- free(wants);
+- }
+- free(wants_s);
+- }
++ process_unit_property("Requires", conn, path, item, visited_units);
++ process_unit_property("Wants", conn, path, item, visited_units);
+ 
+ free(path);
+ }
+ 
+-static int dependency_callback(const char *dependency, void *cbarg)
+-{
+- SEXP_t *item = (SEXP_t *)cbarg;
+- SEXP_t *se_dependency = SEXP_string_new(dependency, strlen(dependency));
+- probe_item_ent_add(item, "dependency", NULL, se_dependency);
+- return 0;
+-}
+-
+ static int unit_callback(const char *unit, void *cbarg)
+ {
+ struct unit_callback_vars *vars = (struct unit_callback_vars *)cbarg;
+@@ 
-221,8 +200,9 @@ static int unit_callback(const char *unit, void *cbarg)
+ "unit", OVAL_DATATYPE_SEXP, se_unit,
+ NULL);
+ 
+- get_all_dependencies_by_unit(vars->dbus_conn, unit,
+- dependency_callback, item, true, true);
++ struct oscap_htable *visited_units = oscap_htable_new();
++ get_all_dependencies_by_unit(vars->dbus_conn, unit, item, visited_units);
++ oscap_htable_free(visited_units, NULL);
+ 
+ probe_item_collect(vars->ctx, item);
+ SEXP_free(se_unit);
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index 57efd1a..4cade78 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -6,7 +6,7 @@ restorecon -R /usr/bin/oscap /usr/libexec/openscap; \
 
 Name: openscap
 Version: 1.2.17
-Release: 9%{?dist}
+Release: 11%{?dist}
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 Group: System Environment/Libraries
 License: LGPLv2+
@@ -32,6 +32,11 @@ Patch17: openscap-1.2.18-all_profile-ssh.patch
 Patch18: openscap-1.3.2-canonical_path_in_rpmverifyfile_probe.patch
 Patch19: openscap-1.2.18-rhel8-cpe.patch
 Patch20: openscap-1.2.18-stig_viewer_uri.patch
+Patch21: openscap-1.3.3-systemdunitdependency-probe-segfault.patch
+Patch22: openscap-1.2.18-oscap-ssh-sudo.patch
+Patch23: openscap-1.2.18-selinuxsecuritycontext-verbose.patch
+Patch24: openscap-1.2.18-cvrf-segfault.patch
+Patch25: openscap-1.3.2-red-hat-errata-url-pr1388.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser
 BuildRequires: rpm-devel
@@ -167,6 +172,11 @@ Tool for scanning Atomic containers.
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
 
 %build
 %ifarch sparc64
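Review bot: process_unit_property hands `path` from `get_path_by_unit(conn, unit)` straight to `get_property_by_unit_path` with no NULL check, and whether that helper tolerates a NULL unit path is not visible in the hunk (its body is cut off after `DBusMessage *msg = NULL;`); if it does not, a unit name that resolves to no object path still crashes the probe that the visited set was added to protect, so either guard with `if (path == NULL) return;` before the two process_unit_property calls or state in a comment that the helper handles NULL. The return value of `oscap_htable_add` is ignored in add_unit_dependency, so an insertion failure would only let a unit be recorded and descended into again rather than loop forever, which is acceptable but deserves a comment saying so. add_unit_dependency's 0/1 return drives the recursion and should carry a header comment such as `/* Records dependency on item; returns 0 when newly added, 1 when already visited (caller must not recurse). */`. The `(void *) true` marker works only because the table is tested for non-NULL, which the `oscap_htable_get` check makes explicit; a named sentinel would read better. unit_callback continues outside the hunk.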
@@ -225,7 +235,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files
 %defattr(-,root,root,-)
-%doc AUTHORS COPYING ChangeLog NEWS README.md
+%doc AUTHORS COPYING ChangeLog NEWS README.md docs/manual/manual.html
 %{_libdir}/libopenscap.so.*
 %{_libexecdir}/openscap/probe_dnscache
 %{_libexecdir}/openscap/probe_environmentvariable
@@ -322,6 +332,16 @@ rm -rf $RPM_BUILD_ROOT
 
 %changelog
+* Tue Apr 28 2020 Jan Černý - 1.2.17-11
+- Fix URL for Red Hat Errata (RHBZ#1828779)
+
+* Thu Mar 19 2020 Jan Černý - 1.2.17-10
+- Fix segfault in systemdunitdependency probe (RHBZ#1478285)
+- Build and ship HTML manual (RHBZ#1465661)
+- Fix oscap-ssh with --sudo (RHBZ#1803114)
+- Change category of verbose message (RHBZ#1640522)
+- Fix segfault in CVRF module (RHBZ#1642283)
+
 * Tue Jan 7 2020 Jan Černý - 1.2.17-9
 - Add new DISA STIG Viewer URI (RHBZ#1783200)
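Review bot: The `%files` hunk adds `docs/manual/manual.html` to `%doc`, but no hunk in the spec adds a build step or a BuildRequires for the tool that generates that file, so packaging now depends on the upstream build producing it unconditionally; if it is only generated when a documentation tool is present, the build fails at `%files` with a missing-file error. The changelog line "Build and ship HTML manual" suggests a build step was intended, so it is worth confirming in the spec where manual.html comes from and, if it is built conditionally, making the dependency explicit. The final `%changelog` hunk runs past the end of this chunk.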