diff --git a/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch b/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch new file mode 100644 index 0000000..94cc375 --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch @@ -0,0 +1,136 @@ +From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 8 Jul 2021 14:28:16 +0200 +Subject: [PATCH 1/3] Initialize crypto API only once + +The function `crapi_init` calls `gcry_check_version` which must be +called before any other function from the Libgcrypt library. That might +be violated when multiple threads executing multiple probes are running. +The mitigation proposed in this PR is to call `crapi_init` only once +when the session is initialized which means before any threads are +spawned. + +See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading + +Resolves: RHBZ#1959570 +--- + src/OVAL/oval_probe_session.c | 5 +++++ + src/OVAL/probes/independent/filehash58_probe.c | 6 ------ + src/OVAL/probes/independent/filehash_probe.c | 6 ------ + src/OVAL/probes/independent/filemd5_probe.c | 6 ------ + 4 files changed, 5 insertions(+), 18 deletions(-) + +diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c +index 435ca148fd..6f6d7ad426 100644 +--- a/src/OVAL/oval_probe_session.c ++++ b/src/OVAL/oval_probe_session.c +@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void) + SEXP_free((SEXP_t *)exp); + + ncache_libinit(); ++ /* ++ * Initialize crypto API ++ */ ++ if (crapi_init (NULL) != 0) ++ return (NULL); + } + + /** +diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c +index ff1e065746..32a38562bd 100644 +--- a/src/OVAL/probes/independent/filehash58_probe.c ++++ b/src/OVAL/probes/independent/filehash58_probe.c +@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported() + + void *filehash58_probe_init(void) + { +- /* +- * Initialize crypto API +- */ +- if (crapi_init (NULL) != 0) +- return (NULL); +- + /* + * Initialize mutex. + */ +diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c +index 522d976512..6d8780dc95 100644 +--- a/src/OVAL/probes/independent/filehash_probe.c ++++ b/src/OVAL/probes/independent/filehash_probe.c +@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported() + + void *filehash_probe_init(void) + { +- /* +- * Initialize crypto API +- */ +- if (crapi_init (NULL) != 0) +- return (NULL); +- + /* + * Initialize mutex. + */ +diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c +index d0de402d8b..99913581f0 100644 +--- a/src/OVAL/probes/independent/filemd5_probe.c ++++ b/src/OVAL/probes/independent/filemd5_probe.c +@@ -163,12 +163,6 @@ int probe_offline_mode_supported() + + void *probe_init (void) + { +- /* +- * Initialize crypto API +- */ +- if (crapi_init (NULL) != 0) +- return (NULL); +- + /* + * Initialize mutex. + */ + +From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 13 Jul 2021 13:03:21 +0200 +Subject: [PATCH 2/3] Add a missing include + +--- + src/OVAL/oval_probe_session.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c +index 6f6d7ad426..295782b536 100644 +--- a/src/OVAL/oval_probe_session.c ++++ b/src/OVAL/oval_probe_session.c +@@ -48,6 +48,7 @@ + #include "oval_probe_ext.h" + #include "probe-table.h" + #include "oval_types.h" ++#include "crapi/crapi.h" + + #if defined(OSCAP_THREAD_SAFE) + #include + +From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 15 Jul 2021 14:21:00 +0200 +Subject: [PATCH 3/3] Don't initialize crypto on Windows + +--- + src/OVAL/oval_probe_session.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c +index 295782b536..b443cbcc80 100644 +--- a/src/OVAL/oval_probe_session.c ++++ b/src/OVAL/oval_probe_session.c +@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void) + /* + * Initialize crypto API + */ ++#ifndef OS_WINDOWS + if (crapi_init (NULL) != 0) + return (NULL); ++#endif + } + + /** diff --git a/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch b/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch new file mode 100644 index 0000000..2c175b8 --- /dev/null +++ b/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch @@ -0,0 +1,97 @@ +From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 28 Jul 2021 13:06:25 +0200 +Subject: [PATCH] Add a regression test for rhbz#1959570 + +The bug was a segmentation fault in filehash58 probe which happened +in openscap-1.3.3-6.el8_3. + +The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779 +and this patch adds a very small test. +--- + tests/probes/filehash58/CMakeLists.txt | 1 + + .../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++ + .../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++ + 3 files changed, 59 insertions(+) + create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh + create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml + +diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt +index b26d8171fb..cdec0792eb 100644 +--- a/tests/probes/filehash58/CMakeLists.txt ++++ b/tests/probes/filehash58/CMakeLists.txt +@@ -1,3 +1,4 @@ + if(ENABLE_PROBES_INDEPENDENT) + add_oscap_test("test_probes_filehash58.sh") ++ add_oscap_test("rhbz1959570_segfault.sh") + endif() +diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh +new file mode 100755 +index 0000000000..0c32cc79f1 +--- /dev/null ++++ b/tests/probes/filehash58/rhbz1959570_segfault.sh +@@ -0,0 +1,19 @@ ++#!/usr/bin/env bash ++ ++# Copyright 2021 Red Hat Inc., Durham, North Carolina. ++# All Rights Reserved. ++# ++# OpenSCAP Probes Test Suite. ++# ++# Authors: ++# Jan Černý, ++ ++set -e -o pipefail ++. $builddir/tests/test_common.sh ++ ++# Test Cases ++ ++stderr="$(mktemp)" ++$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr" ++[ ! -s "$stderr" ] ++rm "$stderr" +diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml +new file mode 100644 +index 0000000000..4b3fc4863a +--- /dev/null ++++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml +@@ -0,0 +1,39 @@ ++ ++ ++ ++ jcerny ++ 1 ++ 5.11 ++ 2021-07-28T07:40:55 ++ ++ ++ ++ ++ title ++ description ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/os-release ++ SHA-256 ++ ++ ++ ++ ++ /etc/os-release ++ SHA-256 ++ 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af ++ ++ ++ diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index d415d82..900978e 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -1,6 +1,6 @@ Name: openscap Version: 1.3.5 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ @@ -11,6 +11,8 @@ Patch2: openscap-1.3.6-PR-1748-covscan.patch Patch3: openscap-1.3.6-PR-1749-blueprint-fix.patch Patch4: openscap-1.3.6-PR-1753-getlogin.patch Patch5: openscap-1.3.6-PR-1756-yaml-nulls.patch +Patch6: openscap-1.3.6-PR-1779-initialize-crapi-once.patch +Patch7: openscap-1.3.6-PR-1788-test-rhbz1959570.patch BuildRequires: cmake >= 2.6 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser BuildRequires: rpm-devel @@ -219,6 +221,9 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/oscap-run-sce-script %changelog +* Wed Jul 28 2021 Jan Černý - 1.3.5-6 +- Initialize crypto API only once (rhbz#1959570) + * Wed Jul 14 2021 Evgenii Kolesnikov - 1.3.5-5 - Add 'null' values handling to the yamlfilecontent probe (RHBZ#1981691)