pool/openscap
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 894638 from home:rfrohl:branches:security

Browse Source 
update openscap to 1.3.5

OBS-URL: https://build.opensuse.org/request/show/894638
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=259
This commit is contained in:
Marcus Meissner 2021-05-20 14:23:59 +00:00 committed by Git OBS Bridge
parent d258d10fad
commit afb06b7aac
7 changed files with 50 additions and 285 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
0001-Fix-memory-allocation.patch
View File

@ -1,84 +0,0 @@
From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 10 Nov 2020 11:16:00 +0100
Subject: [PATCH] Fix memory allocation
We can't assume that size of a structure is a sum of sizes of its
members because padding and alignment can be involved. In fact,
we need to allocate more bytes for the structure than the
sum of sizes of its members.
The wrong assumption caused invalid writes and invalid reads
which can be discovered by valgrind. Moreover, when run with
MALLOC_CHECK_ environment variable set to non-zero value, the
program aborted.
The memory issue happened only when NDEBUG is defined, eg. when cmake
-DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake
-DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is
most likely because in debug mode the struct SEXP contains 2 additional
members which are the magic canaries and therefore is bigger.
This commit wants to fix the problem by 2 step allocation in which
first the size of the struct SEXP_val_lblk is used and then the
array of SEXPs is allocated separately.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770
---
src/OVAL/probes/SEAP/_sexp-value.h | 2 +-
src/OVAL/probes/SEAP/sexp-value.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h
index 426cd2c3d..e66777ef9 100644
--- a/src/OVAL/probes/SEAP/_sexp-value.h
+++ b/src/OVAL/probes/SEAP/_sexp-value.h
@@ -94,7 +94,7 @@ struct SEXP_val_lblk {
uintptr_t nxsz;
uint16_t real;
uint16_t refs;
- SEXP_t memb[];
+ SEXP_t *memb;
};
size_t SEXP_rawval_list_length (struct SEXP_val_list *list);
diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c
index a11cbc70c..b8b3ed609 100644
--- a/src/OVAL/probes/SEAP/sexp-value.c
+++ b/src/OVAL/probes/SEAP/sexp-value.c
@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz)
{
_A(sz < 16);
- struct SEXP_val_lblk *lblk = oscap_aligned_malloc(
- sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)),
- SEXP_LBLK_ALIGN
- );
+ struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));
+ lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz));
lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);
lblk->refs = 1;
@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *))
func (lblk->memb + lblk->real);
}
- oscap_aligned_free(lblk);
+ free(lblk->memb);
+ free(lblk);
if (next != NULL)
SEXP_rawval_lblk_free ((uintptr_t)next, func);
@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *))
func (lblk->memb + lblk->real);
}
- oscap_aligned_free(lblk);
+ free(lblk->memb);
+ free(lblk);
}
return;
--
2.26.2

3
1.3.4.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ee98f650f028819cfeda786d7e85dcadb74d827d4585f332ca03b217d4d82fb7
size 14807442

3
1.3.5.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4702590dae5c346b7c10f808e55bce9c54812099304221c440141abbd0b37dd6
size 13990718

86
openscap-leap-cpe-15.12.patch
View File

@ -1,86 +0,0 @@
Index: openscap-1.3.4/cpe/openscap-cpe-dict.xml
===================================================================
--- openscap-1.3.4.orig/cpe/openscap-cpe-dict.xml
+++ openscap-1.3.4/cpe/openscap-cpe-dict.xml
@@ -205,6 +205,14 @@
<title xml:lang="en-us">openSUSE Leap 15.0</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:150</check>
</cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.1">
+ <title xml:lang="en-us">openSUSE Leap 15.1</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:151</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.2">
+ <title xml:lang="en-us">openSUSE Leap 15.2</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:152</check>
+ </cpe-item>
<cpe-item name="cpe:/o:opensuse:opensuse">
<title xml:lang="en-us">openSUSE All Versions</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:1</check>
Index: openscap-1.3.4/cpe/openscap-cpe-oval.xml
===================================================================
--- openscap-1.3.4.orig/cpe/openscap-cpe-oval.xml
+++ openscap-1.3.4/cpe/openscap-cpe-oval.xml
@@ -678,6 +678,32 @@
<criterion comment="openSUSE Leap 15.0 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:150"/>
</criteria>
</definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:151" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.1</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.1</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:leap:15.1" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.1</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Leap 15.1 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:151"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:152" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.2</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.2</platform>
+ </affected>
+ <reference ref_id="cpe:/o:opensuse:leap:15.2" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.2</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE Leap 15.2 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:152"/>
+ </criteria>
+ </definition>
<definition class="inventory" id="oval:org.open-scap.cpe.wrlinux:def:1" version="1" >
<metadata>
<title>Wind River Linux</title>
@@ -1067,6 +1093,16 @@
<object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.opensuse:ste:150"/>
</rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:151" version="2" check="at least one" comment="openSUSE-release is version 15.1"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:151"/>
+ </rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:152" version="2" check="at least one" comment="openSUSE-release is version 15.2"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:152"/>
+ </rpminfo_test>
<family_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.wrlinux:tst:1" version="1" check="only one"
comment="Installed operating system is part of the Unix family."
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -1379,6 +1415,12 @@
<rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:150" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^15.0$</version>
</rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:151" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.1$</version>
+ </rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:152" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.2$</version>
+ </rpminfo_state>
<textfilecontent54_state
id="oval:org.open-scap.cpe.wrlinux-release:ste:8"
comment="Check the /etc/wrlinux-release file for VERSION 8 specification."

