testing/openscap: upgrade to 1.3.2

author: Leo <thinkabit.ukim@gmail.com> 2020-01-22 01:12:53 +0100
committer: Leo <thinkabit.ukim@gmail.com> 2020-01-22 01:23:01 +0100
commit: b3ab1bd2e90b049fd26c9526cec0d888893d42fa (patch)
tree: e7de0aec502d9c6780ae1ffc3d27fc7447e64f50
parent: 73785f5456576a862f24518ebcaf21527ae85fbf (diff)
download: alpine_aports-b3ab1bd2e90b049fd26c9526cec0d888893d42fa.tar.bz2
alpine_aports-b3ab1bd2e90b049fd26c9526cec0d888893d42fa.tar.xz
alpine_aports-b3ab1bd2e90b049fd26c9526cec0d888893d42fa.zip
4 files changed, 4 insertions, 232 deletions
diff --git a/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch b/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
deleted file mode 100644
index aa78a80064..0000000000
--- a/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From e09334091d5678b666ea4e92d1a4b55838aa1a41 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Tue, 11 Jun 2019 16:12:55 +0300
-Subject: [PATCH 1/3] Handle rpmVerifyFile() removal in rpm >= 4.15
-Using rpmfiVerify() directly would be simpler but if upstream wants
-to preserve compatibility with older rpms...
---
- CMakeLists.txt                          |  1 +
- src/OVAL/probes/unix/linux/rpm-helper.c | 12 ++++++++++++
- src/OVAL/probes/unix/linux/rpm-helper.h |  5 +++++
- 3 files changed, 18 insertions(+)
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 720d8d8eb..058319599 100644
--- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -132,6 +132,7 @@ if(RPM_FOUND)
-        check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
-        check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
-        check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
-+       check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
-        set(HAVE_RPMVERCMP 1)
- endif()
- 
-diff --git a/src/OVAL/probes/unix/linux/rpm-helper.c b/src/OVAL/probes/unix/linux/rpm-helper.c
-index bfb95c363..4d23cf202 100644
--- a/src/OVAL/probes/unix/linux/rpm-helper.c
-+++ b/src/OVAL/probes/unix/linux/rpm-helper.c
-@@ -32,6 +32,18 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data)
- }
- #endif
- 
-+#ifndef HAVE_RPMVERIFYFILE
-+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
-+               rpmVerifyAttrs * res, rpmVerifyAttrs omitMask)
-+{
-+    rpmVerifyAttrs vfy = rpmfiVerify(fi, omitMask);
-+    if (res)
-+       *res = vfy;
-+
-+    return (vfy & RPMVERIFY_LSTATFAIL) ? 1 : 0;
-+}
-+#endif
-+
- void rpmLibsPreload()
- {
-        // Don't load rpmrc files. The are useless for us,
-diff --git a/src/OVAL/probes/unix/linux/rpm-helper.h b/src/OVAL/probes/unix/linux/rpm-helper.h
-index 4e9af8702..f879a5a5b 100644
--- a/src/OVAL/probes/unix/linux/rpm-helper.h
-+++ b/src/OVAL/probes/unix/linux/rpm-helper.h
-@@ -87,6 +87,11 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data);
- #define DISABLE_PLUGINS(ts) rpmDefineMacro(NULL,"__plugindir \"\"", 0);
- #endif
- 
-+#ifndef HAVE_RPMVERIFYFILE
-+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
-+                rpmVerifyAttrs * res, rpmVerifyAttrs omitMask);
-+#endif
-+
- /**
-  * Preload libraries required by rpm
-  * It destroy error callback!
-- 
-2.22.0
diff --git a/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch b/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
deleted file mode 100644
index 4294235348..0000000000
--- a/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 9db9474dd092a67e37af54a2eb898cea625a98cd Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Tue, 11 Jun 2019 16:12:56 +0300
-Subject: [PATCH 2/3] Refer to the RPMVERIFY_* constants instead of VERIFY_*
- counterparts
-The RPMVERIFY_* values always refer to corresponding file verification
-attributes, which is what we're dealing with here. The VERIFY_*
-constants do not exist in all versions, and include things that
-do not make any sense at all for files anyway, such as VERIFY_DEPS
-and VERIFY_SCRIPT which are package-level operations and VERIFY_SIGNATURE
-and VERIFY_DIGEST which are not verify operations at all.
