Oscap xccdf invocation will segfault, maybe due to libxslt patch

For context, we run a “tailored” XCCDF scan as part of our CI pipeline for our AlmaLinux-based appliance.

We noticed the pipeline failing recently; please find below a quick way to reproduce it:

docker run --rm -it almalinux:9
dnf install -y openscap scap-security-guide

The following RPM versions get installed:

 Package              Arch    Version                  Repository  Size
Installing:
 openscap             x86_64  1:1.3.10-2.el9_3.alma.1  appstream   1.9 M
 scap-security-guide  noarch  0.1.75-1.el9_5.alma.1    appstream   854 k
Installing dependencies:
 dbus-libs            x86_64  1:1.12.20-8.el9          baseos      151 k
 libtool-ltdl         x86_64  2.4.6-46.el9             appstream    34 k
 libxslt              x86_64  1.1.34-9.el9_5.2         appstream   239 k
 openscap-scanner     x86_64  1:1.3.10-2.el9_3.alma.1  appstream    57 k
 procps-ng            x86_64  3.3.17-14.el9            baseos      332 k
 xml-common           noarch  0.6.3-58.el9             appstream    31 k
 xmlsec1              x86_64  1.2.29-13.el9            appstream   188 k
 xmlsec1-openssl      x86_64  1.2.29-13.el9            appstream    89 k

Then, run oscap xccdf with the following arguments:

oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_ospp \
  --results-arf xccdf_results.xml \
  --report xccdf_report.html \
  /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml

You’ll see the usual set of pass/fail output for the various rules. However, rather than completing successfully, the run ends with:

realloc failed !
Segmentation fault (core dumped)

I tried adding --fetch-remote-resources, but the end result was the same.

This issue can be worked around with the following, which leads me to believe the problem lies in the most recent update of libxslt:

rpm -e --nodeps libxslt
dnf install -y libxslt-1.1.34-9.el9_5.1

It appears that the --report flag is what triggers the issue (with libxslt-1.1.34-9.el9_5.2 in play): by omitting it and running the following (without “downgrading” libxslt), oscap xccdf does not segfault:

oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_ospp \
  --results-arf xccdf_results.xml \
  /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml

One last note: we also use oscap oval eval for vulnerability management.

To avoid failing that particular test as well (using the latest OVAL feed data provided by AlmaLinux), we’re going to work around this for now by:

  1. omitting the --report flag from both the oval and xccdf invocations
  2. generating the respective “results XML” files
  3. applying the temporary libxslt downgrade
  4. using the respective generate subcommands to produce the desired HTML reports
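A scripted form of that four-step workaround, added here as an example and not part of the original report. It evaluates without --report, keeps the results XML, pins libxslt back to the earlier build only if the crashing one is installed (using dnf downgrade in place of the rpm -e --nodeps / dnf install pair above), and then renders the HTML with the generate subcommands. The OVAL_DEFS path (a local copy of the AlmaLinux OVAL feed), the output file names and the helper function names are assumptions. The one behaviour worth noting for CI is the exit-status handling: oscap returns 2 when the evaluation succeeded but the system is non-compliant (failed rules, or true OVAL definitions), and 1 or a signal status such as 139 when the tool itself failed, so the script treats 2 as a normal outcome and anything else as a broken run.

```shell
#!/bin/sh
# Added example (not code from the original report): scripts the four-step
# workaround. Evaluate without --report, keep the results XML, downgrade
# libxslt only if the crashing build is installed, then render HTML with the
# generate subcommands. Assumptions: OVAL_DEFS points at a local copy of the
# AlmaLinux OVAL feed, and the output file names are arbitrary.
set -eu

DS=/usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml
PROFILE=xccdf_org.ssgproject.content_profile_ospp
OVAL_DEFS=${OVAL_DEFS:-org.almalinux.alsa-9.xml}   # assumed local path
BAD_LIBXSLT=1.1.34-9.el9_5.2    # build that segfaults with --report (from the report)
GOOD_LIBXSLT=1.1.34-9.el9_5.1   # build the report downgrades to

# True when the libxslt VERSION-RELEASE is the build known to crash oscap --report.
libxslt_is_bad() { [ "$1" = "$BAD_LIBXSLT" ]; }

# Installed libxslt as VERSION-RELEASE, e.g. 1.1.34-9.el9_5.2
installed_libxslt() { rpm -q --qf '%{VERSION}-%{RELEASE}' libxslt; }

# oscap exit codes: 0 = evaluated, system compliant; 2 = evaluated, findings
# present (failed rules / true OVAL definitions); anything else = the tool
# itself failed, which is where a segfault (139 from the shell) would land.
eval_status() {
  case "$1" in
    0) echo ok ;;
    2) echo findings ;;
    *) echo error ;;
  esac
}

# Run one oscap evaluation; findings are not a script failure, errors are.
run_eval() {
  rc=0
  oscap "$@" || rc=$?
  if [ "$(eval_status "$rc")" = error ]; then
    echo "oscap $1 $2 failed with exit status $rc" >&2
    return 1
  fi
  echo "oscap $1 $2: $(eval_status "$rc")"
}

main() {
  # Steps 1 and 2: evaluate without --report, writing only the results XML.
  run_eval xccdf eval --profile "$PROFILE" --results-arf xccdf_results.xml "$DS"
  run_eval oval eval --results oval_results.xml "$OVAL_DEFS"

  # Step 3: pin libxslt to the earlier build only when the crashing one is present
  # (dnf downgrade replaces the rpm -e --nodeps / dnf install pair from the report).
  if libxslt_is_bad "$(installed_libxslt)"; then
    dnf -y downgrade "libxslt-$GOOD_LIBXSLT"
  fi

  # Step 4: render the HTML reports from the saved results XML (ARF is accepted
  # as input by xccdf generate report).
  oscap xccdf generate report --output xccdf_report.html xccdf_results.xml
  oscap oval generate report --output oval_report.html oval_results.xml
}

# Only run the pipeline where oscap exists; otherwise just define the helpers.
if command -v oscap >/dev/null 2>&1; then
  main "$@"
fi
```

Run it as root inside the container (or the CI image) after the dnf install above. The downgrade only works while the _5.1 build is still served by the appstream repo, which the dnf install command in the report shows it is; if the image is updated between steps, the versionlock dnf plugin can be used to hold that build, though that is outside what the report itself does.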