From b88de33708d2b96e3e834a51ab3bd7cfab860fb9 Mon Sep 17 00:00:00 2001
From: zhangxingrong <zhangxingrong@uniontech.com>
Date: Mon, 15 Jul 2024 14:46:33 +0800
Subject: [PATCH] add upstream patch

---
 ...-various-issues-reported-by-Coverity.patch | 78 +++++++++++++++++++
 openscap.spec                                 |  6 +-
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-various-issues-reported-by-Coverity.patch

diff --git a/backport-Fix-various-issues-reported-by-Coverity.patch b/backport-Fix-various-issues-reported-by-Coverity.patch
new file mode 100644
index 0000000..30c4392
--- /dev/null
+++ b/backport-Fix-various-issues-reported-by-Coverity.patch
@@ -0,0 +1,78 @@
+From cb8d27d0507b3fa760d973724e2c84db375a6be5 Mon Sep 17 00:00:00 2001
+From: David du Colombier <djc@datadoghq.com>
+Date: Wed, 25 Oct 2023 11:32:00 +0200
+Subject: [PATCH] Fix various issues reported by Coverity
+
+ - oval_sexp_to_sysitem: null pointer derefrence
+ - probe_worker: insecure chroot
+ - inetlisteningservers_probe_main: uninitialized memory
+ - rpmverifypackage_additem: invalid type in argument to printf format specifier
+---
+ src/OVAL/oval_sexp.c                                    | 2 ++
+ src/OVAL/probes/probe/worker.c                          | 6 +++---
+ src/OVAL/probes/unix/linux/inetlisteningservers_probe.c | 4 ++++
+ src/OVAL/probes/unix/linux/rpmverifypackage_probe.c     | 2 +-
+ 4 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/OVAL/oval_sexp.c b/src/OVAL/oval_sexp.c
+index cb2bdbffd64..3c9d625555d 100644
+--- a/src/OVAL/oval_sexp.c
++++ b/src/OVAL/oval_sexp.c
+@@ -965,6 +965,8 @@ static struct oval_sysitem *oval_sexp_to_sysitem(struct oval_syschar_model *mode
+         } else {
+ 		family = item_name;
+ 		char *endptr = strchr(family, ':');
++		if (endptr == NULL)
++			goto cleanup;
+ 		*endptr = '\0';
+ 		name = endptr + 1;
+ 		endptr = strrchr(name, '_');
+diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
+index cedb339d237..fddc1b39653 100644
+--- a/src/OVAL/probes/probe/worker.c
++++ b/src/OVAL/probes/probe/worker.c
+@@ -1021,13 +1021,13 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
+ 				dE("open(\".\") failed: %s", strerror(errno));
+ 				return NULL;
+ 			}
+-			if (chdir(rootdir) != 0) {
+-				dE("chdir failed: %s", strerror(errno));
+-			}
+ 
+ 			if (chroot(rootdir) != 0) {
+ 				dE("chroot failed: %s", strerror(errno));
+ 			}
++			if (chdir("/") != 0) {
++				dE("chdir failed: %s", strerror(errno));
++			}
+ 			/* NOTE: We're running in a different root directory.
+ 			 * Unless /proc, /sys are somehow emulated for the new
+ 			 * environment, they are not relevant and so are other
+diff --git a/src/OVAL/probes/unix/linux/inetlisteningservers_probe.c b/src/OVAL/probes/unix/linux/inetlisteningservers_probe.c
+index c600f0c9ef5..f3de85d886e 100644
+--- a/src/OVAL/probes/unix/linux/inetlisteningservers_probe.c
++++ b/src/OVAL/probes/unix/linux/inetlisteningservers_probe.c
+@@ -559,6 +559,10 @@ int inetlisteningservers_probe_main(probe_ctx *ctx, void *arg)
+ 
+         object = probe_ctx_getobject(ctx);
+ 	struct server_info *req = malloc(sizeof(struct server_info));
++	if (req == NULL)
++		return 0;
++	memset(req, 0, sizeof(*req));
++
+ 	req->protocol_ent = probe_obj_getent(object, "protocol", 1);
+ 	if (req->protocol_ent == NULL) {
+ 		err = PROBE_ENOVAL;
+diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+index 87a91240757..90d053aaaed 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+@@ -428,7 +428,7 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
+ 		SEXP_free(value);
+ 	}
+ 	if (res->vflags & VERIFY_SCRIPT) {
+-		dD("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
++		dD("VERIFY_SCRIPT %lu", res->vresults & VERIFY_SCRIPT);
+ 		value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
+ 		probe_item_ent_add(item, "verification_script_successful", NULL, value);
+ 		SEXP_free(value);
diff --git a/openscap.spec b/openscap.spec
index f408f46..336e24e 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -1,11 +1,12 @@
 Name:                      openscap
 Version:                   1.3.9
-Release:                   3
+Release:                   4
 Summary:                   An open source framework in order to provide a interface for using scap
 License:                   LGPLv2+
 URL:                       http://www.open-scap.org
 Source0:                   https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz
 Patch0:                    openscap-1.3.9-includes.patch
+Patch1:                    backport-Fix-various-issues-reported-by-Coverity.patch
 BuildRequires:             cmake >= 2.6 gcc gcc-c++ swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires:             rpm-devel libgcrypt-devel pcre2-devel libacl-devel libselinux-devel libcap-devel libblkid-devel
 BuildRequires:             bzip2-devel asciidoc openldap-devel GConf2-devel dbus-devel chrpath libcurl-devel >= 7.12.0
@@ -141,6 +142,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/*
 
 %changelog
+* Mon Jul 15 2024 zhangxingrong-<zhangxingrong@uniontech.cn> - 1.3.9-4
+- Fix various issues reported by Coverity
+
 * Mon Mar 4 2024 liyanan <liyanan61@h-partners.com> - 1.3.9-3
 - fix implicit declarations due to missing include
 
-- 
Gitee