---
- src/OVAL/probes/unix/linux/rpmverify_probe.c  | 21 ++++++----------
- .../probes/unix/linux/rpmverifyfile_probe.c   | 25 +++++++++----------
- 2 files changed, 20 insertions(+), 26 deletions(-)
-diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
-index 07bd09d84..dbc9523ba 100644
--- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
-@@ -303,19 +303,14 @@ typedef struct {
- } rpmverify_bhmap_t;
- 
- const rpmverify_bhmap_t rpmverify_bhmap[] = {
-        { "nodeps",        (uint64_t)VERIFY_DEPS      },
-        { "nodigest",      (uint64_t)VERIFY_DIGEST    },
-        { "nofiles",       (uint64_t)VERIFY_FILES     },
-        { "noscripts",     (uint64_t)VERIFY_SCRIPT    },
-        { "nosignature",   (uint64_t)VERIFY_SIGNATURE },
-        { "nolinkto",      (uint64_t)VERIFY_LINKTO    },
-        { "nomd5",         (uint64_t)VERIFY_MD5       },
-        { "nosize",        (uint64_t)VERIFY_SIZE      },
-        { "nouser",        (uint64_t)VERIFY_USER      },
-        { "nogroup",       (uint64_t)VERIFY_GROUP     },
-        { "nomtime",       (uint64_t)VERIFY_MTIME     },
-        { "nomode",        (uint64_t)VERIFY_MODE      },
-        { "nordev",        (uint64_t)VERIFY_RDEV      },
-+        { "nolinkto",      (uint64_t)RPMVERIFY_LINKTO    },
-+        { "nomd5",         (uint64_t)RPMVERIFY_MD5       },
-+        { "nosize",        (uint64_t)RPMVERIFY_FILESIZE  },
-+        { "nouser",        (uint64_t)RPMVERIFY_USER      },
-+        { "nogroup",       (uint64_t)RPMVERIFY_GROUP     },
-+        { "nomtime",       (uint64_t)RPMVERIFY_MTIME     },
-+        { "nomode",        (uint64_t)RPMVERIFY_MODE      },
-+        { "nordev",        (uint64_t)RPMVERIFY_RDEV      },
-         { "noconfigfiles", RPMVERIFY_SKIP_CONFIG      },
-         { "noghostfiles",  RPMVERIFY_SKIP_GHOST       }
- };
-diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-index d81728ebe..10fcdf8df 100644
--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-@@ -83,11 +83,10 @@ struct rpmverify_res {
-         * They all have the same value (1) - see 'rpm/rpmvf.h'.
-         */
-        #define RPMVERIFY_FILEDIGEST RPMVERIFY_MD5
-       #define VERIFY_FILEDIGEST VERIFY_MD5
-       /* VERIFY_CAPS is not supported in older rpmlib.
-+       /* RPMVERIFY_CAPS is not supported in older rpmlib.
-         * We can set it to 0 because 0 is neutral to bit OR operation.
