Package: libopenscap8
Version: 1.2.16-2
Severity: important
With Debian Buster, when I invoke "/bin/oscap oval eval --skip-valid
--results oval-definitions-buster.result.xml
oval-definitions-buster.xml" with the definition file downloaded from
https://www.debian.org/security/oval/oval-definitions-buster.xml the
evaluation fails with lots of segmentation faults in
/usr/lib/x86_64-linux-gnu/openscap/probe_dpkginfo
The following logs appear during execution:
Definition oval:org.debian:def:20177413: false
W: oscap: Can't receive message: 103, Software caused connection abort.
Definition oval:org.debian:def:20177407: error
[...]
Definition oval:org.debian:def:20177377: false
W: oscap: Can't receive message: 4, Interrupted system call.
E: oscap: Can't close sd: 10, No child processes.
E: oscap: Recv: retry limit (0) reached.
Definition oval:org.debian:def:20177376: true
W: oscap: Can't receive message: 4, Interrupted system call.
E: oscap: Can't close sd: 10, No child processes.
E: oscap: Recv: retry limit (0) reached.
Definition oval:org.debian:def:20177375: true
[...]
Can't connect to the probe [../../../src/OVAL/oval_probe_ext.c:468]
Invalid oval result type: -1.
[../../../../src/OVAL/results/oval_resultTest.c:179]
audit log:
type=ANOM_ABEND msg=audit(1563194718.360:317265): auid=0 uid=0 gid=0
ses=8882 pid=16312 comm="probe_worker"
exe="/usr/lib/x86_64-linux-gnu/openscap/probe_dpkginfo" sig=11 res=1
The process exits with return code 1 and no result file is generated.
The attached patch corrects this behaviour and makes the feature usable.
Upstream already has a bug report about the issue here:
https://github.com/OpenSCAP/openscap/issues/1367
Regards
--- a/src/OVAL/probes/unix/linux/dpkginfo-helper.cxx
+++ b/src/OVAL/probes/unix/linux/dpkginfo-helper.cxx
@@ -109,7 +109,7 @@
return reply;
}
-void * dpkginfo_free_reply(struct dpkginfo_reply_t *reply)
+void dpkginfo_free_reply(struct dpkginfo_reply_t *reply)
{
if (reply) {
free(reply->name);
--- a/src/OVAL/probes/unix/linux/dpkginfo-helper.h
+++ b/src/OVAL/probes/unix/linux/dpkginfo-helper.h
@@ -40,7 +40,7 @@
struct dpkginfo_reply_t * dpkginfo_get_by_name(const char *name, int *err);
-void * dpkginfo_free_reply(struct dpkginfo_reply_t *reply);
+void dpkginfo_free_reply(struct dpkginfo_reply_t *reply);
#ifdef __cplusplus
}