diff --git a/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch b/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch
new file mode 100644
index 0000000..94cc375
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1779-initialize-crapi-once.patch
@@ -0,0 +1,136 @@
+From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 8 Jul 2021 14:28:16 +0200
+Subject: [PATCH 1/3] Initialize crypto API only once
+
+The function `crapi_init` calls `gcry_check_version` which must be
+called before any other function from the Libgcrypt library. That might
+be violated when multiple threads executing multiple probes are running.
+The mitigation proposed in this PR is to call `crapi_init` only once
+when the session is initialized which means before any threads are
+spawned.
+
+See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
+
+Resolves: RHBZ#1959570
+---
+ src/OVAL/oval_probe_session.c | 5 +++++
+ src/OVAL/probes/independent/filehash58_probe.c | 6 ------
+ src/OVAL/probes/independent/filehash_probe.c | 6 ------
+ src/OVAL/probes/independent/filemd5_probe.c | 6 ------
+ 4 files changed, 5 insertions(+), 18 deletions(-)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 435ca148fd..6f6d7ad426 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
+ SEXP_free((SEXP_t *)exp);
+
+ ncache_libinit();
++ /*
++ * Initialize crypto API
++ */
++ if (crapi_init (NULL) != 0)
++ return (NULL);
+ }
+
+ /**
+diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
+index ff1e065746..32a38562bd 100644
+--- a/src/OVAL/probes/independent/filehash58_probe.c
++++ b/src/OVAL/probes/independent/filehash58_probe.c
+@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
+
+ void *filehash58_probe_init(void)
+ {
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+ /*
+ * Initialize mutex.
+ */
+diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
+index 522d976512..6d8780dc95 100644
+--- a/src/OVAL/probes/independent/filehash_probe.c
++++ b/src/OVAL/probes/independent/filehash_probe.c
+@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
+
+ void *filehash_probe_init(void)
+ {
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+ /*
+ * Initialize mutex.
+ */
+diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
+index d0de402d8b..99913581f0 100644
+--- a/src/OVAL/probes/independent/filemd5_probe.c
++++ b/src/OVAL/probes/independent/filemd5_probe.c
+@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
+
+ void *probe_init (void)
+ {
+- /*
+- * Initialize crypto API
+- */
+- if (crapi_init (NULL) != 0)
+- return (NULL);
+-
+ /*
+ * Initialize mutex.
+ */
+
+From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 13 Jul 2021 13:03:21 +0200
+Subject: [PATCH 2/3] Add a missing include
+
+---
+ src/OVAL/oval_probe_session.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 6f6d7ad426..295782b536 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -48,6 +48,7 @@
+ #include "oval_probe_ext.h"
+ #include "probe-table.h"
+ #include "oval_types.h"
++#include "crapi/crapi.h"
+
+ #if defined(OSCAP_THREAD_SAFE)
+ #include <pthread.h>
+
+From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 15 Jul 2021 14:21:00 +0200
+Subject: [PATCH 3/3] Don't initialize crypto on Windows
+
+---
+ src/OVAL/oval_probe_session.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
+index 295782b536..b443cbcc80 100644
+--- a/src/OVAL/oval_probe_session.c
++++ b/src/OVAL/oval_probe_session.c
+@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
+ /*
+ * Initialize crypto API
+ */
++#ifndef OS_WINDOWS
+ if (crapi_init (NULL) != 0)
+ return (NULL);
++#endif
+ }
+
+ /**
diff --git a/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch b/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch
new file mode 100644
index 0000000..2c175b8
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1788-test-rhbz1959570.patch
@@ -0,0 +1,97 @@
+From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 28 Jul 2021 13:06:25 +0200
+Subject: [PATCH] Add a regression test for rhbz#1959570
+
+The bug was a segmentation fault in filehash58 probe which happened
+in openscap-1.3.3-6.el8_3.
+
+The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779
+and this patch adds a very small test.
+---
+ tests/probes/filehash58/CMakeLists.txt | 1 +
+ .../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++
+ .../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++
+ 3 files changed, 59 insertions(+)
+ create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh
+ create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+
+diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt
+index b26d8171fb..cdec0792eb 100644
+--- a/tests/probes/filehash58/CMakeLists.txt
++++ b/tests/probes/filehash58/CMakeLists.txt
+@@ -1,3 +1,4 @@
+ if(ENABLE_PROBES_INDEPENDENT)
+ add_oscap_test("test_probes_filehash58.sh")
++ add_oscap_test("rhbz1959570_segfault.sh")
+ endif()
+diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh
+new file mode 100755
+index 0000000000..0c32cc79f1
+--- /dev/null
++++ b/tests/probes/filehash58/rhbz1959570_segfault.sh
+@@ -0,0 +1,19 @@
++#!/usr/bin/env bash
++
++# Copyright 2021 Red Hat Inc., Durham, North Carolina.
++# All Rights Reserved.
++#
++# OpenSCAP Probes Test Suite.
++#
++# Authors:
++# Jan Černý, <jcerny@redhat.com>
++
++set -e -o pipefail
++. $builddir/tests/test_common.sh
++
++# Test Cases
++
++stderr="$(mktemp)"
++$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr"
++[ ! -s "$stderr" ]
++rm "$stderr"
+diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+new file mode 100644
+index 0000000000..4b3fc4863a
+--- /dev/null
++++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
+@@ -0,0 +1,39 @@
++<?xml version="1.0"?>
++<oval-def:oval_definitions xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
++ <oval-def:generator>
++ <oval:product_name>jcerny</oval:product_name>
++ <oval:product_version>1</oval:product_version>
++ <oval:schema_version>5.11</oval:schema_version>
++ <oval:timestamp>2021-07-28T07:40:55</oval:timestamp>
++ </oval-def:generator>
++ <oval-def:definitions>
++ <oval-def:definition class="compliance" id="oval:x:def:1" version="1">
++ <oval-def:metadata>
++ <oval-def:title>title</oval-def:title>
++ <oval-def:description>description</oval-def:description>
++ </oval-def:metadata>
++ <oval-def:criteria>
++ <oval-def:criterion comment="comment" test_ref="oval:x:tst:1"/>
++ </oval-def:criteria>
++ </oval-def:definition>
++ </oval-def:definitions>
++ <oval-def:tests>
++ <ind:filehash58_test check="all" check_existence="all_exist" comment="comment" id="oval:x:tst:1" version="1">
++ <ind:object object_ref="oval:x:obj:1"/>
++ <ind:state state_ref="oval:x:ste:1"/>
++ </ind:filehash58_test>
++ </oval-def:tests>
++ <oval-def:objects>
++ <ind:filehash58_object id="oval:x:obj:1" version="1">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:hash_type>SHA-256</ind:hash_type>
++ </ind:filehash58_object>
++ </oval-def:objects>
++ <oval-def:states>
++ <ind:filehash58_state id="oval:x:ste:1" version="1">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:hash_type>SHA-256</ind:hash_type>
++ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
++ </ind:filehash58_state>
++ </oval-def:states>
++</oval-def:oval_definitions>
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index d415d82..900978e 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -1,6 +1,6 @@
Name: openscap
Version: 1.3.5
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries
License: LGPLv2+
@@ -11,6 +11,8 @@ Patch2: openscap-1.3.6-PR-1748-covscan.patch
Patch3: openscap-1.3.6-PR-1749-blueprint-fix.patch
Patch4: openscap-1.3.6-PR-1753-getlogin.patch
Patch5: openscap-1.3.6-PR-1756-yaml-nulls.patch
+Patch6: openscap-1.3.6-PR-1779-initialize-crapi-once.patch
+Patch7: openscap-1.3.6-PR-1788-test-rhbz1959570.patch
BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel
@@ -219,6 +221,9 @@ rm -rf $RPM_BUILD_ROOT
%{_bindir}/oscap-run-sce-script
%changelog
+* Wed Jul 28 2021 Jan Černý <jcerny@redhat.com> - 1.3.5-6
+- Initialize crypto API only once (rhbz#1959570)
+
* Wed Jul 14 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1.3.5-5
- Add 'null' values handling to the yamlfilecontent probe (RHBZ#1981691)