From f7b7f9df1b2e5f2b87aab09da0abe98793fbd68abf11310fc54050c87f65928a Mon Sep 17 00:00:00 2001
From: Robert Frohl
Date: Fri, 14 Jun 2019 12:32:39 +0000
Subject: [PATCH] Accepting request 709892 from home:rfrohl:branches:security

update openscap to version 1.3.1

OBS-URL: https://build.opensuse.org/request/show/709892
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=232
---
 1.3.0.tar.gz | 3 --
 1.3.1.tar.gz | 3 ++
 openscap.changes | 19 +++++++
 openscap.spec | 13 +----
 rpmverify_unittest.patch | 19 -------
 rpmverifyfile_unittest.patch | 52 -------------------
 sysctl_unittest.patch | 29 -----------
 ..._rpmverifypackage-disable-epoch-test.patch | 23 --------
 xinetd_probe.patch | 30 -----------
 9 files changed, 24 insertions(+), 167 deletions(-)
 delete mode 100644 1.3.0.tar.gz
 create mode 100644 1.3.1.tar.gz
 delete mode 100644 rpmverify_unittest.patch
 delete mode 100644 rpmverifyfile_unittest.patch
 delete mode 100644 sysctl_unittest.patch
 delete mode 100644 test_probes_rpmverifypackage-disable-epoch-test.patch
 delete mode 100644 xinetd_probe.patch

diff --git a/1.3.0.tar.gz b/1.3.0.tar.gz
deleted file mode 100644
index e10cdcb..0000000
--- a/1.3.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:70bab797f956c5130dac862ccf79724ef795466ad59c4411ac8e2a7e0066493b
-size 12327473
diff --git a/1.3.1.tar.gz b/1.3.1.tar.gz
new file mode 100644
index 0000000..54f265a
--- /dev/null
+++ b/1.3.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1c5caa1bc8f10c470cf03bf6818986185f51513b9775f6363260cb6e79038c2f
+size 12333871
diff --git a/openscap.changes b/openscap.changes
index f4d5995..16e16db 100644
--- a/openscap.changes
+++ b/openscap.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Thu Jun 13 14:22:06 UTC 2019 - Robert Frohl
+
+- openscap 1.3.1
+ - New features
+ - Support for SCAP 1.3 Source Datastreams (evaluating, XML schemas, validation)
+ - Introduced `oscap-podman` -- a tool for SCAP evaluation of Podman images and containers
+ - Tailoring files are included in ARF result files
+ - OVAL details are always shown in HTML report, users do not have to provide `--oval-results` on command line
+ - HTML report displays OVAL test details also for OVAL tests included from other OVAL definitions using `extend_definition`
+ - OVAL test IDs are shown in HTML report - Rule IDs are shown in HTML guide
+ - Added `block_size` in Linux `partition_state` defined in OVAL 5.11.2
+ - Added `oscap_wrapper` that can be used to comfortably execute custom compiled oscap tool
+ - Maintenance and bug fixes
+ for a complete list please see https://github.com/OpenSCAP/openscap/releases/tag/1.3.1
+- removed patches accepted upstream:
+ rpmverifyfile_unittest.patch rpmverify_unittest.patch sysctl_unittest.patch
+ test_probes_rpmverifypackage-disable-epoch-test.patch xinetd_probe.patch
+
 -------------------------------------------------------------------
 Tue Mar 26 13:55:18 UTC 2019 - Robert Frohl
 
diff --git a/openscap.spec b/openscap.spec
index 65165a6..c8b52aa 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -25,7 +25,7 @@
 %define with_bindings 0
 
 Name: openscap
-Version: 1.3.0
+Version: 1.3.1
 Release: 1.0
 Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz
 Source1: openscap-rpmlintrc
@@ -37,11 +37,6 @@ Source4: scap-yast2sec-oval.xml
 Source5: oscap-scan.service
 Source6: oscap-scan.sh
 Patch0: openscap-new-suse.patch
-Patch1: xinetd_probe.patch
-Patch2: test_probes_rpmverifypackage-disable-epoch-test.patch
-Patch3: sysctl_unittest.patch
-Patch4: rpmverifyfile_unittest.patch
-Patch5: rpmverify_unittest.patch
 Url: http://www.open-scap.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: asciidoc
@@ -175,11 +170,6 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
 
 %build
 %if 0%{?with_bindings}
@@ -299,6 +289,7 @@ ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/ope
 %{_bindir}/oscap-ssh
 %{_bindir}/oscap-chroot
 %{_bindir}/scap-as-rpm
+%{_bindir}/oscap-podman
 %{_sbindir}/rcoscap-scan
 %{_datadir}/bash-completion/completions/*
 
diff --git a/rpmverify_unittest.patch b/rpmverify_unittest.patch
deleted file mode 100644
index 6149780..0000000
--- a/rpmverify_unittest.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/tests/probes/rpmverify/test_not_equals_operation.xml b/tests/probes/rpmverify/test_not_equals_operation.xml
-index abdfcc4c7..1855b981e 100644
---- a/tests/probes/rpmverify/test_not_equals_operation.xml
-+++ b/tests/probes/rpmverify/test_not_equals_operation.xml
-@@ -29,12 +29,12 @@
- 
- 
- 
-- /
-+ /etc
- 
- 
- 
- 
-- (^/$|^/etc/passwd$)
-+ (^/etc$|^/etc/os-release$)
- 
- 
- 
diff --git a/rpmverifyfile_unittest.patch b/rpmverifyfile_unittest.patch
deleted file mode 100644
index 515651d..0000000
--- a/rpmverifyfile_unittest.patch
+++ /dev/null
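Review bot: The new `%{_bindir}/oscap-podman` entry in the %files hunk ships a wrapper that, per the changelog, evaluates Podman images and containers, yet nothing in this hunk declares a runtime dependency on podman. Unless the spec already carries one outside the shown hunks, a `Recommends: podman` placed with the package's other runtime dependencies would make the intent explicit and avoid an installed binary that fails at first use. The %files section this hunk belongs to starts before and continues after the hunk.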
@@ -1,52 +0,0 @@
-diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
-index ee93a7058..0299ec6e0 100755
---- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
-+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
-@@ -40,7 +40,7 @@ function test_probes_rpmverifyfile {
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
-- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]'
-+ assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
- sc='oval_results/results/system/oval_system_characteristics/'
- sd=$sc'system_data/'
- assert_exists 1 $sc'collected_objects/object'
-diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
-index 049b82627..b36428582 100644
---- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
-+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
-@@ -30,7 +30,7 @@
- 
- 
- 
-- /etc/passwd
-+ /etc/os-release
- 
- 
- 
-diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
-index 642f209e9..f9486e314 100755
---- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
-+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
-@@ -39,7 +39,7 @@ function test_probes_rpmverifyfile {
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
-- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]'
-+ assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
- sc='oval_results/results/system/oval_system_characteristics/'
- sd=$sc'system_data/'
- assert_exists 1 $sc'collected_objects/object'
-diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
-index fe83a1e1c..c39282f51 100644
---- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
-+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
-@@ -30,7 +30,7 @@
- 
- 
- 
-- /etc/passwd
-+ /etc/os-release
- 
- 
- 
diff --git a/sysctl_unittest.patch b/sysctl_unittest.patch
deleted file mode 100644
index e92ce33..0000000
--- a/sysctl_unittest.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
-index bb9859d71..6534e1142 100755
---- a/tests/probes/sysctl/test_sysctl_probe_all.sh
-+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
-@@ -4,6 +4,12 @@
- 
- set -e -o pipefail
- 
-+# on some systems sysctl might live in sbin, which can cause problems for
-+# non root users
-+PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
-+# non root users are not able to access some kernel params, so they get blacklisted
-+SYSCTL_BLACKLIST='stable_secret\|vm.stat_refresh\|fs.protected_hardlinks\|fs.protected_symlinks\|kernel.cad_pid\|kernel.unprivileged_userns_apparmor_policy\|kernel.usermodehelper.bset\|kernel.usermodehelper.inheritable\|net.core.bpf_jit_harden\|net.core.bpf_jit_kallsyms\|net.ipv4.tcp_fastopen_key\|vm.mmap_rnd_bits\|vm.mmap_rnd_compat_bits'
-+
- function perform_test {
- probecheck "sysctl" || return 255
- 
-@@ -24,9 +30,9 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev
- # sysctl has duplicities in output
- # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
- # kernel parameters might use "/" and "." separators interchangeably - normalizing
--sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames"
-+sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_BLACKLIST | tr "/" "." | sort -u > "$sysctlNames"
- 
--grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
-+grep unix-sys:name "$result" | grep -v $SYSCTL_BLACKLIST | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
- 
- diff "$sysctlNames" "$ourNames"
- 
diff --git a/test_probes_rpmverifypackage-disable-epoch-test.patch b/test_probes_rpmverifypackage-disable-epoch-test.patch
deleted file mode 100644
index 1f00935..0000000
--- a/test_probes_rpmverifypackage-disable-epoch-test.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
-index f4179e063..475ebf0b3 100755
---- a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
-+++ b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
-@@ -11,6 +11,8 @@
- 
- . $builddir/tests/test_common.sh
- 
-+[ -f /etc/os-release ] && . /etc/os-release
-+
- set -e -o pipefail
- set -x
- 
-@@ -79,7 +81,9 @@ function test_probes_rpmverifypackage_noepoch {
- 
- test_init
- 
-+if [[ $ID_LIKE != *"suse"* ]]; then
- test_run "test_probes_rpmverifypackage_epoch" test_probes_rpmverifypackage_epoch
-+fi
- test_run "test_probes_rpmverifypackage_noepoch" test_probes_rpmverifypackage_noepoch
- 
- test_exit
diff --git a/xinetd_probe.patch b/xinetd_probe.patch
deleted file mode 100644
index e656c4a..0000000
--- a/xinetd_probe.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
-index 965d8cd04..e911ecc29 100644
---- a/src/OVAL/probes/unix/xinetd_probe.c
-+++ b/src/OVAL/probes/unix/xinetd_probe.c
-@@ -1298,6 +1298,7 @@ int op_merge_u16(void *dst, void *src, int type)
- 
- int op_assign_str(void *var, char *val)
- {
-+ char *strend = NULL;
- if (var == NULL) {
- return -1;
- }
-@@ -1306,7 +1307,16 @@ int op_assign_str(void *var, char *val)
- while(isspace(*val)) ++val;
- 
- if (*val != '\0') {
-- *((char **)(var)) = strdup(val);
-+ strend = strrchr(val, '\0');
-+ /* strip trailing whitespaces */
-+ do {
-+ strend--;
-+ } while(isspace(*strend));
-+ if((strend-val) < 0) {
-+ dE("Error stripping white space from string '%s'", val);
-+ return (-1);
-+ }
-+ *((char **)(var)) = strndup(val, (strend-val+1));
- return (0);
- } else
- return (-1);