diff --git a/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch b/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch
new file mode 100644
index 0000000..4272a78
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1745-waive-hugepages.patch
@@ -0,0 +1,43 @@
+From 192f908562779fe4c9b7e5cc7605840976a06c85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 26 Apr 2021 13:13:26 +0200
+Subject: [PATCH] Waive the known issue with hugepages on ppc64/ppc64le
+
+The known issue has been reported in
+https://bugzilla.redhat.com/show_bug.cgi?id=1642995
+
+This modification is currently applied as a patch applied during setup
+phase of Sanity/smoke-test in Fedora CI gating.
+https://src.fedoraproject.org/tests/openscap/blob/main/f/Sanity/smoke-test
+The patched file got changed recetly so the patch doesn't apply anymore
+which causes the Rawhide gating to fail.
+We have decided to propose the change to upstream to avoid the need
+for modifying the patch in the tests and to prevent similar problems
+in the future.
+---
+ tests/probes/sysctl/test_sysctl_probe_all.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
+index 2280ff7ae..c79d7ed18 100755
+--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
+@@ -73,6 +73,10 @@ if [ "$procps_ver" != "$lowest_ver" ]; then
+ sed -i '/.*vm.stat_refresh/d' "$sysctlNames"
+ fi
+ 
++if ! grep -q "hugepages" "$ourNames"; then
++ sed -i "/^.*hugepages.*$/d" "$sysctlNames"
++fi
++
+ echo "Diff (sysctlNames / ourNames): ------"
+ diff "$sysctlNames" "$ourNames"
+ echo "-------------------------------------"
+@@ -84,6 +88,7 @@ sed -i -E "/^E: oscap: +Can't read sysctl value from /d" "$stderr"
+ # that can't fit into 8K buffer and result in errno 14
+ # (for example /proc/sys/kernel/spl/hostid could be the case)
+ sed -i -E "/^E: oscap: +An error.*14, Bad address/d" "$stderr"
++sed -i "/^.*hugepages.*$/d" "$stderr"
+ 
+ echo "Errors (without messages related to permissions):"
+ cat "$stderr"
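Review bot: The second added line, `sed -i "/^.*hugepages.*$/d" "$stderr"`, is unconditional, whereas the `sysctlNames` filtering a few lines above is guarded by `if ! grep -q "hugepages" "$ourNames"`; on a platform where the probe does report hugepages entries, a genuine read error mentioning hugepages is silently dropped from the stderr check too. Wrapping the stderr line in the same guard, `if ! grep -q "hugepages" "$ourNames"; then sed -i "/^.*hugepages.*$/d" "$stderr"; fi`, keeps the waiver to the known-bad case. The pattern `^.*hugepages.*$` also matches any line containing that substring, so a comment pointing at the bugzilla entry named in the patch description (1642995) next to both sed lines would tell a later reader which entries they are meant to hide. The test script continues outside the hunk.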
diff --git a/SOURCES/openscap-1.3.6-PR-1748-covscan.patch b/SOURCES/openscap-1.3.6-PR-1748-covscan.patch
new file mode 100644
index 0000000..9d5661a
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1748-covscan.patch
@@ -0,0 +1,52 @@
+From 378ef5e438a2f5af7a50374d2bd23bdd3403201f Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov
+Date: Tue, 4 May 2021 08:41:06 +0200
+Subject: [PATCH] Fix covscan-reported issues in yamlfilecontent probe and
+ schematron
+
+Error: FORWARD_NULL (CWE-476): [#def1]
+/OVAL/probes/independent/yamlfilecontent_probe.c:392: var_compare_op: Comparing "yaml_file" to null implies that "yaml_file" might be null.
+/OVAL/probes/independent/yamlfilecontent_probe.c:417: var_deref_model: Passing null pointer "yaml_file" to "fclose", which dereferences it.
+# 416| cleanup:
+# 417|-> fclose(yaml_file);
+# 418| yaml_parser_delete(&parser);
+
+Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
+/source/schematron.c:549: alloc_fn: Storage is returned from allocation function "xmlXPathNodeEval".
+/source/schematron.c:549: var_assign: Assigning: "component_refs" = storage returned from "xmlXPathNodeEval(data_stream_node, (xmlChar *)"ds:checklists/ds:component-ref", context)".
+/source/schematron.c:551: leaked_storage: Variable "component_refs" going out of scope leaks the storage it points to.
+# 550| if (component_refs == NULL || component_refs->nodesetval == NULL) {
+# 551|-> return res;
+# 552| }
+---
+ src/OVAL/probes/independent/yamlfilecontent_probe.c | 3 ++-
+ src/source/schematron.c | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/independent/yamlfilecontent_probe.c b/src/OVAL/probes/independent/yamlfilecontent_probe.c
+index ed5ce0d68..62a8f4ff2 100644
+--- a/src/OVAL/probes/independent/yamlfilecontent_probe.c
++++ b/src/OVAL/probes/independent/yamlfilecontent_probe.c
+@@ -414,7 +414,8 @@ static int process_yaml_file(const char *prefix, const char *path, const char *f
+ }
+ 
+ cleanup:
+- fclose(yaml_file);
++ if (yaml_file != NULL)
++ fclose(yaml_file);
+ yaml_parser_delete(&parser);
+ free(filepath_with_prefix);
+ free(filepath);
+diff --git a/src/source/schematron.c b/src/source/schematron.c
+index 6cb22658b..c32d5aed6 100644
+--- a/src/source/schematron.c
++++ b/src/source/schematron.c
+@@ -548,6 +548,8 @@ static bool _req_src_346_1_sub1(xmlNodePtr data_stream_node, xmlXPathContextPtr
+ /* every $m in ds:checklists/ds:component-ref satisfies ... */
+ xmlXPathObjectPtr component_refs = xmlXPathNodeEval(data_stream_node, BAD_CAST "ds:checklists/ds:component-ref", context);
+ if (component_refs == NULL || component_refs->nodesetval == NULL) {
++ if (component_refs != NULL)
++ xmlXPathFreeObject(component_refs);
+ return res;
+ }
+ for (int i = 0; i < component_refs->nodesetval->nodeNr; i++) {
diff --git a/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch b/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch
new file mode 100644
index 0000000..0e44989
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1749-blueprint-fix.patch
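Review bot: Both new guards, `if (yaml_file != NULL)` before `fclose(yaml_file);` in process_yaml_file's cleanup and `if (component_refs != NULL)` before `xmlXPathFreeObject(component_refs);` in _req_src_346_1_sub1, leave the controlled statement unbraced, which is the shape that lets a later added line silently fall outside the condition; `if (yaml_file != NULL) { fclose(yaml_file); }` and the same for the schematron site cost nothing. In the cleanup block, `yaml_parser_delete(&parser);` stays unconditional on every path that jumps to `cleanup`; whether the parser is always initialised before such a jump is not visible here, and if it is not, that call deserves the same kind of guard. Both enclosing functions start and end outside the hunk.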
@@ -0,0 +1,64 @@
+From 5f0a9033b466d929613a2a55a1524ec75c09b5b0 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov
+Date: Thu, 6 May 2021 08:14:12 +0200
+Subject: [PATCH] Introduce OSBuild Blueprint fix type
+
+---
+ utils/oscap-xccdf.c | 7 +++++--
+ utils/oscap.8 | 2 +-
+ xsl/xccdf-share.xsl | 1 +
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
+index 95c1c7658d..801e54fa35 100644
+--- a/utils/oscap-xccdf.c
++++ b/utils/oscap-xccdf.c
+@@ -275,7 +275,8 @@ static struct oscap_module XCCDF_GEN_FIX = {
+ .usage = "[options] xccdf-file.xml",
+ .help = GEN_OPTS
+ "\nFix Options:\n"
+- " --fix-type - Fix type. Should be one of: bash, ansible, puppet, anaconda (default: bash).\n"
++ " --fix-type - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
++ " blueprint (default: bash).\n"
+ " --output - Write the script into file.\n"
+ " --result-id - Fixes will be generated for failed rule-results of the specified TestResult.\n"
+ " --template - Fix template. (default: bash)\n"
+@@ -887,10 +888,12 @@ int app_generate_fix(const struct oscap_action *action)
+ template = "urn:xccdf:fix:script:ignition";
+ } else if (strcmp(action->fix_type, "kubernetes") == 0) {
+ template = "urn:xccdf:fix:script:kubernetes";
++ } else if (strcmp(action->fix_type, "blueprint") == 0) {
++ template = "urn:redhat:osbuild:blueprint";
+ } else {
+ fprintf(stderr,
+ "Unknown fix type '%s'.\n"
+- "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes.\n"
++ "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint.\n"
+ "Or provide a custom template using '--template' instead.\n",
+ action->fix_type);
+ return OSCAP_ERROR;
+diff --git a/utils/oscap.8 b/utils/oscap.8
+index 240b829d7b..6cae0ffe8a 100644
+--- a/utils/oscap.8
++++ b/utils/oscap.8
+@@ -395,7 +395,7 @@ Result-oriented fixes are generated using result-id provided to select only the
+ Profile-oriented fixes are generated using all rules within the provided profile. If no result-id/profile are provided, (default) profile will be used to generate fixes.
+ .TP
+ \fB\-\-fix-type TYPE\fR
+-Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
++Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
+ .TP
+ \fB\-\-output FILE\fR
+ Write the report to this file instead of standard output.
+diff --git a/xsl/xccdf-share.xsl b/xsl/xccdf-share.xsl
+index 9f8e587676..d7a9f3b7e2 100644
+--- a/xsl/xccdf-share.xsl
++++ b/xsl/xccdf-share.xsl
+@@ -295,6 +295,7 @@ Authors:
+ Puppet snippet
+ Anaconda snippet
+ Kubernetes snippet
++ OSBuild Blueprint snippet
+ script
+ 
+ 
diff --git a/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch b/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch
new file mode 100644
index 0000000..a63f094
--- /dev/null
+++ b/SOURCES/openscap-1.3.6-PR-1753-getlogin.patch
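Review bot: The new branch in app_generate_fix sets `template = "urn:redhat:osbuild:blueprint";`, the only URN in the chain not under `urn:xccdf:fix:script:` (compare the ignition and kubernetes entries beside it), and nothing in the hunk says why, so a later reader is likely to take it for a typo. A one-line comment such as `/* OSBuild blueprints are not XCCDF fix scripts; this URN must match the template keyed in xsl/xccdf-share.xsl */` would settle it, on the assumption that the xsl hunk's new "OSBuild Blueprint snippet" label is keyed on this same URN (the XML markup was stripped from the page, so I cannot confirm). The accepted type names are now maintained by hand in three places, the help string, the error message and oscap.8, and the blueprint help line wraps onto a second string without the column alignment of its neighbours. app_generate_fix starts and ends outside the hunk.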
@@ -0,0 +1,36 @@
+From b31cff1bc3a298cfa36a10476f2d633c290b6741 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 11 May 2021 13:20:18 +0200
+Subject: [PATCH] Replace getlogin by cuserid
+
+The getlogin() is used here to fill in the xccdf:identity element which
+shall contain information about the system identity or user employed
+during application of the benchmark. But, the getlogin() can return NULL
+when there is no controlling terminal. This happened when testing oscap
+on a test system with no pty. As an alternative, the system provides
+also cuserid() function which gets the effective user ID of the process.
+However, these 2 values differ when the program is executed under sudo.
+From the user experience point of view, it would be better to have
+displayed there the user logged in on the controlling terminal. As a
+compromise, we will first attempt to obtain the name using getlogin()
+and if that fails we will run cuserid().
+---
+ src/XCCDF/result.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
+index cd03e6bd8f..cbe016c44a 100644
+--- a/src/XCCDF/result.c
++++ b/src/XCCDF/result.c
+@@ -217,7 +217,10 @@ static inline void _xccdf_result_fill_identity(struct xccdf_result *result)
+ xccdf_identity_set_authenticated(id, 0);
+ xccdf_identity_set_privileged(id, 0);
+ #ifdef OSCAP_UNIX
+- xccdf_identity_set_name(id, getlogin());
++ char *name = getlogin();
++ if (name == NULL)
++ name = cuserid(NULL);
++ xccdf_identity_set_name(id, name);
+ #elif defined(OS_WINDOWS)
+ GetUserName((TCHAR *) w32_username, &w32_usernamesize); /* XXX: Check the return value? */
+ xccdf_identity_set_name(id, w32_username);
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index 6dca31a..a0b284f 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
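Review bot: `name = cuserid(NULL);` can itself return NULL (with glibc, when no passwd entry matches the effective UID), so `xccdf_identity_set_name(id, name);` may still receive the NULL this patch sets out to avoid unless the setter tolerates it, which is not visible here. cuserid() was also dropped from POSIX in 2001 and is documented as obsolete; the portable equivalent for the fallback is `struct passwd *pw = getpwuid(geteuid());` followed by `name = pw != NULL ? pw->pw_name : NULL;`, with a final NULL check (or an explicit empty-name policy) before the setter. Both getlogin() and cuserid(NULL) hand back pointers to static storage, so if _xccdf_result_fill_identity can run concurrently (not visible here) the value should be copied before any further call. A comment on the `#ifdef OSCAP_UNIX` branch saying that this name is whatever the login records report, a label for the report rather than an authenticated identity, would match the authenticated=0 / privileged=0 lines just above it.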
@@ -1,11 +1,15 @@
 Name: openscap
 Version: 1.3.5
-Release: 2%{?dist}
+Release: 4%{?dist}
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 Group: System Environment/Libraries
 License: LGPLv2+
 URL: http://www.open-scap.org/
 Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch1: openscap-1.3.6-PR-1745-waive-hugepages.patch
+Patch2: openscap-1.3.6-PR-1748-covscan.patch
+Patch3: openscap-1.3.6-PR-1749-blueprint-fix.patch
+Patch4: openscap-1.3.6-PR-1753-getlogin.patch
 BuildRequires: cmake >= 2.6
 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires: rpm-devel
@@ -214,6 +218,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/oscap-run-sce-script
 %changelog
+* Tue Jun 01 2021 Jan Černý - 1.3.5-4
+- Replace getlogin by cuserid
+
+* Mon May 10 2021 Evgenii Kolesnikov - 1.3.5-3
+- Waive known issue with hugepages in upstream testsuite (RHBZ#1912000)
+- Fix issues reported by the coverity scan
+- Introduce OSBuild 'blueprint' fix type
+
 * Tue May 04 2021 Evgenii Kolesnikov - 1.3.5-2
 - Fix changelog (add missing 1.3.3-6 entry)
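Review bot: The first hunk declares `Patch1:` through `Patch4:` after Source0, but no change to %prep is part of this commit; if that section (outside the hunk) still uses plain `%setup` rather than `%autosetup -p1` or explicit `%patch1 -p1` … `%patch4 -p1` lines, the four patches are declared and never applied, and the 1.3.5-3 and 1.3.5-4 changelog entries would describe fixes the package does not contain. Please confirm %prep applies them, ideally by checking the build log for the four "Patch #N" lines. The patch files are named for 1.3.6 while Version stays 1.3.5; that is harmless, but a one-line comment above Patch1 such as `# Backports from upstream 1.3.6 PRs 1745, 1748, 1749, 1753` would stop a reader taking it for a missed version bump.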