-         */
-       #define VERIFY_CAPS 0
-+       #define RPMVERIFY_CAPS 0
- #endif
- 
- #define RPMVERIFY_LOCK   RPM_MUTEX_LOCK(&g_rpm->mutex)
-@@ -423,18 +422,18 @@ typedef struct {
- } rpmverifyfile_bhmap_t;
- 
- const rpmverifyfile_bhmap_t rpmverifyfile_bhmap[] = {
-       { "nolinkto",      (uint64_t)VERIFY_LINKTO    },
-       { "nomd5",       (uint64_t)VERIFY_MD5       }, // deprecated since OVAL 5.11.1
-       { "nosize",     (uint64_t)VERIFY_SIZE      },
-       { "nouser",     (uint64_t)VERIFY_USER      },
-       { "nogroup",       (uint64_t)VERIFY_GROUP     },
-       { "nomtime",       (uint64_t)VERIFY_MTIME     },
-       { "nomode",     (uint64_t)VERIFY_MODE      },
-       { "nordev",     (uint64_t)VERIFY_RDEV      },
-+       { "nolinkto",      (uint64_t)RPMVERIFY_LINKTO    },
-+       { "nomd5",       (uint64_t)RPMVERIFY_MD5       }, // deprecated since OVAL 5.11.1
-+       { "nosize",     (uint64_t)RPMVERIFY_FILESIZE      },
-+       { "nouser",     (uint64_t)RPMVERIFY_USER      },
-+       { "nogroup",       (uint64_t)RPMVERIFY_GROUP     },
-+       { "nomtime",       (uint64_t)RPMVERIFY_MTIME     },
-+       { "nomode",     (uint64_t)RPMVERIFY_MODE      },
-+       { "nordev",     (uint64_t)RPMVERIFY_RDEV      },
-        { "noconfigfiles", RPMVERIFY_SKIP_CONFIG      },
-        { "noghostfiles",  RPMVERIFY_SKIP_GHOST       },
-       { "nofiledigest", (uint64_t)VERIFY_FILEDIGEST },
-       { "nocaps", (uint64_t)VERIFY_CAPS }
-+       { "nofiledigest", (uint64_t)RPMVERIFY_FILEDIGEST },
-+       { "nocaps", (uint64_t)RPMVERIFY_CAPS }
- };
- 
- int rpmverifyfile_probe_main(probe_ctx *ctx, void *arg)
-- 
-2.22.0
diff --git a/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch b/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
deleted file mode 100644
index cc2be0ad3f..0000000000
--- a/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Tue, 11 Jun 2019 16:12:57 +0300
-Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
-VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
-checks, these checks are performed internally by rpm and failure in
-either will cause the entire header failing to load. These flags allow
-disabling that verification, but this doesn't make sense for openscap
-and doesn't work this way in rpm >= 4.15 anyway.
---
- .../probes/unix/linux/rpmverifypackage_probe.c     | 14 --------------
- 1 file changed, 14 deletions(-)
-diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-index ed6c714d8..06059ae47 100644
--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-@@ -69,9 +69,7 @@ typedef struct {
- 
- const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
-        { "nodeps",        (uint64_t)VERIFY_DEPS      , "--nodeps"},
-       { "nodigest",      (uint64_t)VERIFY_DIGEST    , "--nodigest"},
-        { "noscripts",     (uint64_t)VERIFY_SCRIPT    , "--noscript"},
-       { "nosignature",   (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
- };
- 
- struct rpmverify_res {
-@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
-                probe_item_ent_add(item, "dependency_check_passed", NULL, value);
-                SEXP_free(value);
-        }
-       if (res->vflags & VERIFY_DIGEST) {
-               dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
-               value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
-               probe_item_ent_add(item, "digest_check_passed", NULL, value);
-               SEXP_free(value);
-       }
-        if (res->vflags & VERIFY_SCRIPT) {
-                dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
-                value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
-                probe_item_ent_add(item, "verification_script_successful", NULL, value);
