|
 |
ac15c6 |
From f141dfd0311ec2be4c4c27814d9d6693551cfd76 Mon Sep 17 00:00:00 2001
|
|
|
ac15c6 |
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
|
ac15c6 |
Date: Thu, 27 Jan 2022 15:00:33 +0100
|
|
|
ac15c6 |
Subject: [PATCH 1/3] Fix shellcheck warning
|
|
|
ac15c6 |
|
|
|
ac15c6 |
Addressing:
|
|
|
ac15c6 |
|
|
|
ac15c6 |
Error: SHELLCHECK_WARNING (CWE-138): [#def1]
|
|
|
ac15c6 |
/usr/libexec/oscap-remediate:110:12: error[SC2145]: Argument mixes string and array. Use * or separate argument.
|
|
|
ac15c6 |
108| args+=( "--remediate" )
|
|
|
ac15c6 |
109| args+=( "${OSCAP_REMEDIATE_DS}" )
|
|
|
ac15c6 |
110|-> log "Args: ${args[@]}"
|
|
|
ac15c6 |
111|
|
|
|
ac15c6 |
112| # Now we are good to go
|
|
|
ac15c6 |
---
|
|
|
ac15c6 |
utils/oscap-remediate | 2 +-
|
|
|
ac15c6 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
ac15c6 |
|
|
|
ac15c6 |
diff --git a/utils/oscap-remediate b/utils/oscap-remediate
|
|
|
ac15c6 |
index fc0b7715f..52e29aa66 100755
|
|
|
ac15c6 |
--- a/utils/oscap-remediate
|
|
|
ac15c6 |
+++ b/utils/oscap-remediate
|
|
|
ac15c6 |
@@ -107,7 +107,7 @@ args+=( ${OSCAP_REMEDIATE_HTML_REPORT:+"--report=${OSCAP_REMEDIATE_HTML_REPORT}"
|
|
|
ac15c6 |
args+=( "--progress-full" )
|
|
|
ac15c6 |
args+=( "--remediate" )
|
|
|
ac15c6 |
args+=( "${OSCAP_REMEDIATE_DS}" )
|
|
|
ac15c6 |
-log "Args: ${args[@]}"
|
|
|
ac15c6 |
+log "Args: ${args[*]}"
|
|
|
ac15c6 |
|
|
|
ac15c6 |
# Now we are good to go
|
|
|
ac15c6 |
header="OpenSCAP is checking the system for compliance using"$'\n'"${profile_title}"$'\n\n'"Evaluating..."
|
|
|
ac15c6 |
|
|
|
ac15c6 |
From d3e7d5be1fcd55ef396de6070f877df0f2c2c58e Mon Sep 17 00:00:00 2001
|
|
|
ac15c6 |
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
|
ac15c6 |
Date: Thu, 27 Jan 2022 15:09:02 +0100
|
|
|
ac15c6 |
Subject: [PATCH 2/3] Remove superfluous strdup
|
|
|
ac15c6 |
|
|
|
ac15c6 |
We can do this because xccdf_session_set_rule calls strdup on the rule
|
|
|
ac15c6 |
parameter internally.
|
|
|
ac15c6 |
|
|
|
ac15c6 |
Addressing:
|
|
|
ac15c6 |
|
|
|
ac15c6 |
Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
|
|
|
ac15c6 |
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4148: alloc_fn: Storage is returned from allocation function "strdup".
|
|
|
ac15c6 |
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4148: var_assign: Assigning: "n_rule" = storage returned from "strdup(rule)".
|
|
|
ac15c6 |
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4149: noescape: Resource "n_rule" is not freed or pointed-to in "xccdf_session_set_rule".
|
|
|
ac15c6 |
openscap-1.3.6/build/swig/python3/CMakeFiles/_openscap_py.dir/openscapPYTHON_wrap.c:4150: leaked_storage: Variable "n_rule" going out of scope leaks the storage it points to.
