authorLeo <thinkabit.ukim@gmail.com>2019-11-22 16:49:11 +0100
committerLeo <thinkabit.ukim@gmail.com>2019-11-22 17:09:21 +0100
commit875db1da67b9991c2e374417755cabf7ebc6a712 (patch)
treee26708c477c53adfdbf4304e592c6fb01489eb33 /testing/openscap
parent36d78873d234395da1fb703c3fa4162af61bdb38 (diff)
downloadaports-875db1da67b9991c2e374417755cabf7ebc6a712.tar.bz2
aports-875db1da67b9991c2e374417755cabf7ebc6a712.tar.xz
testing/openscap: rebuild against new rpm
Diffstat (limited to 'testing/openscap')
-rw-r--r--testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch67
-rw-r--r--testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch99
-rw-r--r--testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch56
-rw-r--r--testing/openscap/APKBUILD17
4 files changed, 234 insertions, 5 deletions
diff --git a/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch b/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
new file mode 100644
index 0000000000..aa78a80064
--- /dev/null
+++ b/testing/openscap/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
@@ -0,0 +1,67 @@
+From e09334091d5678b666ea4e92d1a4b55838aa1a41 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 11 Jun 2019 16:12:55 +0300
+Subject: [PATCH 1/3] Handle rpmVerifyFile() removal in rpm >= 4.15
+
+Using rpmfiVerify() directly would be simpler but if upstream wants
+to preserve compatibility with older rpms...
+---
+ CMakeLists.txt | 1 +
+ src/OVAL/probes/unix/linux/rpm-helper.c | 12 ++++++++++++
+ src/OVAL/probes/unix/linux/rpm-helper.h | 5 +++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 720d8d8eb..058319599 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -132,6 +132,7 @@ if(RPM_FOUND)
+ check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
+ check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
+ check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
++ check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
+ set(HAVE_RPMVERCMP 1)
+ endif()
+
+diff --git a/src/OVAL/probes/unix/linux/rpm-helper.c b/src/OVAL/probes/unix/linux/rpm-helper.c
+index bfb95c363..4d23cf202 100644
+--- a/src/OVAL/probes/unix/linux/rpm-helper.c
++++ b/src/OVAL/probes/unix/linux/rpm-helper.c
+@@ -32,6 +32,18 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data)
+ }
+ #endif
+
++#ifndef HAVE_RPMVERIFYFILE
++int rpmVerifyFile(const rpmts ts, const rpmfi fi,
++ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask)
++{
++ rpmVerifyAttrs vfy = rpmfiVerify(fi, omitMask);
++ if (res)
++ *res = vfy;
++
++ return (vfy & RPMVERIFY_LSTATFAIL) ? 1 : 0;
++}
++#endif
++
+ void rpmLibsPreload()
+ {
+ // Don't load rpmrc files. The are useless for us,
+diff --git a/src/OVAL/probes/unix/linux/rpm-helper.h b/src/OVAL/probes/unix/linux/rpm-helper.h
+index 4e9af8702..f879a5a5b 100644
+--- a/src/OVAL/probes/unix/linux/rpm-helper.h
++++ b/src/OVAL/probes/unix/linux/rpm-helper.h
+@@ -87,6 +87,11 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data);
+ #define DISABLE_PLUGINS(ts) rpmDefineMacro(NULL,"__plugindir \"\"", 0);
+ #endif
+
++#ifndef HAVE_RPMVERIFYFILE
++int rpmVerifyFile(const rpmts ts, const rpmfi fi,
++ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask);
++#endif
++
+ /**
+ * Preload libraries required by rpm
+ * It destroy error callback!
+--
+2.22.0
+
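Review bot: The `HAVE_RPMVERIFYFILE` result that the new `check_library_exists` line in CMakeLists.txt produces only reaches the C preprocessor if it is also exported into config.h, and this patch touches no config.h.in (its diffstat lists CMakeLists.txt and the two rpm-helper files only). If openscap 1.3.1's config.h.in has no `#cmakedefine HAVE_RPMVERIFYFILE 1`, the `#ifndef HAVE_RPMVERIFYFILE` fallback in rpm-helper.c is compiled on every rpm version and defines a second `rpmVerifyFile` that shadows the library's on rpm < 4.15; harmless for the rpm >= 4.15 this rebuild targets, but worth confirming against the tarball. The shim also never reads its `ts` parameter; a `(void)ts;` as the first statement of the body keeps `-Wunused-parameter` builds quiet and records that the transaction set is deliberately ignored. A one-line comment above the shim stating what it stands in for, e.g. `/* Fallback for rpm >= 4.15, where rpmVerifyFile() was removed: wrap rpmfiVerify() and report lstat failure as the only hard error. */`, would help the next maintainer.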
diff --git a/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch b/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
new file mode 100644
index 0000000000..4294235348
--- /dev/null
+++ b/testing/openscap/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
@@ -0,0 +1,99 @@
+From 9db9474dd092a67e37af54a2eb898cea625a98cd Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 11 Jun 2019 16:12:56 +0300
+Subject: [PATCH 2/3] Refer to the RPMVERIFY_* constants instead of VERIFY_*
+ counterparts
+
+The RPMVERIFY_* values always refer to corresponding file verification
+attributes, which is what we're dealing with here. The VERIFY_*
+constants do not exist in all versions, and include things that
+do not make any sense at all for files anyway, such as VERIFY_DEPS
+and VERIFY_SCRIPT which are package-level operations and VERIFY_SIGNATURE
+and VERIFY_DIGEST which are not verify operations at all.
+---
+ src/OVAL/probes/unix/linux/rpmverify_probe.c | 21 ++++++----------
+ .../probes/unix/linux/rpmverifyfile_probe.c | 25 +++++++++----------
+ 2 files changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
+index 07bd09d84..dbc9523ba 100644
+--- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
+@@ -303,19 +303,14 @@ typedef struct {
+ } rpmverify_bhmap_t;
+
+ const rpmverify_bhmap_t rpmverify_bhmap[] = {
+- { "nodeps", (uint64_t)VERIFY_DEPS },
+- { "nodigest", (uint64_t)VERIFY_DIGEST },
+- { "nofiles", (uint64_t)VERIFY_FILES },
+- { "noscripts", (uint64_t)VERIFY_SCRIPT },
+- { "nosignature", (uint64_t)VERIFY_SIGNATURE },
+- { "nolinkto", (uint64_t)VERIFY_LINKTO },
+- { "nomd5", (uint64_t)VERIFY_MD5 },
+- { "nosize", (uint64_t)VERIFY_SIZE },
+- { "nouser", (uint64_t)VERIFY_USER },
+- { "nogroup", (uint64_t)VERIFY_GROUP },
+- { "nomtime", (uint64_t)VERIFY_MTIME },
+- { "nomode", (uint64_t)VERIFY_MODE },
+- { "nordev", (uint64_t)VERIFY_RDEV },
++ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
++ { "nomd5", (uint64_t)RPMVERIFY_MD5 },
++ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
++ { "nouser", (uint64_t)RPMVERIFY_USER },
++ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
++ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
++ { "nomode", (uint64_t)RPMVERIFY_MODE },
++ { "nordev", (uint64_t)RPMVERIFY_RDEV },
+ { "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
+ { "noghostfiles", RPMVERIFY_SKIP_GHOST }
+ };
+diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+index d81728ebe..10fcdf8df 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+@@ -83,11 +83,10 @@ struct rpmverify_res {
+ * They all have the same value (1) - see 'rpm/rpmvf.h'.
+ */
+ #define RPMVERIFY_FILEDIGEST RPMVERIFY_MD5
+- #define VERIFY_FILEDIGEST VERIFY_MD5
+- /* VERIFY_CAPS is not supported in older rpmlib.
++ /* RPMVERIFY_CAPS is not supported in older rpmlib.
+ * We can set it to 0 because 0 is neutral to bit OR operation.
+ */
+- #define VERIFY_CAPS 0
++ #define RPMVERIFY_CAPS 0
+ #endif
+
+ #define RPMVERIFY_LOCK RPM_MUTEX_LOCK(&g_rpm->mutex)
+@@ -423,18 +422,18 @@ typedef struct {
+ } rpmverifyfile_bhmap_t;
+
+ const rpmverifyfile_bhmap_t rpmverifyfile_bhmap[] = {
+- { "nolinkto", (uint64_t)VERIFY_LINKTO },
+- { "nomd5", (uint64_t)VERIFY_MD5 }, // deprecated since OVAL 5.11.1
+- { "nosize", (uint64_t)VERIFY_SIZE },
+- { "nouser", (uint64_t)VERIFY_USER },
+- { "nogroup", (uint64_t)VERIFY_GROUP },
+- { "nomtime", (uint64_t)VERIFY_MTIME },
+- { "nomode", (uint64_t)VERIFY_MODE },
+- { "nordev", (uint64_t)VERIFY_RDEV },
++ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
++ { "nomd5", (uint64_t)RPMVERIFY_MD5 }, // deprecated since OVAL 5.11.1
++ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
++ { "nouser", (uint64_t)RPMVERIFY_USER },
++ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
++ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
++ { "nomode", (uint64_t)RPMVERIFY_MODE },
++ { "nordev", (uint64_t)RPMVERIFY_RDEV },
+ { "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
+ { "noghostfiles", RPMVERIFY_SKIP_GHOST },
+- { "nofiledigest", (uint64_t)VERIFY_FILEDIGEST },
+- { "nocaps", (uint64_t)VERIFY_CAPS }
++ { "nofiledigest", (uint64_t)RPMVERIFY_FILEDIGEST },
++ { "nocaps", (uint64_t)RPMVERIFY_CAPS }
+ };
+
+ int rpmverifyfile_probe_main(probe_ctx *ctx, void *arg)
+--
+2.22.0
+
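Review bot: The rewritten `rpmverify_bhmap` in rpmverify_probe.c drops the `nodeps`, `nodigest`, `nofiles`, `noscripts` and `nosignature` entries without mapping them to anything, so an OVAL rpmverify_object that sets one of those behaviors now names a key that is absent from the table. How the loop that walks this table reacts to an unknown behavior name is outside the hunk; if it logs and continues the behaviors are quietly ignored, and if it errors, previously accepted content starts failing, so the choice deserves to be recorded next to the table, e.g. `/* No entries for nodeps, nodigest, nofiles, noscripts, nosignature: they are not per-file RPMVERIFY_* attributes and are intentionally unmapped here. */`. In rpmverifyfile_probe.c the renamed fallback `#define RPMVERIFY_CAPS 0` keeps the `nocaps` entry a no-op on old rpmlib exactly as `VERIFY_CAPS 0` did, which is fine as long as the enclosing `#if` (its condition starts above the hunk) still guards that block.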
diff --git a/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch b/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
new file mode 100644
index 0000000000..cc2be0ad3f
--- /dev/null
+++ b/testing/openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
@@ -0,0 +1,56 @@
+From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 11 Jun 2019 16:12:57 +0300
+Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
+
+VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
+checks, these checks are performed internally by rpm and failure in
+either will cause the entire header failing to load. These flags allow
+disabling that verification, but this doesn't make sense for openscap
+and doesn't work this way in rpm >= 4.15 anyway.
+---
+ .../probes/unix/linux/rpmverifypackage_probe.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+index ed6c714d8..06059ae47 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+@@ -69,9 +69,7 @@ typedef struct {
+
+ const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
+ { "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},
+- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},
+ { "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},
+- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
+ };
+
+ struct rpmverify_res {
+@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
+ probe_item_ent_add(item, "dependency_check_passed", NULL, value);
+ SEXP_free(value);
+ }
+- if (res->vflags & VERIFY_DIGEST) {
+- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
+- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
+- probe_item_ent_add(item, "digest_check_passed", NULL, value);
+- SEXP_free(value);
+- }
+ if (res->vflags & VERIFY_SCRIPT) {
+ dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
+ value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
+ probe_item_ent_add(item, "verification_script_successful", NULL, value);
+ SEXP_free(value);
+ }
+- if (res->vflags & VERIFY_SIGNATURE) {
+- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
+- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
+- probe_item_ent_add(item, "signature_check_passed", NULL, value);
+- SEXP_free(value);
+- }
+
+ return probe_item_collect(ctx, item) == 2 ? 1 : 0;
+ }
+--
+2.22.0
+
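Review bot: With the `VERIFY_DIGEST` and `VERIFY_SIGNATURE` branches removed from `rpmverifypackage_additem`, the probe never adds the `digest_check_passed` and `signature_check_passed` entities to a collected item, so any rpmverifypackage_state in SCAP content that tests those entities can no longer match, and `nodigest`/`nosignature` are no longer recognized in `rpmverifypackage_bhmap`. The patch description justifies this by rpm performing those checks itself when it loads a header, but what the probe does when that load fails, whether it reports an error or silently collects nothing, is decided outside this hunk and is the part a compliance auditor will ask about. A comment above the table recording the decision, e.g. `/* nodigest/nosignature intentionally unmapped: rpm >= 4.15 verifies header digest and signature itself and refuses to load a failing header, so there is no separate result to report. */`, would make the behavior change discoverable in the source rather than only in this patch's description. `rpmverifypackage_additem` begins above the hunk.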
diff --git a/testing/openscap/APKBUILD b/testing/openscap/APKBUILD
index 237b31418c..c5dc0e2d23 100644
--- a/testing/openscap/APKBUILD
+++ b/testing/openscap/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openscap
pkgver=1.3.1
-pkgrel=5
+pkgrel=6
pkgdesc="NIST Certified SCAP 1.2 toolkit"
url="https://www.open-scap.org/tools/openscap-base/"
arch="all"
@@ -14,9 +14,13 @@ makedepends="cmake python3-dev dbus-dev dbus-glib-dev bash libselinux-dev
libbz2 util-linux-dev nss-dev"
options="!check"
subpackages="$pkgname-dev $pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
-source="https://github.com/OpenSCAP/openscap/releases/download/$pkgver/$pkgname-$pkgver.tar.gz
-fix-ppc64le-path_max.patch
-path_mounted.patch"
+source="https://github.com/OpenSCAP/openscap/releases/download/$pkgver/openscap-$pkgver.tar.gz
+ fix-ppc64le-path_max.patch
+ path_mounted.patch
+ 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
+ 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
+ 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
+ "
prepare() {
default_prepare
@@ -52,4 +56,7 @@ bashcomp() {
sha512sums="c42c59a19e3f71a4ef55daa82be7a2b66514dfe4a98b8e897a03d4785b25395a3508ff2457072d3ae123328a104cab054e64dcb52209ae77060542484439d859 openscap-1.3.1.tar.gz
70bcc718e473862ecac22752ad553c5a520e42207688960403e3d7b9caefc7868fc4d81379a07d3c50fdd9373caab5ac91f758f306d1e3d2bbf355618674b611 fix-ppc64le-path_max.patch
-f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9 path_mounted.patch"
+f2157d6b1d31affe16edb184a287b69d28808123f1cc26a5a4238040d935517b307772b1f2d66271b8ee99b59a4d204930f9147b78478c83c36c7fc8718ec1d9 path_mounted.patch
+b95065c7bcb808fe85c971b1fc311f800a26a77391e7a652a3659ce0d5cb6bc89ea50d054d47a459078a9e6101ac44fb1fedc1e3cc84e101915b81f9b625cee5 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
+dffa0244a20df1f7935ebbbf16f38a1d4e0db5ec770a47cd353d923abee8b9472cb6f380c5d022b27f50b59a9702bfd7ae943f17b9bfdd3634c921a939b7c76d 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
+539d4e6bbed1a16724a103e6d72e9e468ef3babdd55e1aa13e8fdf3202982dd1a3c8e17a41f1656051d826dc125539b6dec89885a44bf90980b500b2f7d1143b 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch"