authorLeo <thinkabit.ukim@gmail.com>2019-11-22 16:49:11 +0100
committerLeo <thinkabit.ukim@gmail.com>2019-11-22 17:09:21 +0100
commit875db1da67b9991c2e374417755cabf7ebc6a712 (patch)
treee26708c477c53adfdbf4304e592c6fb01489eb33 /testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
parent36d78873d234395da1fb703c3fa4162af61bdb38 (diff)
testing/openscap: rebuild against new rpm
Diffstat (limited to 'testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch')
-rw-r--r--testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch b/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
new file mode 100644
index 0000000000..cc2be0ad3f
--- /dev/null
+++ b/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
@@ -0,0 +1,56 @@
+From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 11 Jun 2019 16:12:57 +0300
+Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
+
+VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
+checks, these checks are performed internally by rpm and failure in
+either will cause the entire header failing to load. These flags allow
+disabling that verification, but this doesn't make sense for openscap
+and doesn't work this way in rpm >= 4.15 anyway.
+---
+ .../probes/unix/linux/rpmverifypackage_probe.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+index ed6c714d8..06059ae47 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+@@ -69,9 +69,7 @@ typedef struct {
+
+ const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
+ { "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},
+- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},
+ { "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},
+- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
+ };
+
+ struct rpmverify_res {
+@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
+ probe_item_ent_add(item, "dependency_check_passed", NULL, value);
+ SEXP_free(value);
+ }
+- if (res->vflags & VERIFY_DIGEST) {
+- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
+- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
+- probe_item_ent_add(item, "digest_check_passed", NULL, value);
+- SEXP_free(value);
+- }
+ if (res->vflags & VERIFY_SCRIPT) {
+ dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
+ value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
+ probe_item_ent_add(item, "verification_script_successful", NULL, value);
+ SEXP_free(value);
+ }
+- if (res->vflags & VERIFY_SIGNATURE) {
+- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
+- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
+- probe_item_ent_add(item, "signature_check_passed", NULL, value);
+- SEXP_free(value);
+- }
+
+ return probe_item_collect(ctx, item) == 2 ? 1 : 0;
+ }
+--
+2.22.0
+
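Review bot: Nothing in the patched C source records why `rpmverifypackage_bhmap` no longer has `nodigest`/`nosignature` rows or why `rpmverifypackage_additem` no longer emits `digest_check_passed` and `signature_check_passed`; the rationale exists only in the patch description. A comment above the table would keep it next to the code, e.g. `/* nodigest/nosignature intentionally absent: rpm checks digest and signature itself when loading the header */`. OVAL content that still tests those two entities or sets those behaviors will presumably now find them missing rather than true or false, so it is worth confirming how the evaluator reports a state that references a dropped entity before relying on scan results for signature verification. The table's typedef and the body of `rpmverifypackage_additem` both start outside the inner hunks shown here.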