-                SEXP_free(value);
-        }
-       if (res->vflags & VERIFY_SIGNATURE) {
-               dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
-               value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
-               probe_item_ent_add(item, "signature_check_passed", NULL, value);
-               SEXP_free(value);
-       }
- 
-        return probe_item_collect(ctx, item) == 2 ? 1 : 0;
- }
-- 
-2.22.0
diff --git a/testing/openscap/APKBUILD b/testing/openscap/APKBUILD
index 69352dd396..46735ddb28 100644
--- a/testing/openscap/APKBUILD
+++ b/testing/openscap/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Francesco Colista <fcolista@alpinelinux.org>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openscap
-pkgver=1.3.1
+pkgver=1.3.2
-pkgrel=7
+pkgrel=0
 pkgdesc="NIST Certified SCAP 1.2 toolkit"
 url="https://www.open-scap.org/tools/openscap-base/"
 arch="all"
@@ -17,9 +17,6 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
 source="https://github.com/OpenSCAP/openscap/releases/download/$pkgver/openscap-$pkgver.tar.gz
        fix-ppc64le-path_max.patch
        path_mounted.patch
-        0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
-        0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
-        0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
        "
 prepare() {
@@ -54,9 +51,6 @@ bashcomp() {
                "$subpkgdir"/usr/share/bash-completion/completions/$pkgname
 }
-sha512sums="c42c59a19e3f71a4ef55daa82be7a2b66514dfe4a98b8e897a03d4785b25395a3508ff2457072d3ae123328a104cab054e64dcb52209ae77060542484439d859  openscap-1.3.1.tar.gz
+sha512sums="7f41c223d9ca1228a03cc4d16c4ee57279ec55954aa0c5b9d8fc602e267ab1fbd31bbb102fd556563a37091c3307e09487f0a85992eaf01d70b5812455ab0235  openscap-1.3.2.tar.gz
 70bcc718e473862ecac22752ad553c5a520e42207688960403e3d7b9caefc7868fc4d81379a07d3c50fdd9373caab5ac91f758f306d1e3d2bbf355618674b611  fix-ppc64le-path_max.patch
-f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9  path_mounted.patch
+f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9  path_mounted.patch"
-b95065c7bcb808fe85c971b1fc311f800a26a77391e7a652a3659ce0d5cb6bc89ea50d054d47a459078a9e6101ac44fb1fedc1e3cc84e101915b81f9b625cee5  0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
-dffa0244a20df1f7935ebbbf16f38a1d4e0db5ec770a47cd353d923abee8b9472cb6f380c5d022b27f50b59a9702bfd7ae943f17b9bfdd3634c921a939b7c76d  0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
-539d4e6bbed1a16724a103e6d72e9e468ef3babdd55e1aa13e8fdf3202982dd1a3c8e17a41f1656051d826dc125539b6dec89885a44bf90980b500b2f7d1143b  0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch"
author	Leo <thinkabit.ukim@gmail.com>	2020-01-22 01:12:53 +0100
committer	Leo <thinkabit.ukim@gmail.com>	2020-01-22 01:23:01 +0100
commit	b3ab1bd2e90b049fd26c9526cec0d888893d42fa (patch)
tree	e7de0aec502d9c6780ae1ffc3d27fc7447e64f50
parent	73785f5456576a862f24518ebcaf21527ae85fbf (diff)
download	alpine_aports-b3ab1bd2e90b049fd26c9526cec0d888893d42fa.tar.bz2 alpine_aports-b3ab1bd2e90b049fd26c9526cec0d888893d42fa.tar.xz alpine_aports-b3ab1bd2e90b049fd26c9526cec0d888893d42fa.zip

diff --git a/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch b/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch deleted file mode 100644 index aa78a80064..0000000000 --- a/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch +++ /dev/null
@@ -1,67 +0,0 @@
1	From e09334091d5678b666ea4e92d1a4b55838aa1a41 Mon Sep 17 00:00:00 2001
2	From: Panu Matilainen <pmatilai@redhat.com>
3	Date: Tue, 11 Jun 2019 16:12:55 +0300
4	Subject: [PATCH 1/3] Handle rpmVerifyFile() removal in rpm >= 4.15
5
6	Using rpmfiVerify() directly would be simpler but if upstream wants
7	to preserve compatibility with older rpms...