102
openscap-new-suse.patch
View File

@ -1,102 +0,0 @@
Index: openscap-1.3.0/cpe/openscap-cpe-dict.xml
===================================================================
--- openscap-1.3.0.orig/cpe/openscap-cpe-dict.xml
+++ openscap-1.3.0/cpe/openscap-cpe-dict.xml
@@ -141,6 +141,14 @@
<title xml:lang="en-us">SUSE Linux Enterprise Desktop 12</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sled:def:12</check>
</cpe-item>
+ <cpe-item name="cpe:/o:suse:sles:15">
+ <title xml:lang="en-us">SUSE Linux Enterprise Server 15</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sles:def:15</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:suse:sled:15">
+ <title xml:lang="en-us">SUSE Linux Enterprise Desktop 15</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sled:def:15</check>
+ </cpe-item>
<cpe-item name="cpe:/o:opensuse:opensuse:11.4">
<title xml:lang="en-us">openSUSE 11.4</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:114</check>
Index: openscap-1.3.0/cpe/openscap-cpe-oval.xml
===================================================================
--- openscap-1.3.0.orig/cpe/openscap-cpe-oval.xml
+++ openscap-1.3.0/cpe/openscap-cpe-oval.xml
@@ -475,6 +475,34 @@
</criteria>
</definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.sles:def:15" version="1">
+ <metadata>
+ <title>SUSE Linux Enterprise Server 15</title>
+ <affected family="unix">
+ <platform>SUSE Linux Enterprise Server 15</platform>
+ </affected>
+ <reference ref_id="cpe:/o:suse:sles:15" source="CPE"/>
+ <description>The operating system installed on the system is SUSE Linux Enterprise Server 15</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SLES 15 is installed" test_ref="oval:org.open-scap.cpe.sles:tst:15"/>
+ </criteria>
+ </definition>
+
+ <definition class="inventory" id="oval:org.open-scap.cpe.sled:def:15" version="1">
+ <metadata>
+ <title>SUSE Linux Enterprise Desktop 15</title>
+ <affected family="unix">
+ <platform>SUSE Linux Enterprise Desktop 15</platform>
+ </affected>
+ <reference ref_id="cpe:/o:suse:sled:15" source="CPE"/>
+ <description>The operating system installed on the system is SUSE Linux Enterprise Desktop 15</description>
+ </metadata>
+ <criteria>
+ <criterion comment="SLED 15 is installed" test_ref="oval:org.open-scap.cpe.sled:tst:15"/>
+ </criteria>
+ </definition>
+
<definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:1" version="1">
<metadata>
<title>openSUSE All Versions</title>
@@ -870,6 +898,11 @@
<object object_ref="oval:org.open-scap.cpe.sles-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.sles:ste:12"/>
</rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sles:tst:15" version="1" check="at least one" comment="sles-release is version 15"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.sles-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.sles:ste:15"/>
+ </rpminfo_test>
<rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sled:tst:10" version="1" check="at least one" comment="sled-release is version 10"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
@@ -885,6 +918,11 @@
<object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.sled:ste:12"/>
</rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sled:tst:15" version="1" check="at least one" comment="sled-release is version 15"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.sled:ste:15"/>
+ </rpminfo_test>
<rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:1" version="1" check="at least one" comment="openSUSE-release is version 11.4"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
@@ -1159,6 +1207,9 @@
<rpminfo_state id="oval:org.open-scap.cpe.sles:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^12($|[^\d])</version>
</rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.sles:ste:15" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15($|[^\d])</version>
+ </rpminfo_state>
<rpminfo_state id="oval:org.open-scap.cpe.sled:ste:10" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^10($|[^\d])</version>
</rpminfo_state>
@@ -1168,6 +1219,9 @@
<rpminfo_state id="oval:org.open-scap.cpe.sled:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^12($|[^\d])</version>
</rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.sled:ste:15" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15($|[^\d])</version>
+ </rpminfo_state>
<rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name operation="pattern match">^openSUSE-release</name>
</rpminfo_state>

41
openscap.changes
View File

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Fri Apr 23 11:08:00 UTC 2021 - Robert Frohl <rfrohl@suse.com>
- openscap 1.3.5
* New features
- Made schematron-based validation enabled by default for validate command of oval and xccdf modules
- Added SCAP 1.3 source data stream Schematron
- Added XML Signature Validation
- Added --enforce-signature option for eval, guide, and fix modules
- Added <content> entity support (OVAL/yamlfilecontent)
- Allowed to clamp mtime to SOURCE_DATE_EPOCH
- Added severity and role attributes
- Added support for requires/conflicts elements of the Rule and Group (XCCDF)
- Added Kubernetes remediation to HTML report
* Maintenance, bug fix
- Fixed CMake warnings
- Made 'gpfs', 'proc' and 'sysfs' filesystems non-local
- Fixed handling of '--arg=val'-styled common options
- Documented used environment variables
- Updated man page and help texts
- Added --skip-validation option synonym for --skip-valid
- Fixed behavior of StateType operator
- Fixed some of the coverity warnings
- Ignoring namespace in XPath expressions
- Fixed how oval_probe_ext_eval checks absence of the response from the probe (obtrusive data warning)
- Described SWID tags detection
- Improved documentation about --stig-viewer option
- File probe behaviour fixed (symlink traversal now behaves as defined by OVAL)
- Fixed multiple segfaults and broken test in --stig-viewer feature
- Added dpkg version comparison algorithm
- Pluged some memory leaks
- Fixed TestResult/benchmark/@href attribute
- Fixed memory allocation
- Fixed field names for cases where key selection section is followed by a set section (probes/yamfilecontent)
- Changing hard coded libperl path in favor of FindPerlLibs method
- Check local filesystems when using 'filepath' element
- dropped, because not needed anymore:
* 0001-Fix-memory-allocation.patch
* openscap-new-suse.patch
* openscap-leap-cpe-15.12.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Nov 14 08:55:03 UTC 2020 - Marcus Meissner <meissner@suse.com> Sat Nov 14 08:55:03 UTC 2020 - Marcus Meissner <meissner@suse.com>

16
openscap.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package openscap # spec file for package openscap
# #
# Copyright (c) 2020 SUSE LLC # Copyright (c) 2021 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -25,7 +25,7 @@
%define with_bindings 0 %define with_bindings 0
Name: openscap Name: openscap
Version: 1.3.4 Version: 1.3.5
Release: 0 Release: 0
Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz
# temp snapshot to make it build with new RPM before 1.3.2 # temp snapshot to make it build with new RPM before 1.3.2
@ -38,15 +38,12 @@ Source3: scap-yast2sec-xccdf.xml
Source4: scap-yast2sec-oval.xml Source4: scap-yast2sec-oval.xml
Source5: oscap-scan.service Source5: oscap-scan.service
Source6: oscap-scan.sh Source6: oscap-scan.sh
Patch0: openscap-new-suse.patch
Patch1: openscap-leap-cpe-15.12.patch
Patch2: 0001-Fix-memory-allocation.patch
URL: https://www.open-scap.org/ URL: https://www.open-scap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: doxygen BuildRequires: doxygen
# Next few lines are needed for unit tests, they expect /etc/os-release to exist # Next few lines are needed for unit tests, they expect /etc/os-release to exist
%if !0%{?is_opensuse} && 0%{?sle_version} < 130000 %if !0%{?is_opensuse} && 0%{?sle_version} < 130000
BuildRequires: sles-release BuildRequires: sles-release
%else %else
BuildRequires: distribution-release BuildRequires: distribution-release
@ -79,6 +76,8 @@ BuildRequires: rpm-devel
BuildRequires: sendmail BuildRequires: sendmail
BuildRequires: swig BuildRequires: swig
BuildRequires: unixODBC-devel BuildRequires: unixODBC-devel
BuildRequires: xmlsec1-devel
BuildRequires: xmlsec1-openssl-devel
BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(gobject-2.0) BuildRequires: pkgconfig(gobject-2.0)
Summary: A Set of Libraries for Integration with SCAP Summary: A Set of Libraries for Integration with SCAP
@ -106,7 +105,7 @@ Summary: Development Files for OpenSCAP
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
%description devel %description devel
This package contains the development files (mainly C header files) for the This package contains the development files (mainly C header files) for the
OpenSCAP C library. OpenSCAP C library.
%package docker %package docker
@ -174,9 +173,6 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build %build
%if 0%{?with_bindings} %if 0%{?with_bindings}