diff --git a/0001-Fix-memory-allocation.patch b/0001-Fix-memory-allocation.patch
deleted file mode 100644
index 99eb604..0000000
--- a/0001-Fix-memory-allocation.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 10 Nov 2020 11:16:00 +0100
-Subject: [PATCH] Fix memory allocation
-
-We can't assume that size of a structure is a sum of sizes of its
-members because padding and alignment can be involved. In fact,
-we need to allocate more bytes for the structure than the
-sum of sizes of its members.
-
-The wrong assumption caused invalid writes and invalid reads
-which can be discovered by valgrind. Moreover, when run with
-MALLOC_CHECK_ environment variable set to non-zero value, the
-program aborted.
-
-The memory issue happened only when NDEBUG is defined, eg. when cmake
--DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake
--DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is
-most likely because in debug mode the struct SEXP contains 2 additional
-members which are the magic canaries and therefore is bigger.
-
-This commit wants to fix the problem by 2 step allocation in which
-first the size of the struct SEXP_val_lblk is used and then the
-array of SEXPs is allocated separately.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770
----
- src/OVAL/probes/SEAP/_sexp-value.h | 2 +-
- src/OVAL/probes/SEAP/sexp-value.c | 12 ++++++------
- 2 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h
-index 426cd2c3d..e66777ef9 100644
---- a/src/OVAL/probes/SEAP/_sexp-value.h
-+++ b/src/OVAL/probes/SEAP/_sexp-value.h
-@@ -94,7 +94,7 @@ struct SEXP_val_lblk {
- uintptr_t nxsz;
- uint16_t real;
- uint16_t refs;
-- SEXP_t memb[];
-+ SEXP_t *memb;
- };
-
- size_t SEXP_rawval_list_length (struct SEXP_val_list *list);
-diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c
-index a11cbc70c..b8b3ed609 100644
---- a/src/OVAL/probes/SEAP/sexp-value.c
-+++ b/src/OVAL/probes/SEAP/sexp-value.c
-@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz)
- {
- _A(sz < 16);
-
-- struct SEXP_val_lblk *lblk = oscap_aligned_malloc(
-- sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)),
-- SEXP_LBLK_ALIGN
-- );
-+ struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));
-+ lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz));
-
- lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);
- lblk->refs = 1;
-@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *))
- func (lblk->memb + lblk->real);
- }
-
-- oscap_aligned_free(lblk);
-+ free(lblk->memb);
-+ free(lblk);
-
- if (next != NULL)
- SEXP_rawval_lblk_free ((uintptr_t)next, func);
-@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *))
- func (lblk->memb + lblk->real);
- }
-
-- oscap_aligned_free(lblk);
-+ free(lblk->memb);
-+ free(lblk);
- }
-
- return;
---
-2.26.2
-
diff --git a/1.3.4.tar.gz b/1.3.4.tar.gz
deleted file mode 100644
index 39a065a..0000000
--- a/1.3.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ee98f650f028819cfeda786d7e85dcadb74d827d4585f332ca03b217d4d82fb7
-size 14807442
diff --git a/1.3.5.tar.gz b/1.3.5.tar.gz
new file mode 100644
index 0000000..53e73da
--- /dev/null
+++ b/1.3.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4702590dae5c346b7c10f808e55bce9c54812099304221c440141abbd0b37dd6
+size 13990718
diff --git a/openscap-leap-cpe-15.12.patch b/openscap-leap-cpe-15.12.patch
deleted file mode 100644
index 98cb56f..0000000
--- a/openscap-leap-cpe-15.12.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -Index: openscap-1.3.4/cpe/openscap-cpe-dict.xml -=================================================================== ---- openscap-1.3.4.orig/cpe/openscap-cpe-dict.xml -+++ openscap-1.3.4/cpe/openscap-cpe-dict.xml -@@ -205,6 +205,14 @@ - openSUSE Leap 15.0 - oval:org.open-scap.cpe.opensuse:def:150 - -+ -+ openSUSE Leap 15.1 -+ oval:org.open-scap.cpe.opensuse:def:151 -+ -+ -+ openSUSE Leap 15.2 -+ oval:org.open-scap.cpe.opensuse:def:152 -+ - - openSUSE All Versions - oval:org.open-scap.cpe.opensuse:def:1 -Index: openscap-1.3.4/cpe/openscap-cpe-oval.xml -=================================================================== ---- openscap-1.3.4.orig/cpe/openscap-cpe-oval.xml -+++ openscap-1.3.4/cpe/openscap-cpe-oval.xml -@@ -678,6 +678,32 @@ - - - -+ -+ -+ openSUSE Leap 15.1 -+ -+ openSUSE Leap 15.1 -+ -+ -+ The operating system installed on the system is openSUSE Leap 15.1 -+ -+ -+ -+ -+ -+ -+ -+ openSUSE Leap 15.2 -+ -+ openSUSE Leap 15.2 -+ -+ -+ The operating system installed on the system is openSUSE Leap 15.2 -+ -+ -+ -+ -+ - - - Wind River Linux -@@ -1067,6 +1093,16 @@ - - - -+ -+ -+ -+ -+ -+ -+ -+ - -@@ -1379,6 +1415,12 @@ - - ^15.0$ - -+ -+ ^15.1$ -+ -+ -+ ^15.2$ -+ - SUSE Linux Enterprise Desktop 12 - oval:org.open-scap.cpe.sled:def:12 - -+ -+ SUSE Linux Enterprise Server 15 -+ oval:org.open-scap.cpe.sles:def:15 -+ -+ -+ SUSE Linux Enterprise Desktop 15 -+ oval:org.open-scap.cpe.sled:def:15 -+ - - openSUSE 11.4 - oval:org.open-scap.cpe.opensuse:def:114 -Index: openscap-1.3.0/cpe/openscap-cpe-oval.xml -=================================================================== ---- openscap-1.3.0.orig/cpe/openscap-cpe-oval.xml -+++ openscap-1.3.0/cpe/openscap-cpe-oval.xml -@@ -475,6 +475,34 @@ - - - -+ -+ -+ SUSE Linux Enterprise Server 15 -+ -+ SUSE Linux Enterprise Server 15 -+ -+ -+ The operating system installed on the system is SUSE Linux Enterprise Server 15 -+ -+ -+ -+ -+ -+ -+ -+ -+ SUSE Linux Enterprise Desktop 15 -+ -+ SUSE Linux Enterprise 
Desktop 15 -+ -+ -+ The operating system installed on the system is SUSE Linux Enterprise Desktop 15 -+ -+ -+ -+ -+ -+ - - - openSUSE All Versions -@@ -870,6 +898,11 @@ - - - -+ -+ -+ -+ - - -@@ -885,6 +918,11 @@ - - - -+ -+ -+ -+ - - -@@ -1159,6 +1207,9 @@ - - ^12($|[^\d]) - -+ -+ ^15($|[^\d]) -+ - - ^10($|[^\d]) - -@@ -1168,6 +1219,9 @@ - - ^12($|[^\d]) - -+ -+ ^15($|[^\d]) -+ - - ^openSUSE-release - diff --git a/openscap.changes b/openscap.changes index 922899e..e624bd6 100644 --- a/openscap.changes +++ b/openscap.changes 
@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Fri Apr 23 11:08:00 UTC 2021 - Robert Frohl
+
+- openscap 1.3.5
+ * New features
+ - Made schematron-based validation enabled by default for validate command of oval and xccdf modules
+ - Added SCAP 1.3 source data stream Schematron
+ - Added XML Signature Validation
+ - Added --enforce-signature option for eval, guide, and fix modules
+ - Added entity support (OVAL/yamlfilecontent)
+ - Allowed to clamp mtime to SOURCE_DATE_EPOCH
+ - Added severity and role attributes
+ - Added support for requires/conflicts elements of the Rule and Group (XCCDF)
+ - Added Kubernetes remediation to HTML report
+ * Maintenance, bug fix
+ - Fixed CMake warnings
+ - Made 'gpfs', 'proc' and 'sysfs' filesystems non-local
+ - Fixed handling of '--arg=val'-styled common options
+ - Documented used environment variables
+ - Updated man page and help texts
+ - Added --skip-validation option synonym for --skip-valid
+ - Fixed behavior of StateType operator
+ - Fixed some of the coverity warnings
+ - Ignoring namespace in XPath expressions
+ - Fixed how oval_probe_ext_eval checks absence of the response from the probe (obtrusive data warning)
+ - Described SWID tags detection
+ - Improved documentation about --stig-viewer option
+ - File probe behaviour fixed (symlink traversal now behaves as defined by OVAL)
+ - Fixed multiple segfaults and broken test in --stig-viewer feature
+ - Added dpkg version comparison algorithm
+ - Pluged some memory leaks
+ - Fixed TestResult/benchmark/@href attribute
+ - Fixed memory allocation
+ - Fixed field names for cases where key selection section is followed by a set section (probes/yamfilecontent)
+ - Changing hard coded libperl path in favor of FindPerlLibs method
+ - Check local filesystems when using 'filepath' element
+- dropped, because not needed anymore:
+ * 0001-Fix-memory-allocation.patch
+ * openscap-new-suse.patch
+ * openscap-leap-cpe-15.12.patch
+
------------------------------------------------------------------- Sat Nov 14 08:55:03 UTC 2020 - Marcus Meissner diff --git a/openscap.spec b/openscap.spec index 649ab5a..2808d70 100644 --- a/openscap.spec +++ b/openscap.spec @@ -1,7 +1,7 @@ # # spec file for package openscap # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,7 +25,7 @@ %define with_bindings 0 Name: openscap -Version: 1.3.4 +Version: 1.3.5 Release: 0 Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz # temp snapshot to make it build with new RPM before 1.3.2 @@ -38,15 +38,12 @@ Source3: scap-yast2sec-xccdf.xml Source4: scap-yast2sec-oval.xml Source5: oscap-scan.service Source6: oscap-scan.sh -Patch0: openscap-new-suse.patch -Patch1: openscap-leap-cpe-15.12.patch -Patch2: 0001-Fix-memory-allocation.patch URL: https://www.open-scap.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: asciidoc BuildRequires: doxygen # Next few lines are needed for unit tests, they expect /etc/os-release to exist -%if !0%{?is_opensuse} && 0%{?sle_version} < 130000 +%if !0%{?is_opensuse} && 0%{?sle_version} < 130000 BuildRequires: sles-release %else BuildRequires: distribution-release @@ -79,6 +76,8 @@ BuildRequires: rpm-devel BuildRequires: sendmail BuildRequires: swig BuildRequires: unixODBC-devel +BuildRequires: xmlsec1-devel +BuildRequires: xmlsec1-openssl-devel BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(gobject-2.0) Summary: A Set of Libraries for Integration with SCAP @@ -106,7 +105,7 @@ Summary: Development Files for OpenSCAP Group: Development/Libraries/C and C++ %description devel -This package contains the development files (mainly C header files) for the +This package contains the development files (mainly C header files) for the OpenSCAP C library. %package docker 
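Review bot: The two `BuildRequires` lines added in the `@@ -79,6 +76,8 @@` hunk (`xmlsec1-devel`, `xmlsec1-openssl-devel`) carry no comment saying why they are needed, unlike the release-package block earlier in the spec, which explains itself. The changelog entry in this same commit lists XML Signature Validation and `--enforce-signature` as new in 1.3.5, so that is presumably the reason; a line such as `# xmlsec1: XML signature validation of SCAP content (new in 1.3.5)` above them would record it. The spec as shown does not reveal whether the upstream build fails or quietly disables signature support when xmlsec1 is absent, so it is worth confirming that the packaged `oscap` actually accepts `--enforce-signature`.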
@@ -174,9 +173,6 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP. %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 %build %if 0%{?with_bindings}