8	---
9	CMakeLists.txt \| 1 +
10	src/OVAL/probes/unix/linux/rpm-helper.c \| 12 ++++++++++++
11	src/OVAL/probes/unix/linux/rpm-helper.h \| 5 +++++
12	3 files changed, 18 insertions(+)
13
14	diff --git a/CMakeLists.txt b/CMakeLists.txt
15	index 720d8d8eb..058319599 100644
16	--- a/CMakeLists.txt
17	+++ b/CMakeLists.txt
18	@@ -132,6 +132,7 @@ if(RPM_FOUND)
19	check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
20	check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
21	check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
22	+ check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
23	set(HAVE_RPMVERCMP 1)
24	endif()
25
26	diff --git a/src/OVAL/probes/unix/linux/rpm-helper.c b/src/OVAL/probes/unix/linux/rpm-helper.c
27	index bfb95c363..4d23cf202 100644
28	--- a/src/OVAL/probes/unix/linux/rpm-helper.c
29	+++ b/src/OVAL/probes/unix/linux/rpm-helper.c
30	@@ -32,6 +32,18 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data)
31	}
32	#endif
33
34	+#ifndef HAVE_RPMVERIFYFILE
35	+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
36	+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask)
37	+{
38	+ rpmVerifyAttrs vfy = rpmfiVerify(fi, omitMask);
39	+ if (res)
40	+ *res = vfy;
41	+
42	+ return (vfy & RPMVERIFY_LSTATFAIL) ? 1 : 0;
43	+}
44	+#endif
45	+
46	void rpmLibsPreload()
47	{
48	// Don't load rpmrc files. The are useless for us,
49	diff --git a/src/OVAL/probes/unix/linux/rpm-helper.h b/src/OVAL/probes/unix/linux/rpm-helper.h
50	index 4e9af8702..f879a5a5b 100644
51	--- a/src/OVAL/probes/unix/linux/rpm-helper.h
52	+++ b/src/OVAL/probes/unix/linux/rpm-helper.h
53	@@ -87,6 +87,11 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data);
54	#define DISABLE_PLUGINS(ts) rpmDefineMacro(NULL,"__plugindir \"\"", 0);
55	#endif
56
57	+#ifndef HAVE_RPMVERIFYFILE
58	+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
59	+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask);
60	+#endif
61	+
62	/**
63	* Preload libraries required by rpm
64	* It destroy error callback!
65	--
66	2.22.0
67


diff --git a/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch b/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch deleted file mode 100644 index 4294235348..0000000000 --- a/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch +++ /dev/null
@@ -1,99 +0,0 @@
1	From 9db9474dd092a67e37af54a2eb898cea625a98cd Mon Sep 17 00:00:00 2001
2	From: Panu Matilainen <pmatilai@redhat.com>
3	Date: Tue, 11 Jun 2019 16:12:56 +0300
4	Subject: [PATCH 2/3] Refer to the RPMVERIFY_* constants instead of VERIFY_*
5	counterparts
6
7	The RPMVERIFY_* values always refer to corresponding file verification
8	attributes, which is what we're dealing with here. The VERIFY_*
9	constants do not exist in all versions, and include things that
10	do not make any sense at all for files anyway, such as VERIFY_DEPS
11	and VERIFY_SCRIPT which are package-level operations and VERIFY_SIGNATURE
12	and VERIFY_DIGEST which are not verify operations at all.
13	---
14	src/OVAL/probes/unix/linux/rpmverify_probe.c \| 21 ++++++----------
15	.../probes/unix/linux/rpmverifyfile_probe.c \| 25 +++++++++----------
16	2 files changed, 20 insertions(+), 26 deletions(-)
17
18	diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
19	index 07bd09d84..dbc9523ba 100644
20	--- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
21	+++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
22	@@ -303,19 +303,14 @@ typedef struct {
23	} rpmverify_bhmap_t;
24
25	const rpmverify_bhmap_t rpmverify_bhmap[] = {
26	- { "nodeps", (uint64_t)VERIFY_DEPS },
27	- { "nodigest", (uint64_t)VERIFY_DIGEST },
28	- { "nofiles", (uint64_t)VERIFY_FILES },
29	- { "noscripts", (uint64_t)VERIFY_SCRIPT },
30	- { "nosignature", (uint64_t)VERIFY_SIGNATURE },
31	- { "nolinkto", (uint64_t)VERIFY_LINKTO },
32	- { "nomd5", (uint64_t)VERIFY_MD5 },
33	- { "nosize", (uint64_t)VERIFY_SIZE },
34	- { "nouser", (uint64_t)VERIFY_USER },
35	- { "nogroup", (uint64_t)VERIFY_GROUP },
36	- { "nomtime", (uint64_t)VERIFY_MTIME },
37	- { "nomode", (uint64_t)VERIFY_MODE },
38	- { "nordev", (uint64_t)VERIFY_RDEV },
39	+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
40	+ { "nomd5", (uint64_t)RPMVERIFY_MD5 },
41	+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
42	+ { "nouser", (uint64_t)RPMVERIFY_USER },
43	+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
44	+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
45	+ { "nomode", (uint64_t)RPMVERIFY_MODE },
46	+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
47	{ "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
48	{ "noghostfiles", RPMVERIFY_SKIP_GHOST }
49	};
50	diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
51	index d81728ebe..10fcdf8df 100644
52	--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
53	+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
54	@@ -83,11 +83,10 @@ struct rpmverify_res {
55	* They all have the same value (1) - see 'rpm/rpmvf.h'.