|
|
|
ac15c6 |
4148| char *n_rule = strdup(rule);
|
|
|
ac15c6 |
4149| xccdf_session_set_rule(sess, n_rule);
|
|
|
ac15c6 |
4150|-> }
|
|
|
ac15c6 |
4151|
|
|
|
ac15c6 |
4152| void xccdf_session_free_py(struct xccdf_session *sess){
|
|
|
ac15c6 |
---
|
|
|
ac15c6 |
swig/openscap.i | 3 +--
|
|
|
ac15c6 |
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
ac15c6 |
|
|
|
ac15c6 |
diff --git a/swig/openscap.i b/swig/openscap.i
|
|
|
ac15c6 |
index 2fe1cce99..158a22675 100644
|
|
|
ac15c6 |
--- a/swig/openscap.i
|
|
|
ac15c6 |
+++ b/swig/openscap.i
|
|
|
ac15c6 |
@@ -559,8 +559,7 @@ struct xccdf_session {
|
|
|
ac15c6 |
};
|
|
|
ac15c6 |
|
|
|
ac15c6 |
void xccdf_session_set_rule_py(struct xccdf_session *sess, char *rule) {
|
|
|
ac15c6 |
- char *n_rule = strdup(rule);
|
|
|
ac15c6 |
- xccdf_session_set_rule(sess, n_rule);
|
|
|
ac15c6 |
+ xccdf_session_set_rule(sess, rule);
|
|
|
ac15c6 |
}
|
|
|
ac15c6 |
|
|
|
ac15c6 |
void xccdf_session_free_py(struct xccdf_session *sess){
|
|
|
ac15c6 |
|
|
|
ac15c6 |
From 6ef54336a018566a32f6a95177635ada7f20794e Mon Sep 17 00:00:00 2001
|
|
|
ac15c6 |
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
|
ac15c6 |
Date: Thu, 27 Jan 2022 15:16:02 +0100
|
|
|
ac15c6 |
Subject: [PATCH 3/3] Add a missing free
|
|
|
ac15c6 |
|
|
|
ac15c6 |
Addressing:
|
|
|
ac15c6 |
Error: RESOURCE_LEAK (CWE-772): [#def4] [important]
|
|
|
ac15c6 |
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2144: alloc_fn: Storage is returned from allocation function "oscap_htable_iterator_new".
|
|
|
ac15c6 |
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2144: var_assign: Assigning: "rit" = storage returned from "oscap_htable_iterator_new(policy->rules)".
|
|
|
ac15c6 |
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2145: noescape: Resource "rit" is not freed or pointed-to in "oscap_htable_iterator_has_more".
|
|
|
ac15c6 |
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2146: noescape: Resource "rit" is not freed or pointed-to in "oscap_htable_iterator_next_key".
|
|
|
ac15c6 |
openscap-1.3.6/src/XCCDF_POLICY/xccdf_policy.c:2150: leaked_storage: Variable "rit" going out of scope leaks the storage it points to.
|
|
|
ac15c6 |
2148| oscap_seterr(OSCAP_EFAMILY_XCCDF,
|
|
|
ac15c6 |
2149| "Rule '%s' not found in selected profile.", rule_id);
|
|
|
ac15c6 |
2150|-> return NULL;
|
|
|
ac15c6 |
2151| }
|
|
|
ac15c6 |
2152| }
|
|
|
ac15c6 |
---
|
|
|
ac15c6 |
src/XCCDF_POLICY/xccdf_policy.c | 1 +
|
|
|
ac15c6 |
1 file changed, 1 insertion(+)
|
|
|
ac15c6 |
|
|
|
ac15c6 |
diff --git a/src/XCCDF_POLICY/xccdf_policy.c b/src/XCCDF_POLICY/xccdf_policy.c
|
|
|
ac15c6 |
index b63853a38..4d4b7ad0a 100644
|
|
|
ac15c6 |
--- a/src/XCCDF_POLICY/xccdf_policy.c
|
|
|
ac15c6 |
+++ b/src/XCCDF_POLICY/xccdf_policy.c
|
|
|
ac15c6 |
@@ -2147,6 +2147,7 @@ struct xccdf_result * xccdf_policy_evaluate(struct xccdf_policy * policy)
|
|
|
ac15c6 |
if (oscap_htable_get(policy->rules_found, rule_id) == NULL) {
|
|
|
ac15c6 |
oscap_seterr(OSCAP_EFAMILY_XCCDF,
|
|
|
ac15c6 |
"Rule '%s' not found in selected profile.", rule_id);
|
|
|
ac15c6 |
+ oscap_htable_iterator_free(rit);
|
|
|
ac15c6 |
return NULL;
|
|
|
ac15c6 |
}
|
|
|
ac15c6 |
}
|