author | Leo <thinkabit.ukim@gmail.com> | 2020-01-22 01:12:53 +0100 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-01-22 01:23:01 +0100 |
commit | b3ab1bd2e90b049fd26c9526cec0d888893d42fa (patch) | |
tree | e7de0aec502d9c6780ae1ffc3d27fc7447e64f50 | |
parent | 73785f5456576a862f24518ebcaf21527ae85fbf (diff) | |
testing/openscap: upgrade to 1.3.2
4 files changed, 4 insertions, 232 deletions
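--- a/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From e09334091d5678b666ea4e92d1a4b55838aa1a41 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Tue, 11 Jun 2019 16:12:55 +0300
-Subject: [PATCH 1/3] Handle rpmVerifyFile() removal in rpm >= 4.15
-
-Using rpmfiVerify() directly would be simpler but if upstream wants
-to preserve compatibility with older rpms...
----
-CMakeLists.txt | 1 +
-src/OVAL/probes/unix/linux/rpm-helper.c | 12 ++++++++++++
-src/OVAL/probes/unix/linux/rpm-helper.h | 5 +++++
-3 files changed, 18 insertions(+)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 720d8d8eb..058319599 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -132,6 +132,7 @@ if(RPM_FOUND)
-check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
-check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
-check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
-+ check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
-set(HAVE_RPMVERCMP 1)
-endif()
-
-diff --git a/src/OVAL/probes/unix/linux/rpm-helper.c b/src/OVAL/probes/unix/linux/rpm-helper.c
-index bfb95c363..4d23cf202 100644
---- a/src/OVAL/probes/unix/linux/rpm-helper.c
-+++ b/src/OVAL/probes/unix/linux/rpm-helper.c
-@@ -32,6 +32,18 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data)
-}
-#endif
-
-+#ifndef HAVE_RPMVERIFYFILE
-+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
-+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask)
-+{
-+ rpmVerifyAttrs vfy = rpmfiVerify(fi, omitMask);
-+ if (res)
-+ *res = vfy;
-+
-+ return (vfy & RPMVERIFY_LSTATFAIL) ? 1 : 0;
-+}
-+#endif
-+
-void rpmLibsPreload()
-{
-// Don't load rpmrc files. The are useless for us,
-diff --git a/src/OVAL/probes/unix/linux/rpm-helper.h b/src/OVAL/probes/unix/linux/rpm-helper.h
-index 4e9af8702..f879a5a5b 100644
---- a/src/OVAL/probes/unix/linux/rpm-helper.h
-+++ b/src/OVAL/probes/unix/linux/rpm-helper.h
-@@ -87,6 +87,11 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data);
-#define DISABLE_PLUGINS(ts) rpmDefineMacro(NULL,"__plugindir \"\"", 0);
-#endif
-
-+#ifndef HAVE_RPMVERIFYFILE
-+int rpmVerifyFile(const rpmts ts, const rpmfi fi,
-+ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask);
-+#endif
-+
-/**
-* Preload libraries required by rpm
-* It destroy error callback!
---
-2.22.0
-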
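--- a/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 9db9474dd092a67e37af54a2eb898cea625a98cd Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Tue, 11 Jun 2019 16:12:56 +0300
-Subject: [PATCH 2/3] Refer to the RPMVERIFY_* constants instead of VERIFY_*
-counterparts
-
-The RPMVERIFY_* values always refer to corresponding file verification
-attributes, which is what we're dealing with here. The VERIFY_*
-constants do not exist in all versions, and include things that
-do not make any sense at all for files anyway, such as VERIFY_DEPS
-and VERIFY_SCRIPT which are package-level operations and VERIFY_SIGNATURE
-and VERIFY_DIGEST which are not verify operations at all.
----
-src/OVAL/probes/unix/linux/rpmverify_probe.c | 21 ++++++----------
-.../probes/unix/linux/rpmverifyfile_probe.c | 25 +++++++++----------
-2 files changed, 20 insertions(+), 26 deletions(-)
-
-diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
-index 07bd09d84..dbc9523ba 100644
---- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
-@@ -303,19 +303,14 @@ typedef struct {
-} rpmverify_bhmap_t;
-
-const rpmverify_bhmap_t rpmverify_bhmap[] = {
-- { "nodeps", (uint64_t)VERIFY_DEPS },
-- { "nodigest", (uint64_t)VERIFY_DIGEST },
-- { "nofiles", (uint64_t)VERIFY_FILES },
-- { "noscripts", (uint64_t)VERIFY_SCRIPT },
-- { "nosignature", (uint64_t)VERIFY_SIGNATURE },
-- { "nolinkto", (uint64_t)VERIFY_LINKTO },
-- { "nomd5", (uint64_t)VERIFY_MD5 },
-- { "nosize", (uint64_t)VERIFY_SIZE },
-- { "nouser", (uint64_t)VERIFY_USER },
-- { "nogroup", (uint64_t)VERIFY_GROUP },
-- { "nomtime", (uint64_t)VERIFY_MTIME },
-- { "nomode", (uint64_t)VERIFY_MODE },
-- { "nordev", (uint64_t)VERIFY_RDEV },
-+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
-+ { "nomd5", (uint64_t)RPMVERIFY_MD5 },
-+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
-+ { "nouser", (uint64_t)RPMVERIFY_USER },
-+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
-+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
-+ { "nomode", (uint64_t)RPMVERIFY_MODE },
-+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
-{ "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
-{ "noghostfiles", RPMVERIFY_SKIP_GHOST }
-};
-diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-index d81728ebe..10fcdf8df 100644
---- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
-@@ -83,11 +83,10 @@ struct rpmverify_res {
-* They all have the same value (1) - see 'rpm/rpmvf.h'.
-*/
-#define RPMVERIFY_FILEDIGEST RPMVERIFY_MD5
-- #define VERIFY_FILEDIGEST VERIFY_MD5
-- /* VERIFY_CAPS is not supported in older rpmlib.
-+ /* RPMVERIFY_CAPS is not supported in older rpmlib.
-* We can set it to 0 because 0 is neutral to bit OR operation.
-*/
-- #define VERIFY_CAPS 0
-+ #define RPMVERIFY_CAPS 0
-#endif
-
-#define RPMVERIFY_LOCK RPM_MUTEX_LOCK(&g_rpm->mutex)
-@@ -423,18 +422,18 @@ typedef struct {
-} rpmverifyfile_bhmap_t;
-
-const rpmverifyfile_bhmap_t rpmverifyfile_bhmap[] = {
-- { "nolinkto", (uint64_t)VERIFY_LINKTO },
-- { "nomd5", (uint64_t)VERIFY_MD5 }, // deprecated since OVAL 5.11.1
-- { "nosize", (uint64_t)VERIFY_SIZE },
-- { "nouser", (uint64_t)VERIFY_USER },
-- { "nogroup", (uint64_t)VERIFY_GROUP },
-- { "nomtime", (uint64_t)VERIFY_MTIME },
-- { "nomode", (uint64_t)VERIFY_MODE },
-- { "nordev", (uint64_t)VERIFY_RDEV },
-+ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
-+ { "nomd5", (uint64_t)RPMVERIFY_MD5 }, // deprecated since OVAL 5.11.1
-+ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
-+ { "nouser", (uint64_t)RPMVERIFY_USER },
-+ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
-+ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
-+ { "nomode", (uint64_t)RPMVERIFY_MODE },
-+ { "nordev", (uint64_t)RPMVERIFY_RDEV },
-{ "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
-{ "noghostfiles", RPMVERIFY_SKIP_GHOST },
-- { "nofiledigest", (uint64_t)VERIFY_FILEDIGEST },
-- { "nocaps", (uint64_t)VERIFY_CAPS }
-+ { "nofiledigest", (uint64_t)RPMVERIFY_FILEDIGEST },
-+ { "nocaps", (uint64_t)RPMVERIFY_CAPS }
-};
-
-int rpmverifyfile_probe_main(probe_ctx *ctx, void *arg)
---
-2.22.0
-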
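--- a/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Tue, 11 Jun 2019 16:12:57 +0300
-Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
-
-VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
-checks, these checks are performed internally by rpm and failure in
-either will cause the entire header failing to load. These flags allow
-disabling that verification, but this doesn't make sense for openscap
-and doesn't work this way in rpm >= 4.15 anyway.
----
-.../probes/unix/linux/rpmverifypackage_probe.c | 14 --------------
-1 file changed, 14 deletions(-)
-
-diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-index ed6c714d8..06059ae47 100644
---- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-+++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
-@@ -69,9 +69,7 @@ typedef struct {
-
-const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
-{ "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},
-- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},
-{ "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},
-- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
-};
-
-struct rpmverify_res {
-@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
-probe_item_ent_add(item, "dependency_check_passed", NULL, value);
-SEXP_free(value);
-}
-- if (res->vflags & VERIFY_DIGEST) {
-- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
-- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
-- probe_item_ent_add(item, "digest_check_passed", NULL, value);
-- SEXP_free(value);
-- }
-if (res->vflags & VERIFY_SCRIPT) {
-dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
-value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
-probe_item_ent_add(item, "verification_script_successful", NULL, value);
-SEXP_free(value);
-}
-- if (res->vflags & VERIFY_SIGNATURE) {
-- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
-- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
-- probe_item_ent_add(item, "signature_check_passed", NULL, value);
-- SEXP_free(value);
-- }
-
-return probe_item_collect(ctx, item) == 2 ? 1 : 0;
-}
---
-2.22.0
-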
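--- a/testing/openscap/APKBUILD
+++ b/testing/openscap/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Francesco Colista <fcolista@alpinelinux.org>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=openscap
-pkgver=1.3.1
-pkgrel=7
+pkgver=1.3.2
+pkgrel=0
 pkgdesc="NIST Certified SCAP 1.2 toolkit"
 url="https://www.open-scap.org/tools/openscap-base/"
 arch="all"
@@ -17,9 +17,6 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
 source="https://github.com/OpenSCAP/openscap/releases/download/$pkgver/openscap-$pkgver.tar.gz
 fix-ppc64le-path_max.patch
 path_mounted.patch
-0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
-0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
-0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
 "
 
 prepare() {
@@ -54,9 +51,6 @@ bashcomp() {
 "$subpkgdir"/usr/share/bash-completion/completions/$pkgname
 }
 
-sha512sums="c42c59a19e3f71a4ef55daa82be7a2b66514dfe4a98b8e897a03d4785b25395a3508ff2457072d3ae123328a104cab054e64dcb52209ae77060542484439d859 openscap-1.3.1.tar.gz
+sha512sums="7f41c223d9ca1228a03cc4d16c4ee57279ec55954aa0c5b9d8fc602e267ab1fbd31bbb102fd556563a37091c3307e09487f0a85992eaf01d70b5812455ab0235 openscap-1.3.2.tar.gz
 70bcc718e473862ecac22752ad553c5a520e42207688960403e3d7b9caefc7868fc4d81379a07d3c50fdd9373caab5ac91f758f306d1e3d2bbf355618674b611 fix-ppc64le-path_max.patch
-f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9 path_mounted.patch
-b95065c7bcb808fe85c971b1fc311f800a26a77391e7a652a3659ce0d5cb6bc89ea50d054d47a459078a9e6101ac44fb1fedc1e3cc84e101915b81f9b625cee5 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
-dffa0244a20df1f7935ebbbf16f38a1d4e0db5ec770a47cd353d923abee8b9472cb6f380c5d022b27f50b59a9702bfd7ae943f17b9bfdd3634c921a939b7c76d 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
-539d4e6bbed1a16724a103e6d72e9e468ef3babdd55e1aa13e8fdf3202982dd1a3c8e17a41f1656051d826dc125539b6dec89885a44bf90980b500b2f7d1143b 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
+f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9 path_mounted.patch"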