diff --git a/SOURCES/openscap-1.2.18-gzip-compression-PR1576.patch b/SOURCES/openscap-1.2.18-gzip-compression-PR1576.patch new file mode 100644 index 0000000..9456fc4 --- /dev/null +++ b/SOURCES/openscap-1.2.18-gzip-compression-PR1576.patch 
@@ -0,0 +1,263 @@ +diff --git a/configure.ac b/configure.ac +index 91fba1390..bbc525454 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -311,6 +311,21 @@ AC_SUBST([PTHREAD_LIBS]) + PKG_CHECK_MODULES([curl], [libcurl >= 7.12.0],[], + AC_MSG_FAILURE([libcurl devel support is missing])) + ++AC_MSG_CHECKING([whether libcurl supports CURLOPT_ACCEPT_ENCODING and CURLOPT_TRANSFER_ENCODING]) ++AC_COMPILE_IFELSE( ++ [AC_LANG_PROGRAM( ++ [[#include ++ #include ]], ++ [[CURL *curl; curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, 0);]])], ++ [AC_DEFINE([HAVE_CURL_WITH_COMPRESSION], 1, [libcurl is new enough to have support for data compression]) ++ AC_MSG_RESULT([yes])] ++ curl_accepts_encoding=yes, ++ [AC_MSG_RESULT([no]) ++ AC_MSG_NOTICE([libcurl doesnt support any compression with CURLOPT_ACCEPT_ENCODING]) ++ curl_accepts_encoding=no] ++) ++AM_CONDITIONAL([CURLOPT_ACCEPT_ENCODING], [test "$curl_accepts_encoding" = yes]) ++ + PKG_CHECK_MODULES([xml2], [libxml-2.0 >= 2.0],[], + AC_MSG_FAILURE([libxml-2.0 devel support is missing])) + +@@ -1576,6 +1591,7 @@ AC_CONFIG_FILES([Makefile + tests/nist/Makefile + tests/offline_mode/Makefile + ++ tests/curl/Makefile + src/SCE/Makefile + tests/sce/Makefile]) + +diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c +index 70dbbea7c..997e69117 100644 +--- a/src/common/oscap_acquire.c ++++ b/src/common/oscap_acquire.c +@@ -39,6 +39,7 @@ + #include "common/oscap_buffer.h" + #include "common/_error.h" + #include "oscap_string.h" ++#include "debug_priv.h" + + #ifndef OSCAP_TEMP_DIR + #define OSCAP_TEMP_DIR "/tmp" +@@ -142,6 +143,34 @@ oscap_acquire_url_to_filename(const char *url) + return filename; + } + ++static int _curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, void *userp) ++{ ++ const char *title; ++ ++ switch (type) { ++ case CURLINFO_TEXT: ++ title = "== cURL info"; ++ break; ++ case CURLINFO_HEADER_OUT: ++ title = "=> cURL header (out)"; 
++ break; ++ case CURLINFO_HEADER_IN: ++ title = "<= cURL header (in)"; ++ break; ++ case CURLINFO_DATA_OUT: ++ case CURLINFO_SSL_DATA_OUT: ++ case CURLINFO_DATA_IN: ++ case CURLINFO_SSL_DATA_IN: ++ default: ++ return 0; ++ break; ++ } ++ ++ dD("%s: %s", title, data); ++ ++ return 0; ++} ++ + char* oscap_acquire_url_download(const char *url, size_t* memory_size) + { + CURL *curl; +@@ -156,7 +185,13 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) + curl_easy_setopt(curl, CURLOPT_URL, url); + curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); ++#ifdef HAVE_CURL_WITH_COMPRESSION ++ curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); ++ curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true); ++#endif + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); ++ curl_easy_setopt(curl, CURLOPT_VERBOSE, true); ++ curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace); + + CURLcode res = curl_easy_perform(curl); + curl_easy_cleanup(curl); +diff --git a/tests/Makefile.am b/tests/Makefile.am +index f15c45702..1d10cc7d7 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -22,6 +22,7 @@ SUBDIRS = \ + bz2 \ + codestyle \ + CPE \ ++ curl \ + DS \ + sources \ + schemas \ +diff --git a/tests/curl/Makefile.am b/tests/curl/Makefile.am +new file mode 100644 +index 000000000..118c53ea1 +--- /dev/null ++++ b/tests/curl/Makefile.am +@@ -0,0 +1,16 @@ ++DISTCLEANFILES = *.log *.results oscap_debug.log.* ++CLEANFILES = *.log *.results oscap_debug.log.* ++ ++TESTS_ENVIRONMENT = \ ++ builddir=$(top_builddir) \ ++ OSCAP_FULL_VALIDATION=1 \ ++ $(top_builddir)/run ++ ++TESTS = ++ ++if CURLOPT_ACCEPT_ENCODING ++TESTS += test_curl_encoding.sh ++endif ++ ++EXTRA_DIST = test_curl_encoding.sh \ ++ ds.xml +diff --git a/tests/curl/ds.xml b/tests/curl/ds.xml +new file mode 100644 +index 000000000..f33cb475d +--- /dev/null ++++ b/tests/curl/ds.xml +@@ -0,0 +1,99 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ 5.11 ++ 2009-01-12T10:41:00-05:00 ++ ++ ++ ++ ++ ++ PASS ++ pass ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ oval:x:var:1 ++ ++ ++ ++ ++ ++ 100 ++ ++ ++ ++ ++ ++ ++ ++ ++ accepted ++ 1.0 ++ ++ ++ xccdf_test_profile ++ This profile is for testing. ++ ++ ++ ++ ++ test value ++ foo ++ 50 ++ 100 ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ This rule checks remote resource ++ ++ ++ ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ ++ +diff --git a/tests/curl/test_curl_encoding.sh b/tests/curl/test_curl_encoding.sh +new file mode 100755 +index 000000000..674abf691 +--- /dev/null ++++ b/tests/curl/test_curl_encoding.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++set -e -o pipefail ++ ++. $builddir/tests/test_common.sh ++ ++function curl_accept_encoding { ++ local DF="${srcdir}/ds.xml" ++ local RF="results.xml" ++ local LOG="verbose.log" ++ ++ $OSCAP xccdf eval --verbose=DEVEL --fetch-remote-resources --results $RF $DF 2>$LOG || echo "OK" ++ ++ grep -P "Accept-Encoding.*gzip" $LOG ++ ++ return 0 ++} ++ ++test_init ++ ++test_run "cURL: Accept-Encoding" curl_accept_encoding ++ ++test_exit diff --git a/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch b/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch new file mode 100644 index 0000000..4528a9e --- /dev/null +++ b/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch 
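Review bot: `_curl_trace` hands the debug callback's `data` to `dD("%s: %s", title, data)`, but the buffer libcurl passes to a CURLOPT_DEBUGFUNCTION is not NUL-terminated — its length is the `size` argument the function currently ignores — so the `%s` reads past the end of the buffer; use `dD("%s: %.*s", title, (int)size, data);`. Setting `CURLOPT_VERBOSE` unconditionally in `oscap_acquire_url_download` (whose body continues past the hunk) also routes every outgoing request header, including any Authorization or cookie header, into the debug log; this is presumably gated by the runtime debug level, but it would be safer to set the two trace options only when debug logging is active, or to drop `CURLINFO_HEADER_OUT` from the traced cases. `curl_easy_setopt` documents a `long` for CURLOPT_TRANSFER_ENCODING, so `1L` rather than `true` is the portable form (the existing FOLLOWLOCATION line has the same issue). In configure.ac the `curl_accepts_encoding=yes` assignment sits outside the closing `]` of the action-if-true argument; moving it inside the quoted block, `AC_MSG_RESULT([yes]) curl_accepts_encoding=yes],`, avoids relying on unquoted m4 text.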
@@ -0,0 +1,103 @@ +From a0d5ed656f09ab5da547058366cd5f45584ba7b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 31 Jul 2020 10:38:17 +0200 +Subject: [PATCH] Plug a memory leak + +==12029== at 0x483A809: malloc (vg_replace_malloc.c:307) +==12029== by 0x51F1386: realpath@@GLIBC_2.3 (in /usr/lib64/libc-2.31.so) +==12029== by 0x489F8CA: oscap_realpath (util.c:251) +==12029== by 0x495E6EF: rpmverify_collect (rpmverifyfile_probe.c:248) +==12029== by 0x495F461: rpmverifyfile_probe_main (rpmverifyfile_probe.c:543) +==12029== by 0x4935598: probe_worker (worker.c:1090) +==12029== by 0x4932F10: probe_worker_runfn (worker.c:81) +==12029== by 0x4CDA431: start_thread (in /usr/lib64/libpthread-2.31.so) +==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so) + +==12029== at 0x483CCE8: realloc (vg_replace_malloc.c:834) +==12029== by 0x4D9DCD8: rrealloc (in /usr/lib64/librpmio.so.9.0.1) +==12029== by 0x4D25B88: headerFormat (in /usr/lib64/librpm.so.9.0.1) +==12029== by 0x495E467: rpmverify_collect (rpmverifyfile_probe.c:230) +==12029== by 0x495F461: rpmverifyfile_probe_main +(rpmverifyfile_probe.c:543) +==12029== by 0x4935598: probe_worker (worker.c:1090) +==12029== by 0x4932F10: probe_worker_runfn (worker.c:81) +==12029== by 0x4CDA431: start_thread (in +/usr/lib64/libpthread-2.31.so) +==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so) + +Resolves: RHBZ#1861301 +--- + src/OVAL/probes/unix/linux/rpmverifyfile.c | 24 ++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c +index e17f1612b..781d071ab 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifyfile.c ++++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c +@@ -61,10 +61,10 @@ + + struct rpmverify_res { + char *name; /**< package name */ +- const char *epoch; +- const char *version; +- const char *release; +- const char *arch; ++ char *epoch; ++ char *version; ++ char 
*release; ++ char *arch; + char *file; /**< filepath */ + char extended_name[1024]; + rpmVerifyAttrs vflags; /**< rpm verify flags */ +@@ -273,14 +273,14 @@ static int rpmverify_collect(probe_ctx *ctx, + free(current_file_realpath); + continue; + } +- res.file = current_file_realpath ? current_file_realpath : strdup(current_file); ++ res.file = current_file_realpath ? oscap_strdup(current_file_realpath) : oscap_strdup(current_file); + break; + case OVAL_OPERATION_PATTERN_MATCH: + ret = pcre_exec(re, NULL, current_file, strlen(current_file), 0, 0, NULL, 0); + + switch(ret) { + case 0: /* match */ +- res.file = strdup(current_file); ++ res.file = oscap_strdup(current_file); + break; + case -1: + /* mismatch */ +@@ -300,12 +300,18 @@ static int rpmverify_collect(probe_ctx *ctx, + free(current_file_realpath); + goto ret; + } ++ free(current_file_realpath); + + if (rpmVerifyFile(g_rpm.rpmts, fi, &res.vflags, omit) != 0) + res.vflags = RPMVERIFY_FAILURES; + + if (callback(ctx, &res) != 0) { + ret = 0; ++ free(res.name); ++ free(res.epoch); ++ free(res.version); ++ free(res.release); ++ free(res.arch); + free(res.file); + goto ret; + } +@@ -314,6 +320,12 @@ static int rpmverify_collect(probe_ctx *ctx, + + rpmfiFree(fi); + } ++ ++ free(res.name); ++ free(res.epoch); ++ free(res.version); ++ free(res.release); ++ free(res.arch); + } + + match = rpmdbFreeIterator (match); +-- +2.26.2 + diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index 4cade78..672d82f 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -6,7 +6,7 @@ restorecon -R /usr/bin/oscap /usr/libexec/openscap; \ Name: openscap Version: 1.2.17 -Release: 11%{?dist} +Release: 13%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ 
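Review bot: The five `free()` calls for `res.name`/`epoch`/`version`/`release`/`arch` are duplicated on the `callback(ctx, &res) != 0` path and at the end of the package loop, but the earlier exit in the same loop — the `free(current_file_realpath); goto ret;` block at the top of the third hunk — gets no such cleanup, so those strings still appear to leak there unless the `ret:` label (outside the hunk) frees them. Both copies also leave dangling pointers in `res`, which looks like it is reused for the next package. A small helper that frees and resets the fields can be called from all three places; `rpmverify_collect` starts and ends outside the hunk.
```c
/* Free the per-package strings of *res and reset them so the struct
 * can be cleaned up again safely on any exit path. */
static void rpmverify_res_free_strings(struct rpmverify_res *res)
{
	free(res->name);
	free(res->epoch);
	free(res->version);
	free(res->release);
	free(res->arch);
	res->name = res->epoch = res->version = res->release = res->arch = NULL;
}

/* … unchanged: rpmverify_collect up to the callback check … */
			if (callback(ctx, &res) != 0) {
				ret = 0;
				rpmverify_res_free_strings(&res);
				free(res.file);
				goto ret;
			}
/* … unchanged: rest of the loop; the end-of-loop frees become rpmverify_res_free_strings(&res) … */
```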
@@ -37,6 +37,8 @@ Patch22: openscap-1.2.18-oscap-ssh-sudo.patch Patch23: openscap-1.2.18-selinuxsecuritycontext-verbose.patch Patch24: openscap-1.2.18-cvrf-segfault.patch Patch25: openscap-1.3.2-red-hat-errata-url-pr1388.patch +Patch26: openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch +Patch27: openscap-1.2.18-gzip-compression-PR1576.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser BuildRequires: rpm-devel @@ -177,6 +179,8 @@ Tool for scanning Atomic containers. %patch23 -p1 %patch24 -p1 %patch25 -p1 +%patch26 -p1 +%patch27 -p1 %build %ifarch sparc64 @@ -332,6 +336,12 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Sep 21 2020 Jan Černý - 1.2.17-13 +- Enable gzip compression when downloading remote content (RHBZ#1870147) + +* Fri Aug 07 2020 Jan Černý - 1.2.17-12 +- Fix memory leaks in rpmverifyfile probe (RHBZ#1861300) + * Tue Apr 28 2020 Jan Černý - 1.2.17-11 - Fix URL for Red Hat Errata (RHBZ#1828779)