diff -Nru openscap-1.2.16/debian/changelog openscap-1.2.16/debian/changelog
--- openscap-1.2.16/debian/changelog 2023-01-31 13:27:43.000000000 +0100
+++ openscap-1.2.16/debian/changelog 2024-04-17 21:31:32.000000000 +0200
@@ -1,3 +1,9 @@
+openscap (1.2.16-2ubuntu3.4) focal; urgency=medium
+
+ * Fix segfault in systemdunitdependency probe (LP: #2062389)
+
+ -- Eduardo Barretto Wed, 17 Apr 2024 21:31:32 +0200
+
 openscap (1.2.16-2ubuntu3.3) focal; urgency=medium
 * Make dpkg version comparison less strict for epoch digit. (LP: #2004476)
diff -Nru openscap-1.2.16/debian/patches/fix-systemdunitdependency-segfault.path openscap-1.2.16/debian/patches/fix-systemdunitdependency-segfault.path
--- openscap-1.2.16/debian/patches/fix-systemdunitdependency-segfault.path 1970-01-01 01:00:00.000000000 +0100
+++ openscap-1.2.16/debian/patches/fix-systemdunitdependency-segfault.path 2024-04-17 21:31:03.000000000 +0200
@@ -0,0 +1,146 @@
+Backport of:
+From 716092b64973030ed6e6e85a02f7cbe464e8cfc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 27 Jan 2020 13:03:13 +0100
+Subject: [PATCH 1/6] Remove parameters that are always true
+
+This is a static function, called recursively, and the parameters
+are always true.
+---
+ .../unix/linux/systemdunitdependency_probe.c | 80 +++++++++----------
+ 1 file changed, 37 insertions(+), 43 deletions(-)
+
+Index: openscap-1.2.17/src/OVAL/probes/unix/linux/systemdunitdependency.c
+===================================================================
+--- openscap-1.2.17.orig/src/OVAL/probes/unix/linux/systemdunitdependency.c
++++ openscap-1.2.17/src/OVAL/probes/unix/linux/systemdunitdependency.c
+@@ -36,6 +36,8 @@
+ #include "common/list.h"
+ #include
+
++static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, SEXP_t *item, struct oscap_htable *visited_units);
++
+ static char *get_property_by_unit_path(DBusConnection *conn, const char *unit_path, const char *property)
+ {
+ DBusMessage *msg = NULL;
+@@ -134,7 +136,38 @@ static bool is_unit_name_a_target(const
+ return strncmp(unit + len - suffix_len, suffix, suffix_len) == 0;
+ }
+
+-static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, int(*callback)(const char *, void *), void *cbarg, bool include_requires, bool include_wants)
++static int add_unit_dependency(const char *dependency, SEXP_t *item, struct oscap_htable *visited_units)
++{
++ if (oscap_htable_get(visited_units, dependency) != NULL) {
++ return 1;
++ }
++ oscap_htable_add(visited_units, dependency, (void *) true);
++ SEXP_t *se_dependency = SEXP_string_new(dependency, strlen(dependency));
++ probe_item_ent_add(item, "dependency", NULL, se_dependency);
++ SEXP_free(se_dependency);
++ return 0;
++}
++
++static void process_unit_property(const char *property, DBusConnection *conn, const char *path, SEXP_t *item, struct oscap_htable *visited_units)
++{
++ char *values_s = get_property_by_unit_path(conn, path, property);
++ if (values_s) {
++ char **values = oscap_split(values_s, ", ");
++ for (int i = 0; values[i] != NULL; ++i) {
++ if (oscap_strcmp(values[i], "") == 0) {
++ continue;
++ }
++
++ if (add_unit_dependency(values[i], item, visited_units) == 0) {
++ get_all_dependencies_by_unit(conn, values[i], item, visited_units);
++ }
++ }
++ free(values);
++ }
++ free(values_s);
++}
++
++static void get_all_dependencies_by_unit(DBusConnection *conn, const char *unit, SEXP_t *item, struct oscap_htable *visited_units)
+ {
+ if (!unit || strcmp(unit, "(null)") == 0)
+ return;
+@@ -145,66 +178,12 @@ static void get_all_dependencies_by_unit
+
+ char *path = get_path_by_unit(conn, unit);
+
+- if (include_requires) {
+- char *requires_s = get_property_by_unit_path(conn, path, "Requires");
+- if (requires_s) {
+- char **requires = oscap_split(requires_s, ", ");
+- for (int i = 0; requires[i] != NULL; ++i) {
+- if (oscap_strcmp(requires[i], "") == 0)
+- continue;
+-
+- if (callback(requires[i], cbarg) == 0) {
+- get_all_dependencies_by_unit(conn, requires[i],
+- callback, cbarg,
+- include_requires, include_wants);
+- } else {
+- free(requires);
+- free(requires_s);
+- free(path);
+- return;
+- }
+- }
+- free(requires);
+- }
+- free(requires_s);
+- }
+-
+- if (include_wants) {
+- char *wants_s = get_property_by_unit_path(conn, path, "Wants");
+- if (wants_s)
+- {
+- char **wants = oscap_split(wants_s, ", ");
+- for (int i = 0; wants[i] != NULL; ++i) {
+- if (oscap_strcmp(wants[i], "") == 0)
+- continue;
+-
+- if (callback(wants[i], cbarg) == 0) {
+- get_all_dependencies_by_unit(conn, wants[i],
+- callback, cbarg,
+- include_requires, include_wants);
+- } else {
+- free(wants);
+- free(wants_s);
+- free(path);
+- return;
+- }
+- }
+- free(wants);
+- }
+- free(wants_s);
+- }
++ process_unit_property("Requires", conn, path, item, visited_units);
++ process_unit_property("Wants", conn, path, item, visited_units);
+
free(path);
+ }
+
+-static int dependency_callback(const char *dependency, void *cbarg)
+-{
+- SEXP_t *item = (SEXP_t *)cbarg;
+- SEXP_t *se_dependency = SEXP_string_new(dependency, strlen(dependency));
+- probe_item_ent_add(item, "dependency", NULL, se_dependency);
+- return 0;
+-}
+-
+ static int unit_callback(const char *unit, void *cbarg)
+ {
+ struct unit_callback_vars *vars = (struct unit_callback_vars *)cbarg;
+@@ -220,8 +199,9 @@ static int unit_callback(const char *uni
+ "unit", OVAL_DATATYPE_SEXP, se_unit,
+ NULL);
+
+- get_all_dependencies_by_unit(vars->dbus_conn, unit,
+- dependency_callback, item, true, true);
++ struct oscap_htable *visited_units = oscap_htable_new();
++ get_all_dependencies_by_unit(vars->dbus_conn, unit, item, visited_units);
++ oscap_htable_free(visited_units, NULL);
+
+ probe_item_collect(vars->ctx, item);
+ SEXP_free(se_unit);
diff -Nru openscap-1.2.16/debian/patches/series openscap-1.2.16/debian/patches/series
--- openscap-1.2.16/debian/patches/series 2023-01-31 13:27:43.000000000 +0100
+++ openscap-1.2.16/debian/patches/series 2024-04-17 21:31:03.000000000 +0200
@@ -13,3 +13,4 @@
 dpkg-version-comparison-3.patch
 debian-epoch-less-strict.patch
 allow-DS-session-to-continue-without-remote-resource.patch
+fix-systemdunitdependency-segfault.path
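Review bot: In `process_unit_property`, each `values[i]` handed to `add_unit_dependency` becomes a key in `visited_units`, yet `values` and `values_s` are freed when the loop ends while the table lives until `unit_callback` releases it; the cycle guard is only memory-safe if `oscap_htable_add` stores its own copy of the key. That helper is not shown in this patch, so confirm it and record the assumption next to the call, e.g. `/* htable copies the key; values[i] is freed after the loop */`. The results of `oscap_split` and of `oscap_htable_new()` in `unit_callback` are also used unchecked, and a guard such as `if (values == NULL) { free(values_s); return; }` would keep an allocation failure (if these helpers can return NULL) from turning into another NULL dereference in the probe. `get_all_dependencies_by_unit` and `unit_callback` both continue outside the quoted hunks.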