56	*/
57	#define RPMVERIFY_FILEDIGEST RPMVERIFY_MD5
58	- #define VERIFY_FILEDIGEST VERIFY_MD5
59	- /* VERIFY_CAPS is not supported in older rpmlib.
60	+ /* RPMVERIFY_CAPS is not supported in older rpmlib.
61	* We can set it to 0 because 0 is neutral to bit OR operation.
62	*/
63	- #define VERIFY_CAPS 0
64	+ #define RPMVERIFY_CAPS 0
65	#endif
66
67	#define RPMVERIFY_LOCK RPM_MUTEX_LOCK(&g_rpm->mutex)
68	@@ -423,18 +422,18 @@ typedef struct {
69	} rpmverifyfile_bhmap_t;
70
71	const rpmverifyfile_bhmap_t rpmverifyfile_bhmap[] = {
72	- { "nolinkto", (uint64_t)VERIFY_LINKTO },
73	- { "nomd5", (uint64_t)VERIFY_MD5 }, // deprecated since OVAL 5.11.1
74	- { "nosize", (uint64_t)VERIFY_SIZE },
75	- { "nouser", (uint64_t)VERIFY_USER },
76	- { "nogroup", (uint64_t)VERIFY_GROUP },
77	- { "nomtime", (uint64_t)VERIFY_MTIME },
78	- { "nomode", (uint64_t)VERIFY_MODE },
79	- { "nordev", (uint64_t)VERIFY_RDEV },
80	+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
81	+ { "nomd5", (uint64_t)RPMVERIFY_MD5 }, // deprecated since OVAL 5.11.1
82	+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
83	+ { "nouser", (uint64_t)RPMVERIFY_USER },
84	+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
85	+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
86	+ { "nomode", (uint64_t)RPMVERIFY_MODE },
87	+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
88	{ "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
89	{ "noghostfiles", RPMVERIFY_SKIP_GHOST },
90	- { "nofiledigest", (uint64_t)VERIFY_FILEDIGEST },
91	- { "nocaps", (uint64_t)VERIFY_CAPS }
92	+ { "nofiledigest", (uint64_t)RPMVERIFY_FILEDIGEST },
93	+ { "nocaps", (uint64_t)RPMVERIFY_CAPS }
94	};
95
96	int rpmverifyfile_probe_main(probe_ctx ctx, void arg)
97	--
98	2.22.0
99


diff --git a/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch b/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch deleted file mode 100644 index cc2be0ad3f..0000000000 --- a/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch +++ /dev/null
@@ -1,56 +0,0 @@
1	From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
2	From: Panu Matilainen <pmatilai@redhat.com>
3	Date: Tue, 11 Jun 2019 16:12:57 +0300
4	Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
5
6	VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
7	checks, these checks are performed internally by rpm and failure in
8	either will cause the entire header failing to load. These flags allow
9	disabling that verification, but this doesn't make sense for openscap
10	and doesn't work this way in rpm >= 4.15 anyway.
11	---
12	.../probes/unix/linux/rpmverifypackage_probe.c \| 14 --------------
13	1 file changed, 14 deletions(-)
14
15	diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
16	index ed6c714d8..06059ae47 100644
17	--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
18	+++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
19	@@ -69,9 +69,7 @@ typedef struct {
20
21	const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
22	{ "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},
23	- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},
24	{ "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},
25	- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
26	};
27
28	struct rpmverify_res {
29	@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx ctx, struct rpmverify_res res)
30	probe_item_ent_add(item, "dependency_check_passed", NULL, value);
31	SEXP_free(value);
32	}
33	- if (res->vflags & VERIFY_DIGEST) {
34	- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
35	- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
36	- probe_item_ent_add(item, "digest_check_passed", NULL, value);
37	- SEXP_free(value);
38	- }
39	if (res->vflags & VERIFY_SCRIPT) {
40	dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
41	value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
42	probe_item_ent_add(item, "verification_script_successful", NULL, value);
43	SEXP_free(value);
44	}
45	- if (res->vflags & VERIFY_SIGNATURE) {
46	- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
47	- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
48	- probe_item_ent_add(item, "signature_check_passed", NULL, value);
49	- SEXP_free(value);
50	- }
51
52	return probe_item_collect(ctx, item) == 2 ? 1 : 0;
53	}
54	--
55	2.22.0
56


diff --git a/testing/openscap/APKBUILD b/testing/openscap/APKBUILD index 69352dd396..46735ddb28 100644 --- a/testing/openscap/APKBUILD +++ b/testing/openscap/APKBUILD
@@ -1,8 +1,8 @@
1	# Contributor: Francesco Colista <fcolista@alpinelinux.org>	1	# Contributor: Francesco Colista <fcolista@alpinelinux.org>
2	# Maintainer: Francesco Colista <fcolista@alpinelinux.org>	2	# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
3	pkgname=openscap	3	pkgname=openscap
4	pkgver=1.3.1	4	pkgver=1.3.2
5	pkgrel=7	5	pkgrel=0
6	pkgdesc="NIST Certified SCAP 1.2 toolkit"	6	pkgdesc="NIST Certified SCAP 1.2 toolkit"
7	url="https://www.open-scap.org/tools/openscap-base/"	7	url="https://www.open-scap.org/tools/openscap-base/"
8	arch="all"	8	arch="all"
@@ -17,9 +17,6 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
17	source="https://github.com/OpenSCAP/openscap/releases/download/$pkgver/openscap-$pkgver.tar.gz	17	source="https://github.com/OpenSCAP/openscap/releases/download/$pkgver/openscap-$pkgver.tar.gz
18	fix-ppc64le-path_max.patch	18	fix-ppc64le-path_max.patch
19	path_mounted.patch	19	path_mounted.patch
20	0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
21	0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
22	0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
23	"	20	"
24		21
25	prepare() {	22	prepare() {
@@ -54,9 +51,6 @@ bashcomp() {
54	"$subpkgdir"/usr/share/bash-completion/completions/$pkgname	51	"$subpkgdir"/usr/share/bash-completion/completions/$pkgname
55	}	52	}
56		53
57	sha512sums="c42c59a19e3f71a4ef55daa82be7a2b66514dfe4a98b8e897a03d4785b25395a3508ff2457072d3ae123328a104cab054e64dcb52209ae77060542484439d859 openscap-1.3.1.tar.gz	54	sha512sums="7f41c223d9ca1228a03cc4d16c4ee57279ec55954aa0c5b9d8fc602e267ab1fbd31bbb102fd556563a37091c3307e09487f0a85992eaf01d70b5812455ab0235 openscap-1.3.2.tar.gz
58	70bcc718e473862ecac22752ad553c5a520e42207688960403e3d7b9caefc7868fc4d81379a07d3c50fdd9373caab5ac91f758f306d1e3d2bbf355618674b611 fix-ppc64le-path_max.patch	55	70bcc718e473862ecac22752ad553c5a520e42207688960403e3d7b9caefc7868fc4d81379a07d3c50fdd9373caab5ac91f758f306d1e3d2bbf355618674b611 fix-ppc64le-path_max.patch
59	f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9 path_mounted.patch	56	f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9 path_mounted.patch"
60	b95065c7bcb808fe85c971b1fc311f800a26a77391e7a652a3659ce0d5cb6bc89ea50d054d47a459078a9e6101ac44fb1fedc1e3cc84e101915b81f9b625cee5 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
61	dffa0244a20df1f7935ebbbf16f38a1d4e0db5ec770a47cd353d923abee8b9472cb6f380c5d022b27f50b59a9702bfd7ae943f17b9bfdd3634c921a939b7c76d 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
62	539d4e6bbed1a16724a103e6d72e9e468ef3babdd55e1aa13e8fdf3202982dd1a3c8e17a41f1656051d826dc125539b6dec89885a44bf90980b500b2f7d1143b 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch"