diff --git a/.gitignore b/.gitignore
index 945a894..21113d6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,5 @@ aide-0.14.tar.gz.asc
 /aide-0.16b1.tar.gz
 /aide-0.16rc1.tar.gz
 /aide-0.16.tar.gz
+/aide-0.19.2.tar.gz
+/aide-0.19.2.tar.gz.asc
diff --git a/aide-0.16-CVE-2021-45417.patch b/aide-0.16-CVE-2021-45417.patch
deleted file mode 100644
index 1752df3..0000000
--- a/aide-0.16-CVE-2021-45417.patch
+++ /dev/null
@@ -1,123 +0,0 @@ -diff --git a/include/base64.h b/include/base64.h -index 0ff7116..381ef5d 100644 ---- a/include/base64.h -+++ b/include/base64.h -@@ -36,7 +36,6 @@ - #include - #include "types.h" - --#define B64_BUF 16384 - #define FAIL -1 - #define SKIP -2 - -diff --git a/src/base64.c b/src/base64.c -index fd01bac..1b0f301 100644 ---- a/src/base64.c -+++ b/src/base64.c -@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL - }; - - /* Returns NULL on error */ --/* FIXME Possible buffer overflow on outputs larger than B64_BUF */ - char* encode_base64(byte* src,size_t ssize) - { - char* outbuf; -- char* retbuf; - int pos; - int i, l, left; - unsigned long triple; -@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize) - error(240,"\n"); - return NULL; - } -- outbuf = (char *)malloc(sizeof(char)*B64_BUF); -+ -+ /* length of encoded base64 string (padded) */ -+ size_t length = sizeof(char)* ((ssize + 2) / 3) * 4; -+ outbuf = (char *)malloc(length + 1); - - /* Initialize working pointers */ - inb = src; -@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize) - inb++; - } - -- /* outbuf is not completely used so we use retbuf */ -- retbuf=(char*)malloc(sizeof(char)*(pos+1)); -- memcpy(retbuf,outbuf,pos); -- retbuf[pos]='\0'; -- free(outbuf); -+ outbuf[pos]='\0'; - -- return retbuf; -+ return outbuf; - } - --/* FIXME Possible buffer overflow on outputs larger than B64_BUF */ - byte* decode_base64(char* src,size_t ssize, size_t *ret_len) - { - byte* outbuf; -- byte* retbuf; - char* inb; - int i; - int l; -@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len) - if (!ssize||src==NULL) - return NULL; - -+ /* exit on unpadded input */ -+ if (ssize % 4) { -+ error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src); -+ return NULL; -+ } -+ -+ /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */ -+ size_t length = sizeof(byte) * ((ssize / 4) * 3)- 
(src[ssize-1] == '=') - (src[ssize-2] == '='); - - /* Initialize working pointers */ - inb = src; -- outbuf = (byte *)malloc(sizeof(byte)*B64_BUF); -+ outbuf = (byte *)malloc(length + 1); - - l = 0; - triple = 0; -@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len) - inb++; - } - -- retbuf=(byte*)malloc(sizeof(byte)*(pos+1)); -- memcpy(retbuf,outbuf,pos); -- retbuf[pos]='\0'; -- -- free(outbuf); -+ outbuf[pos]='\0'; - - if (ret_len) *ret_len = pos; - -- return retbuf; -+ return outbuf; - } - - size_t length_base64(char* src,size_t ssize) -diff --git a/src/db.c b/src/db.c -index 858240d..62c4faa 100644 ---- a/src/db.c -+++ b/src/db.c -@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){ - - time_t base64totime_t(char* s){ - -+ if(strcmp(s,"0")==0){ -+ return 0; -+ } - byte* b=decode_base64(s,strlen(s),NULL); - char* endp; - -- if (b==NULL||strcmp(s,"0")==0) { -+ if (b==NULL) { - - /* Should we print error here? */ -- free(b); - - return 0; - } else { diff --git a/aide-0.16-CVE-2025-54389-part1.patch b/aide-0.16-CVE-2025-54389-part1.patch deleted file mode 100644 index b600868..0000000 --- a/aide-0.16-CVE-2025-54389-part1.patch +++ /dev/null 
@@ -1,292 +0,0 @@ -diff --git a/ChangeLog b/ChangeLog -index 263c438f4a2a38edc45f91c0d5a216112a8fa38c..6aa3de30b76ae98bebe89df49a7041bc6e50df25 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,27 +1,31 @@ -+2025-08-07 Hannes von Haugwitz -+ * Escape control characters in report and log output (CVE-2025-54389), -+ thanks to Rajesh Pangare for reporting this issue -+ - 2016-07-25 Hannes von Haugwitz -- * Release version 0.16 -+ * Release version 0.16 - - 2016-07-11 Hannes von Haugwitz - * Fix example aide.conf (xattr -> xattrs) - * aide.conf.5: update "SELECTION LINES" section - * Released version 0.16rc1 - - 2016-07-10 Hannes von Haugwitz - * Fix compilation with latest libaudit - * Use AC_PROG_CC_C99 instead of AC_PROG_CC - * Add AM_PROG_CC_C_O - * aide.conf.in: logfile -> file - * Update README - * Update manual pages (aide.1 and aide.conf.5) - - 2016-07-07 Hannes von Haugwitz - * Adapt manual to version 0.16 - - 2016-06-08 Hannes von Haugwitz - * Add missing break statements - - 2016-04-15 Hannes von Haugwitz - * Released version 0.16b1 - - 2016-04-13 Hannes von Haugwitz - * Fix spelling errors -diff --git a/include/util.h b/include/util.h -index 79988536c974ca83b14696380f6006031e0fa5e4..68e6ee2a905856bc7b73f1a67633585e0c1d814d 100644 ---- a/include/util.h -+++ b/include/util.h -@@ -22,48 +22,51 @@ - #ifndef _UTIL_H_INCLUDED - #define _UTIL_H_INCLUDED - #include - #include - #include "db_config.h" - - #define HEXD2ASC(x) (((x) < 10) ? ((x) + '0') : ((x) - 10 + 'A')) - - #define ASC2HEXD(x) (((x) >= '0' && (x) <= '9') ? \ - ((x) - '0') : (toupper(x) - 'A' + 10)) - - #define ISXDIGIT(x) isxdigit ((unsigned char)(x)) - - #define CLEANDUP(x) (contains_unsafe (x) ? 
encode_string (x) : strdup (x)) - - #ifndef HAVE_STRICMP - # define stricmp(a,b) strcasecmp( (a), (b) ) - #endif - - int cmpurl(url_t*, url_t*); - - url_t* parse_url(char*); - - int contains_unsafe(const char*); - -+char *strnesc(const char *, size_t); -+char *stresc(const char *); -+ - void decode_string(char*); - - char* encode_string(const char*); - - char* perm_to_char(mode_t perm); - - void sig_handler(int signal); - - void init_sighandler(void); - - char *expand_tilde(char * path); - - #ifndef HAVE_STRNSTR - char* strnstr(char* haystack,char* needle,int n); - #endif - - #ifndef HAVE_STRNLEN - size_t strnlen(const char *s, size_t maxlen); - #endif - - int syslog_facility_lookup(char *); - - #endif -diff --git a/src/aide.c b/src/aide.c -index f85c1b4b95301eb3e2cf9212093751f39ea49b10..b9b2e325cfffcd4f9f3ce4c0ae3d06dce7a6956b 100644 ---- a/src/aide.c -+++ b/src/aide.c -@@ -164,54 +164,58 @@ static int read_param(int argc,char**argv) - error(0,_("-B must have a parameter\n")); - exit(INVALID_ARGUMENT_ERROR); - } - break; - } - case 'A': { - if (optarg!=NULL) { - int errorno=commandconf('A',optarg); - if (errorno!=0){ - error(0,_("Configuration error in after statement:%s\n"),optarg); - exit(INVALID_CONFIGURELINE_ERROR); - } - } else { - error(0,_("-A must have a parameter\n")); - exit(INVALID_ARGUMENT_ERROR); - } - break; - } - case 'l': { - if (optarg!=NULL) { - const char* pcre_error; - int pcre_erroffset; - conf->limit=malloc(strlen(optarg)+1); - strcpy(conf->limit,optarg); - if((conf->limit_crx=pcre_compile(conf->limit, PCRE_ANCHORED, &pcre_error, &pcre_erroffset, NULL)) == NULL) { -- error(0,_("Error in limit regexp '%s' at %i: %s\n"), conf->limit, pcre_erroffset, pcre_error); -+ char *limit_safe = stresc(conf->limit); -+ error(0,_("Error in limit regexp '%s' at %i: %s\n"), limit_safe, pcre_erroffset, pcre_error); -+ free(limit_safe); - exit(INVALID_ARGUMENT_ERROR); - } -- error(200,_("Limit set to '%s'\n"), conf->limit); -+ char *limit_safe = 
stresc(conf->limit); -+ error(200,_("Limit set to '%s'\n"), limit_safe); -+ free(limit_safe); - } else { - error(0,_("-l must have an argument\n")); - exit(INVALID_ARGUMENT_ERROR); - } - break; - } - case 'r': { - if(optarg!=NULL) { - do_repurldef(optarg); - }else { - error(0,_("-r must have an argument\n")); - } - break; - } - case 'i': { - if(conf->action==0){ - conf->action=DO_INIT; - }else { - error(0, - _("Cannot have multiple commands on a single commandline.\n")); - exit(INVALID_ARGUMENT_ERROR); - }; - break; - } - case 'C': { -diff --git a/src/util.c b/src/util.c -index ea438273296fbac24fb5d83cd0f2661aa93c0c0a..c39ff352d7fd707471b6d6add8c099a3ca643b9d 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -2,89 +2,128 @@ - * - * Copyright (C) 1999-2002,2004-2006,2010,2011,2013,2016 Rami Lehti, Pablo - * Virolainen, Mike Markley, Richard van den Berg, Hannes von Haugwitz - * $Header$ - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. 
- * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - - #include "aide.h" - #include - #include - #include - #include -+#include - #include - #include - #include - /*for locale support*/ - #include "locale-aide.h" - /*for locale support*/ - - - #ifndef MAXHOSTNAMELEN - #define MAXHOSTNAMELEN 256 - #endif - - #include "report.h" - #include "db_config.h" - #include "util.h" - - #define URL_UNSAFE " <>\"#%{}|\\^~[]`@:\033'" - #define ISPRINT(c) (isascii(c) && isprint(c)) - - static const char* url_name[] = { - "file", "stdin", "stdout", "stderr", "fd", "sql", "syslog", "database", "https", "http", "ftp" }; - - static const int url_value[] = { - url_file, url_stdin, url_stdout,url_stderr,url_fd, url_sql, url_syslog, url_database, url_https, url_http, url_ftp }; - - const int url_ntypes=sizeof(url_value)/sizeof(URL_TYPE); - - int cmpurl(url_t* u1,url_t* u2) - { - if(u1->type!= u2->type){ - return RETFAIL; - }; - if(strcmp(u1->value,u2->value)!=0){ - return RETFAIL; - } - - return RETOK; - }; - -+static size_t escape_str(const char *unescaped_str, char *str, size_t s) { -+ size_t n = 0; -+ size_t i = 0; -+ char c; -+ while (i < s && (c = unescaped_str[i])) { -+ if ((c >= 0 && (c < 0x1f || c == 0x7f)) || -+ (c == '\\' && isdigit(unescaped_str[i+1]) -+ && isdigit(unescaped_str[i+2]) -+ && isdigit(unescaped_str[i+3]) -+ ) ) { -+ if (str) { snprintf(&str[n], 5, "\\%03o", c); } -+ n += 4; -+ } else { -+ if (str) { str[n] = c; } -+ n++; -+ } -+ i++; -+ } -+ if (str) { str[n] = '\0'; } -+ n++; -+ return n; -+} -+ -+char *strnesc(const char *unescaped_str, size_t s) { -+ int n = escape_str(unescaped_str, NULL, s); -+ char *str = malloc(n); -+ if (str == NULL) { -+ error(0, "malloc: failed to allocate %d bytes of memory\n", n); -+ exit(EXIT_FAILURE); -+ } -+ escape_str(unescaped_str, str, s); -+ return str; -+} -+ 
-+char *stresc(const char *unescaped_str) { -+ return strnesc(unescaped_str, strlen(unescaped_str)); -+} -+ - url_t* parse_url(char* val) - { - url_t* u=NULL; - char* r=NULL; - char* val_copy=NULL; - int i=0; - - if(val==NULL){ - return NULL; - } - - u=(url_t*)malloc(sizeof(url_t)); - - /* We don't want to modify the original hence strdup(val) */ - val_copy=strdup(val); - for(r=val_copy;r[0]!=':'&&r[0]!='\0';r++); - - if(r[0]!='\0'){ - r[0]='\0'; - r++; - } - u->type=url_unknown; - for(i=0;itype=url_value[i]; - diff --git a/aide-0.16-CVE-2025-54389-part2.patch b/aide-0.16-CVE-2025-54389-part2.patch deleted file mode 100644 index e5045cd..0000000 --- a/aide-0.16-CVE-2025-54389-part2.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -diff -U0 aide-0.16/ChangeLog.orig aide-0.16/ChangeLog -diff -up aide-0.16/doc/aide.1.in.orig aide-0.16/doc/aide.1.in -diff -up aide-0.16/doc/aide.1.orig aide-0.16/doc/aide.1 -diff -up aide-0.16/include/util.h.orig aide-0.16/include/util.h -diff -up aide-0.16/src/aide.c.orig aide-0.16/src/aide.c -diff -up aide-0.16/src/compare_db.c.orig aide-0.16/src/compare_db.c ---- aide-0.16/src/compare_db.c.orig 2025-08-20 16:40:25.219559352 +0200 -+++ aide-0.16/src/compare_db.c 2025-08-20 16:40:33.945999660 +0200 -@@ -526,15 +526,24 @@ static void print_line(seltree* node) { - } - } - summary[length]='\0'; -- error(2,"\n%s: %s", summary, (node->checked&NODE_REMOVED?node->old_data:node->new_data)->filename); -+ const char *rawname = (node->checked&NODE_REMOVED?node->old_data:node->new_data)->filename; -+ char *filename_safe = stresc(rawname); -+ error(2,"\n%s: %s", summary, filename_safe); -+ free(filename_safe); - free(summary); summary=NULL; - } else { - if (node->checked&NODE_ADDED) { -- error(2,"added: %s\n",(node->new_data)->filename); -+ char *filename_safe = stresc((node->new_data)->filename); -+ error(2,"added: %s\n",filename_safe); -+ free(filename_safe); - } else if (node->checked&NODE_REMOVED) { -- error(2,"removed: %s\n",(node->old_data)->filename); -+ char *filename_safe = stresc((node->old_data)->filename); -+ error(2,"removed: %s\n",filename_safe); -+ free(filename_safe); - } else if (node->checked&NODE_CHANGED) { -- error(2,"changed: %s\n",(node->new_data)->filename); -+ char *filename_safe = stresc((node->new_data)->filename); -+ error(2,"changed: %s\n",filename_safe); -+ free(filename_safe); - } - } - } -@@ -552,6 +561,9 @@ static void print_dbline_attributes(db_l - error(2,"%s: ", file_type); - } - error(2,"%s\n", (nline==NULL?oline:nline)->filename); -+ char *filename_safe = stresc((nline==NULL?oline:nline)->filename); -+ error(2,"%s\n", filename_safe); -+ free(filename_safe); - attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs); - 
for (j=0; j < length; ++j) { - if (details_attributes[j]&attrs) { -@@ -559,21 +571,35 @@ static void print_dbline_attributes(db_l - nnumber=get_attribute_values(details_attributes[j], nline, &nvalue); - i = 0; - while (i= 0 || nlen-p*k >= 0) { - c = k*(p-1); - if (!onumber) { -- error(2," %s%-9s%c %-*c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, ' ', p-1, nlen-c>0?&nvalue[i][c]:""); -+ error(2," %s%-9s%c %-*c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, ' ', p-1, nlen-c>0?&nvalue_safe[c]:""); - } else if (!nnumber) { -- error(2," %s%-9s%c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p-1, olen-c>0?&ovalue[i][c]:""); -+ error(2," %s%-9s%c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p-1, olen-c>0?&ovalue_safe[c]:""); - } else { -- error(2," %s%-9s%c %-*.*s| %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, p-1, olen-c>0?&ovalue[i][c]:"", p-1, nlen-c>0?&nvalue[i][c]:""); -+ error(2," %s%-9s%c %-*.*s| %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, p-1, olen-c>0?&ovalue_safe[c]:"", p-1, nlen-c>0?&nvalue_safe[c]:""); - } - k++; - } - ++i; -+ free(ovalue_safe); -+ free(nvalue_safe); - } - for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL; - for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL; -diff -up aide-0.16/src/error.c.orig aide-0.16/src/error.c -diff -up aide-0.16/src/gen_list.c.orig aide-0.16/src/gen_list.c -diff -up aide-0.16/src/util.c.orig aide-0.16/src/util.c diff --git a/aide-0.16-CVE-2025-54389.patch b/aide-0.16-CVE-2025-54389.patch deleted file mode 100644 index 7263d0e..0000000 --- a/aide-0.16-CVE-2025-54389.patch +++ /dev/null 
@@ -1,1662 +0,0 @@ -diff --git a/ChangeLog b/ChangeLog -index 263c438f4a2a38edc45f91c0d5a216112a8fa38c..5d286a8e07d0b3235f97272223175a1dd85848b2 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,27 +1,30 @@ -+2025-08-07 Hannes von Haugwitz -+ * Escape control characters in report and log output (CVE-2025-54389) -+ - 2016-07-25 Hannes von Haugwitz -- * Release version 0.16 -+ * Release version 0.16 - - 2016-07-11 Hannes von Haugwitz - * Fix example aide.conf (xattr -> xattrs) - * aide.conf.5: update "SELECTION LINES" section - * Released version 0.16rc1 - - 2016-07-10 Hannes von Haugwitz - * Fix compilation with latest libaudit - * Use AC_PROG_CC_C99 instead of AC_PROG_CC - * Add AM_PROG_CC_C_O - * aide.conf.in: logfile -> file - * Update README - * Update manual pages (aide.1 and aide.conf.5) - - 2016-07-07 Hannes von Haugwitz - * Adapt manual to version 0.16 - - 2016-06-08 Hannes von Haugwitz - * Add missing break statements - - 2016-04-15 Hannes von Haugwitz - * Released version 0.16b1 - - 2016-04-13 Hannes von Haugwitz - * Fix spelling errors -diff --git a/doc/aide.1.in b/doc/aide.1.in -index 932810eebd2eda353c2f30ce89a042e5f9d69a51..e932b8d0273e9144b09b3e1f8cf61cba2be12155 100644 ---- a/doc/aide.1.in -+++ b/doc/aide.1.in -@@ -71,51 +71,61 @@ output. See aide.conf (5) section URLS for available values. - Prints out the standard help message. - .PP - .SH DIAGNOSTICS - Normally, the exit status is 0 if no errors occurred. Except when the - .BR --check , - .BR --compare " or" - .B --update - command was requested, in which case the exit status is defined as: - .IP "1 * (new files detected?) +" - .IP "2 * (removed files detected?) 
+" - .IP "4 * (changed files detected?)" - .PP - Additionally, the following exit codes are defined for generic error - conditions: - .IP "14 Error writing error" - .IP "15 Invalid argument error" - .IP "16 Unimplemented function error" - .IP "17 Invalid configureline error" - .IP "18 IO error" - .IP "19 Version mismatch error" - .PP - .SH NOTES - Please note that due to mmap issues, aide cannot be terminated with - SIGTERM. Use SIGKILL to terminate. - -+.IP "Checksum encoding" -+ - The checksums in the database and in the output are by default base64 - encoded (see also report_base16 option). - To decode them you can use the following shell command: - - echo | base64 \-d | hexdump \-v \-e '32/1 "%02x" "\\n"' - -+.IP "Control characters" -+ -+Control characters (00-31 and 127) are always escaped in log and plain report -+output. They are escaped by a literal backslash (\\) followed by exactly 3 -+digits representing the character in octal notation (e.g. a newline is output -+as "\\012"). A literal backslash is not escaped unless it is followed by 3 digits -+(0-9), in this case the literal backslash is escaped as "\\134". -+ - .PP - .SH FILES - .IP \fB@sysconfdir@/aide.conf\fR - Default aide configuration file. - .IP \fB@localstatedir@/lib/aide/aide.db\fR - Default aide database. - .IP \fB@localstatedir@/lib/aide/aide.db.new\fR - Default aide output database. - .SH SEE ALSO - .BR aide.conf (5) - .BR manual.html - .SH BUGS - There are probably bugs in this release. Please report them - at http://sourceforge.net/projects/aide . Bug fixes are more than welcome. - Unified diffs are preferred. - .SH DISCLAIMER - All trademarks are the property of their respective owners. - No animals were harmed while making this webpage or this piece of - software. Although some pizza delivery guy's feelings were hurt. 
- .BR -diff --git a/include/util.h b/include/util.h -index 79988536c974ca83b14696380f6006031e0fa5e4..68e6ee2a905856bc7b73f1a67633585e0c1d814d 100644 ---- a/include/util.h -+++ b/include/util.h -@@ -22,48 +22,51 @@ - #ifndef _UTIL_H_INCLUDED - #define _UTIL_H_INCLUDED - #include - #include - #include "db_config.h" - - #define HEXD2ASC(x) (((x) < 10) ? ((x) + '0') : ((x) - 10 + 'A')) - - #define ASC2HEXD(x) (((x) >= '0' && (x) <= '9') ? \ - ((x) - '0') : (toupper(x) - 'A' + 10)) - - #define ISXDIGIT(x) isxdigit ((unsigned char)(x)) - - #define CLEANDUP(x) (contains_unsafe (x) ? encode_string (x) : strdup (x)) - - #ifndef HAVE_STRICMP - # define stricmp(a,b) strcasecmp( (a), (b) ) - #endif - - int cmpurl(url_t*, url_t*); - - url_t* parse_url(char*); - - int contains_unsafe(const char*); - -+char *strnesc(const char *, size_t); -+char *stresc(const char *); -+ - void decode_string(char*); - - char* encode_string(const char*); - - char* perm_to_char(mode_t perm); - - void sig_handler(int signal); - - void init_sighandler(void); - - char *expand_tilde(char * path); - - #ifndef HAVE_STRNSTR - char* strnstr(char* haystack,char* needle,int n); - #endif - - #ifndef HAVE_STRNLEN - size_t strnlen(const char *s, size_t maxlen); - #endif - - int syslog_facility_lookup(char *); - - #endif -diff --git a/src/aide.c b/src/aide.c -index 8dd38b7c5a7130cc1136d0ee30f5addc9c2226e5..2b7eee14b6e1d4351ca5ddc9387344bd88a8951c 100644 ---- a/src/aide.c -+++ b/src/aide.c -@@ -164,54 +164,60 @@ static int read_param(int argc,char**argv) - error(0,_("-B must have a parameter\n")); - exit(INVALID_ARGUMENT_ERROR); - } - break; - } - case 'A': { - if (optarg!=NULL) { - int errorno=commandconf('A',optarg); - if (errorno!=0){ - error(0,_("Configuration error in after statement:%s\n"),optarg); - exit(INVALID_CONFIGURELINE_ERROR); - } - } else { - error(0,_("-A must have a parameter\n")); - exit(INVALID_ARGUMENT_ERROR); - } - break; - } - case 'l': { - if (optarg!=NULL) { - const char* pcre_error; - int 
pcre_erroffset; - conf->limit=malloc(strlen(optarg)+1); - strcpy(conf->limit,optarg); - if((conf->limit_crx=pcre_compile(conf->limit, PCRE_ANCHORED, &pcre_error, &pcre_erroffset, NULL)) == NULL) { -- error(0,_("Error in limit regexp '%s' at %i: %s\n"), conf->limit, pcre_erroffset, pcre_error); -+ char *limit_safe = stresc(conf->limit); -+ error(0,_("Error in limit regexp '%s' at %i: %s\n"), limit_safe, pcre_erroffset, pcre_error); -+ free(limit_safe); - exit(INVALID_ARGUMENT_ERROR); - } -- error(200,_("Limit set to '%s'\n"), conf->limit); -+ { -+ char *limit_safe = stresc(conf->limit); -+ error(200,_("Limit set to '%s'\n"), limit_safe); -+ free(limit_safe); -+ } - } else { - error(0,_("-l must have an argument\n")); - exit(INVALID_ARGUMENT_ERROR); - } - break; - } - case 'r': { - if(optarg!=NULL) { - do_repurldef(optarg); - }else { - error(0,_("-r must have an argument\n")); - } - break; - } - case 'i': { - if(conf->action==0){ - conf->action=DO_INIT; - }else { - error(0, - _("Cannot have multiple commands on a single commandline.\n")); - exit(INVALID_ARGUMENT_ERROR); - }; - break; - } - case 'C': { -@@ -566,53 +572,57 @@ int main(int argc,char**argv) - if(cmpurl(conf->db_in_url,conf->db_out_url)==RETOK){ - error(4,_("WARNING:Input and output database urls are the same.\n")); - if((conf->action&DO_INIT)&&(conf->action&DO_COMPARE)){ - error(0,_("Input and output database urls cannot be the same " - "when doing database update\n")); - exit(INVALID_ARGUMENT_ERROR); - } - if(conf->action&DO_DIFF){ - error(0,_("Both input databases cannot be the same " - "when doing database compare\n")); - exit(INVALID_ARGUMENT_ERROR); - } - }; - if((conf->action&DO_DIFF)&&(!(conf->db_new_url)||!(conf->db_in_url))){ - error(0,_("Must have both input databases defined for " - "database compare.\n")); - exit(INVALID_ARGUMENT_ERROR); - } - if (conf->action&(DO_INIT|DO_COMPARE) && conf->root_prefix_length > 0) { - DIR *dir; - if((dir = opendir(conf->root_prefix)) != NULL) { - 
closedir(dir); - } else { - char* er=strerror(errno); - if (er!=NULL) { -- error(0,"opendir() for root prefix %s failed: %s\n", conf->root_prefix,er); -+ char *rp_safe = stresc(conf->root_prefix); -+ error(0,"opendir() for root prefix %s failed: %s\n", rp_safe,er); -+ free(rp_safe); - } else { -- error(0,"opendir() for root prefix %s failed: %i\n", conf->root_prefix,errno); -+ char *rp_safe = stresc(conf->root_prefix); -+ error(0,"opendir() for root prefix %s failed: %i\n", rp_safe,errno); -+ free(rp_safe); - } - exit(INVALID_ARGUMENT_ERROR); - } - } - #ifdef WITH_MHASH - byte* dig=NULL; - char* digstr=NULL; - - if(conf->config_check&&FORCECONFIGMD){ - error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n"); - exit(INVALID_ARGUMENT_ERROR); - } - - if((conf->do_configmd||conf->config_check)&& conf->confmd!=0){ - /* The patch automatically adds a newline so will also have to add it. */ - if(newlinelastinconfig==0){ - mhash(conf->confmd,"\n",1); - }; - mhash(conf->confmd, NULL,0); - dig=(byte*)malloc(sizeof(byte)*mhash_get_block_size(conf->confhmactype)); - mhash_deinit(conf->confmd,(void*)dig); - digstr=encode_base64(dig,mhash_get_block_size(conf->confhmactype)); - - if(!conf->config_check||FORCECONFIGMD){ - if(strncmp(digstr,conf->old_confmdstr,strlen(digstr))!=0){ -diff --git a/src/compare_db.c b/src/compare_db.c -index c17828d3e8b732096e00253f21623339f2168ccf..41e216527a9b05b90f1b601a61279fd408e2df71 100644 ---- a/src/compare_db.c -+++ b/src/compare_db.c -@@ -504,175 +504,225 @@ static void print_line(seltree* node) { - c = '<'; - } - u = '='; - break; - } - if (summary_attributes[i]&node->changed_attrs&(forced_attrs|(~ignored_changed_attrs))) { - summary[i]=c; - } else if (summary_attributes[i]&((node->old_data)->attr&~((node->new_data)->attr)&(forced_attrs|~(ignored_removed_attrs)))) { - summary[i]=r; - } else if (summary_attributes[i]&~((node->old_data)->attr)&(node->new_data)->attr&(forced_attrs|~(ignored_added_attrs))) { - 
summary[i]=a; - } else if (summary_attributes[i]& ( - (((node->old_data)->attr&~((node->new_data)->attr)&ignored_removed_attrs))| - (~((node->old_data)->attr)&(node->new_data)->attr&ignored_added_attrs)| - (((node->old_data)->attr&(node->new_data)->attr)&ignored_changed_attrs) - ) ) { - summary[i]=g; - } else if (summary_attributes[i]&((node->old_data)->attr&(node->new_data)->attr)) { - summary[i]=u; - } else { - summary[i]=s; - } - } - } - summary[length]='\0'; -- error(2,"\n%s: %s", summary, (node->checked&NODE_REMOVED?node->old_data:node->new_data)->filename); -+ { -+ char *filename_safe = stresc((node->checked&NODE_REMOVED?node->old_data:node->new_data)->filename); -+ error(2,"\n%s: %s", summary, filename_safe); -+ free(filename_safe); -+ } - free(summary); summary=NULL; - } else { - if (node->checked&NODE_ADDED) { -- error(2,"added: %s\n",(node->new_data)->filename); -+ { -+ char *filename_safe = stresc((node->new_data)->filename); -+ error(2,"added: %s\n",filename_safe); -+ free(filename_safe); -+ } - } else if (node->checked&NODE_REMOVED) { -- error(2,"removed: %s\n",(node->old_data)->filename); -+ { -+ char *filename_safe = stresc((node->old_data)->filename); -+ error(2,"removed: %s\n",filename_safe); -+ free(filename_safe); -+ } - } else if (node->checked&NODE_CHANGED) { -- error(2,"changed: %s\n",(node->new_data)->filename); -+ { -+ char *filename_safe = stresc((node->new_data)->filename); -+ error(2,"changed: %s\n",filename_safe); -+ free(filename_safe); -+ } - } - } - } - - static void print_dbline_attributes(db_line* oline, db_line* nline, DB_ATTR_TYPE - changed_attrs, DB_ATTR_TYPE force_attrs) { - char **ovalue, **nvalue; - int onumber, nnumber, olen, nlen, i, j, k, c; - int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE); - int p = (width_details-(width_details%2?13:14))/2; - DB_ATTR_TYPE attrs; - error(2,"\n"); - char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm); - if (file_type) { - error(2,"%s: ", file_type); - } -- 
error(2,"%s\n", (nline==NULL?oline:nline)->filename); -+ { -+ char *filename_safe = stresc((nline==NULL?oline:nline)->filename); -+ error(2,"%s\n", filename_safe); -+ free(filename_safe); -+ } - attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs); - for (j=0; j < length; ++j) { - if (details_attributes[j]&attrs) { - onumber=get_attribute_values(details_attributes[j], oline, &ovalue); - nnumber=get_attribute_values(details_attributes[j], nline, &nvalue); - i = 0; - while (i= 0 || nlen-p*k >= 0) { - c = k*(p-1); - if (!onumber) { -- error(2," %s%-9s%c %-*c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, ' ', p-1, nlen-c>0?&nvalue[i][c]:""); -+ error(2," %s%-9s%c %-*c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, ' ', p-1, nlen-c>0?&nv[c]:""); - } else if (!nnumber) { -- error(2," %s%-9s%c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p-1, olen-c>0?&ovalue[i][c]:""); -+ error(2," %s%-9s%c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p-1, olen-c>0?&ov[c]:""); - } else { -- error(2," %s%-9s%c %-*.*s| %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, p-1, olen-c>0?&ovalue[i][c]:"", p-1, nlen-c>0?&nvalue[i][c]:""); -+ error(2," %s%-9s%c %-*.*s| %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' 
':':', p, p-1, olen-c>0?&ov[c]:"", p-1, nlen-c>0?&nv[c]:""); - } - k++; - } - ++i; -+ free(ov); -+ free(nv); - } - for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL; - for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL; - } - } - } - - - static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE - changed_attrs, DB_ATTR_TYPE force_attrs) { - char **ovalue, **nvalue; - int onumber, nnumber, i, j; - int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE); - DB_ATTR_TYPE attrs; - char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm); - if (file_type) { - error(0,"%s=", file_type); - } -- error(0,"%s", (nline==NULL?oline:nline)->filename); -+ { -+ char *filename_safe = stresc((nline==NULL?oline:nline)->filename); -+ error(0,"%s", filename_safe); -+ free(filename_safe); -+ } - attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs); - for (j=0; j < length; ++j) { - if (details_attributes[j]&attrs) { - onumber=get_attribute_values(details_attributes[j], oline, &ovalue); - nnumber=get_attribute_values(details_attributes[j], nline, &nvalue); - - if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) { - - error(0, ";%s_old=|", details_string[j]); - - for (i = 0 ; i < onumber ; i++) { -- error(0, "%s|", ovalue[i]); -+ { -+ char *val_safe = stresc(ovalue[i]); -+ error(0, "%s|", val_safe); -+ free(val_safe); -+ } - } - - error(0, ";%s_new=|", details_string[j]); - - for (i = 0 ; i < nnumber ; i++) { -- error(0, "%s|", nvalue[i]); -+ { -+ char *val_safe = stresc(nvalue[i]); -+ error(0, "%s|", val_safe); -+ free(val_safe); -+ } - } - - } else { - -- error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue); -+ { -+ char *ov_safe = stresc(*ovalue); -+ char *nv_safe = stresc(*nvalue); -+ error(0, ";%s_old=%s;%s_new=%s", details_string[j], ov_safe, details_string[j], nv_safe); -+ free(ov_safe); -+ 
free(nv_safe); -+ } - - } - - for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL; - for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL; - } - } - error(0, "\n"); - } - - static void print_attributes_added_node(db_line* line) { - print_dbline_attributes(NULL, line, 0, line->attr); - } - - static void print_attributes_removed_node(db_line* line) { - print_dbline_attributes(line, NULL, 0, line->attr); - } - - static void print_attributes_added_node_syslog(db_line* line) { - - char *file_type = get_file_type_string(line->perm); - if (file_type) { - error(0,"%s=", file_type); - } -- error(0,"%s; added\n", line->filename); -+ { -+ char *filename_safe = stresc(line->filename); -+ error(0,"%s; added\n", filename_safe); -+ free(filename_safe); -+ } - - } - - static void print_attributes_removed_node_syslog(db_line* line) { - - char *file_type = get_file_type_string(line->perm); - if (file_type) { - error(0,"%s=", file_type); - } -- error(0,"%s; removed\n", line->filename); -+ { -+ char *filename_safe = stresc(line->filename); -+ error(0,"%s; removed\n", filename_safe); -+ free(filename_safe); -+ } - - } - - static void terse_report(seltree* node) { - list* r=NULL; - if ((node->checked&(DB_OLD|DB_NEW)) != 0) { - ntotal += ((node->checked&DB_NEW) != 0); - if (!(node->checked&DB_OLD)){ - /* File is in new db but not old. (ADDED) */ - /* unless it was moved in */ - if (!((node->checked&NODE_ALLOW_NEW)||(node->checked&NODE_MOVED_IN))) { - nadd++; - node->checked|=NODE_ADDED; - } - } else if (!(node->checked&DB_NEW)){ - /* File is in old db but not new. (REMOVED) */ - /* unless it was moved out */ - if (!((node->checked&NODE_ALLOW_RM)||(node->checked&NODE_MOVED_OUT))) { - nrem++; - node->checked|=NODE_REMOVED; - } - } else if ((node->old_data!=NULL)&&(node->new_data!=NULL)){ - /* File is in both db's and the data is still there. 
(CHANGED) */ - if (!(node->checked&(NODE_MOVED_IN|NODE_MOVED_OUT))){ - nchg++; -@@ -739,51 +789,53 @@ static void print_syslog_format(seltree* node) { - } - - static void print_report_header() { - char *time; - int first = 1; - - time = malloc(time_string_len * sizeof (char)); - strftime(time, time_string_len, time_format, localtime(&(conf->start_time))); - error(2,_("Start timestamp: %s (AIDE " AIDEVERSION ")\n"), time); - free(time); time=NULL; - - error(0,_("AIDE")); - if(conf->action&(DO_COMPARE|DO_DIFF)) { - error(0,_(" found %sdifferences between %s%s!!\n"), (nadd||nrem||nchg)?"":"NO ", conf->action&DO_COMPARE?_("database and filesystem"):_("the two databases"), (nadd||nrem||nchg)?"":_(". Looks okay")); - if(conf->action&(DO_INIT)) { - error(0,_("New AIDE database written to %s\n"),conf->db_out_url->value); - } - } else { - error(0,_(" initialized database at %s\n"),conf->db_out_url->value); - } - - if(conf->config_version) - error(2,_("Config version used: %s\n"),conf->config_version); - - if (conf->limit != NULL) { -- error (2,_("Limit: %s"), conf->limit); -+ char *limit_safe = stresc(conf->limit); -+ error (2,_("Limit: %s"), limit_safe); -+ free(limit_safe); - first = 0; - } - if (conf->action&(DO_INIT|DO_COMPARE) && conf->root_prefix_length > 0) { - if (first) { first=0; } - else { error (2," | "); } - error (2,_("Root prefix: %s"),conf->root_prefix); - } - if (conf->verbose_level != 5) { - if (first) { first=0; } - else { error (2," | "); } - error (2,_("Verbose level: %d"), conf->verbose_level); - } - if (!first) { error (2,"\n"); } - if (ignored_added_attrs) { - error (2,_("Ignored added attributes: %s\n"),report_attrs(ignored_added_attrs)); - } - if (ignored_removed_attrs) { - error (2,_("Ignored removed attributes: %s\n"),report_attrs(ignored_removed_attrs)); - } - if (ignored_changed_attrs) { - error (2,_("Ignored changed attributes: %s\n"),report_attrs(ignored_changed_attrs)); - } - if (forced_attrs) { - error (2,_("Forced attributes: 
%s\n"),report_attrs(forced_attrs)); - } -diff --git a/src/db_disk.c b/src/db_disk.c -index 6161af38010633cbc2c4519a76e997c992439562..11f0d1c348a097a4175640e0f554979f7c74f7c1 100644 ---- a/src/db_disk.c -+++ b/src/db_disk.c -@@ -117,181 +117,197 @@ static char *name_construct (const char *s) - { - char *ret; - int len2 = strlen (r->path); - int len = len2 + strlen (s) + 2 + conf->root_prefix_length; - - if (r->path[len2 - 1] != '/') { - len++; - } - - ret = (char *) malloc (len); - ret[0] = (char) 0; - strcpy(ret, conf->root_prefix); - strcat (ret, r->path); - if (r->path[len2 - 1] != '/') { - strcat (ret, "/"); - } - strcat (ret, s); - return ret; - } - - void add_child (db_line * fil) - { - int i; - struct seltree *new_r; - -- error (255, "Adding child %s\n", fil->filename); -+ { -+ char *fname_safe = stresc(fil->filename); -+ error (255, "Adding child %s\n", fname_safe); -+ free(fname_safe); -+ } - - new_r = get_seltree_node (r, fil->filename); - if (new_r != NULL) { - if (S_ISDIR (fil->perm_o)) { - ; - } else { - new_r->checked |= NODE_CHECKED; - new_r->checked |= NODE_TRAVERSE; - } - return; - } - - new_r = malloc (sizeof (seltree)); - - new_r->attr = 0; - i = strlen (fil->filename); - - new_r->path = malloc (i + 1); - strncpy(new_r->path, fil->filename, i+1); - new_r->childs = NULL; - new_r->sel_rx_lst = NULL; - new_r->neg_rx_lst = NULL; - new_r->equ_rx_lst = NULL; - new_r->parent = r; - new_r->checked = 0; - new_r->new_data = NULL; - new_r->old_data = NULL; - if (S_ISDIR (fil->perm_o)) { - ; - } else { - new_r->checked |= NODE_CHECKED; - new_r->checked |= NODE_TRAVERSE; - } - r->childs = list_sorted_insert (r->childs, new_r, compare_node_by_path); - } - - static int get_file_status(char *filename, struct AIDE_STAT_TYPE *fs) { - int sres = 0; - sres = AIDE_LSTAT_FUNC(filename,fs); - if(sres == -1){ - char* er = strerror(errno); - if (er == NULL) { -- error(0,"get_file_status: lstat() failed for %s. 
strerror() failed for %i\n", filename, errno); -+ char *filename_safe = stresc(filename); -+ error(0,"get_file_status: lstat() failed for %s. strerror() failed for %i\n", filename_safe, errno); -+ free(filename_safe); - } else { -- error(0,"get_file_status: lstat() failed for %s: %s\n", filename, er); -+ char *filename_safe = stresc(filename); -+ error(0,"get_file_status: lstat() failed for %s: %s\n", filename_safe, er); -+ free(filename_safe); - } - } - return sres; - } - - /* - It might be a good idea to make this non recursive. - Now implemented with goto-statement. Yeah, it's ugly and easy. - */ - - db_line *db_readline_disk () - { - db_line *fil = NULL; - DB_ATTR_TYPE attr; - char *fullname; - int add = 0; - struct AIDE_STAT_TYPE fs; - - /* root needs special handling */ - if (!root_handled) { - root_handled = 1; - fullname=malloc((conf->root_prefix_length+2)*sizeof(char)); - strcpy(fullname, conf->root_prefix); - strcat (fullname, "/"); - if (!get_file_status(fullname, &fs)) { - add = check_rxtree (&fullname[conf->root_prefix_length], conf->tree, &attr, fs.st_mode); - error (240, "%s match=%d, tree=%p, attr=%llu\n", &fullname[conf->root_prefix_length], add, - conf->tree, attr); - - if (add > 0) { - fil = get_file_attrs (fullname, attr, &fs); - - error (240, "%s attr=%llu\n", &fullname[conf->root_prefix_length], attr); - - if (fil != NULL) { -- error (240, "%s attr=%llu\n", fil->filename, fil->attr); -+ { -+ char *fname_safe = stresc(fil->filename); -+ error (240, "%s attr=%llu\n", fname_safe, fil->attr); -+ free(fname_safe); -+ } - return fil; - } - } - } - free (fullname); - } - recursion: - next_in_dir (); - - if (in_this ()) { - - /* - Let's check if we have '.' or '..' entry. - If have, just skipit. - If don't do the 'normal' thing. - */ - if (strcmp (entp->d_name, ".") == 0 || strcmp (entp->d_name, "..") == 0) { - goto recursion; // return db_readline_disk(db); - } - - /* - Now we know that we actually can do something. 
- */ - - fullname = name_construct (entp->d_name); - - /* - Now we have a filename, which we must remember to free if it is - not used. - - Next thing is to see if we want to do something with it. - If not call, db_readline_disk again... - */ - - if (get_file_status(fullname, &fs)) { - free (fullname); - goto recursion; - } - add = check_rxtree (&fullname[conf->root_prefix_length], conf->tree, &attr, fs.st_mode); - error (240, "%s match=%d, tree=%p, attr=%llu\n", &fullname[conf->root_prefix_length], add, - conf->tree, attr); - - if (add > 0) { - fil = get_file_attrs (fullname, attr, &fs); - - error (240, "%s attr=%llu\n", &fullname[conf->root_prefix_length], attr); - - if (fil != NULL) { -- error (240, "%s attr=%llu\n", fil->filename, fil->attr); -+ { -+ char *fname_safe = stresc(fil->filename); -+ error (240, "%s attr=%llu\n", fname_safe, fil->attr); -+ free(fname_safe); -+ } - } else { - /* - Something went wrong during read process -> - Let's try next one. - */ - free (fullname); - goto recursion; // return db_readline_disk(db); - } - - if (add == 1) { - /* - add_children -> if dir, then add to children list. - */ - /* If ee are adding a file that is not a dir */ - /* add_child can make the determination and mark the tree - accordingly - */ - add_child (fil); - } else if (add == 2) { - /* - Don't add to children list. - */ - - /* - Should we do something? 
-diff --git a/src/db_sql.c b/src/db_sql.c -index 154579070ccacb6e9b6b8393b989eb50c843e71d..09a32504c317607150174d2bec0fcddf47992995 100644 ---- a/src/db_sql.c -+++ b/src/db_sql.c -@@ -16,50 +16,51 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - - #include "aide.h" - /*for locale support*/ - #include "locale-aide.h" - /*for locale support*/ - - #ifdef WITH_PSQL - - #include - #include - #include - #include - #include - #include "base64.h" - #include "db.h" - - #include "db_sql.h" - #include "db_config.h" - #include "libpq-fe.h" - #include "report.h" -+#include "util.h" - - #ifdef WITH_MHASH - #include - #endif - - char* db_get_sql(db_line*,db_config*); - - int _db_check_result(PGconn *conn, PGresult *res, char *query) - { - int status = 0; - int ret = RETOK; - - - if (!res || ( (PQresultStatus(res) != PGRES_COMMAND_OK) && - (PQresultStatus(res) != PGRES_TUPLES_OK) )){ - ret = RETFAIL; - if (res!=NULL) { - error(0,"Sql error %s while doing %s\n", PQerrorMessage(conn), query); - } else { - error(0,"Sql error while doing %s.\n",query); - } - } else { - error(255,"Sql went ok.\n"); - status = 1; - } -@@ -281,51 +282,55 @@ db_line* db_readline_sql(int db, db_config* conf) { - db_readline_sql_byte((void*)&(rline->haval),db,db_haval, conf); - db_readline_sql_byte((void*)&(rline->gost),db,db_gost, conf); - #endif - db_readline_sql_char((void*)&(rline->fullpath),db,db_filename, conf); - rline->filename=rline->fullpath; - db_readline_sql_char((void*)&(rline->linkname),db,db_linkname, conf); - - db_readline_sql_int((void*)&(rline->perm),db,db_perm, conf); - db_readline_sql_int((void*)&(rline->uid),db,db_uid, conf); - db_readline_sql_int((void*)&(rline->gid),db,db_gid, conf); - db_readline_sql_int((void*)&(rline->inode),db,db_inode, conf); - db_readline_sql_int((void*)&(rline->nlink),db,db_lnkcount, 
conf); - - db_readline_sql_int((void*)&(rline->size),db,*db_osize, conf); - db_readline_sql_int((void*)&(rline->bcount),db,db_bcount, conf); - db_readline_sql_int((void*)&(rline->attr),db,db_attr, conf); - - db_readline_sql_time((void*)&(rline->atime),db,db_atime, conf); - db_readline_sql_time((void*)&(rline->ctime),db,db_ctime, conf); - db_readline_sql_time((void*)&(rline->mtime),db,db_mtime, conf); - #ifdef WITH_ACL - rline->acl=NULL; - #endif - ((psql_data*)(*db_filep))->curread++; - -- error(255,"filename %s\n",rline->filename); -+ { -+ char *filename_safe = stresc(rline->filename); -+ error(255,"filename %s\n",filename_safe); -+ free(filename_safe); -+ } - - return rline; - } - - - void sql_writeint(int data,char *s,int i){ - char t[10]; - t[0]=0; - if (i!=0) { - s = strcat(s,","); - } - sprintf(t,"%i",data); - - strcat(s,t); - - } - - void sql_writeoct(int data,char *s,int i){ - char t[10]; - t[0]=0; - if (i!=0) { - s = strcat(s,","); - } - sprintf(t,"%lo",data); - -diff --git a/src/do_md.c b/src/do_md.c -index 77d2e15f5f9cdba5168a92feaf2f97128e705f36..4a648b6f5ff14edd553a3f8d94b1171708ccadaf 100644 ---- a/src/do_md.c -+++ b/src/do_md.c -@@ -16,50 +16,51 @@ - * General Public License for more details. 
- * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - - #include "aide.h" - - #ifndef _POSIX_C_SOURCE - #define _POSIX_C_SOURCE 200112L - #endif - - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - - #include "md.h" -+#include "util.h" - - #include "db_config.h" - #include "do_md.h" - #include "report.h" - #include "list.h" - /*for locale support*/ - #include "locale-aide.h" - /*for locale support*/ - - - /* This define should be somewhere else */ - #define READ_BLOCK_SIZE 16777216 - - #ifdef WITH_MHASH - #include - #endif /* WITH_MHASH */ - - /* Redhat 5.0 needs this */ - #ifdef HAVE_MMAP - #ifndef MAP_FAILED - #define MAP_FAILED (-1) - #endif /* MAP_FAILED */ - #define MMAP_BLOCK_SIZE 16777216 - #endif /* HAVE_MMAP */ - -@@ -206,55 +207,59 @@ void calc_md(struct AIDE_STAT_TYPE* old_fs,db_line* line) { - from we are about to calculate the hash is the correct one, - and we don't read from a pipe :) - */ - struct AIDE_STAT_TYPE fs; - int stat_diff,filedes; - #ifdef WITH_PRELINK - pid_t pid; - #endif - - error(255,"calc_md called\n"); - #ifdef _PARAMETER_CHECK_ - if (line==NULL) { - abort(); - } - #endif - - #ifdef HAVE_O_NOATIME - filedes=open(line->fullpath,O_RDONLY|O_NOATIME); - if(filedes<0) - #endif - filedes=open(line->fullpath,O_RDONLY); - - if (filedes==-1) { - char* er=strerror(errno); - if (er!=NULL) { -+ char *fp_safe = stresc(line->fullpath); - error(3,"do_md(): open() for %s failed: %s\n", -- line->fullpath,er); -+ fp_safe,er); -+ free(fp_safe); - } else { -+ char *fp_safe = stresc(line->fullpath); - error(3,"do_md(): open() for %s failed: %i\n", -- line->fullpath,errno); -+ fp_safe,errno); -+ free(fp_safe); - } - /* - Nop. Cannot cal hashes. Mark it. 
- */ - no_hash(line); - return; - } - - AIDE_FSTAT_FUNC(filedes,&fs); - if(!(line->attr&DB_RDEV)) - fs.st_rdev=0; - - #ifdef HAVE_POSIX_FADVISE - if (posix_fadvise(filedes,0,fs.st_size,POSIX_FADV_NOREUSE)!=0) { - error(255,"posix_fadvise error %s\n",strerror(errno)); - } else { - error(255,"posix_fadvise(%i,0,%li,POSIX_FADV_NOREUSE) ok\n",filedes,fs.st_size); - } - #endif - if ((stat_diff=stat_cmp(&fs,old_fs))==RETOK) { - /* - Now we have a 'valid' filehandle to read from a file. - */ - - #ifdef WITH_PRELINK -@@ -288,51 +293,55 @@ void calc_md(struct AIDE_STAT_TYPE* old_fs,db_line* line) { - off_t curpos=0; - - r_size=fs.st_size; - /* in mmap branch r_size is used as size remaining */ - while(r_size>0){ - if(r_sizefullpath,strerror(errno)); -+ { -+ char *fp_safe = stresc(line->fullpath); -+ error(0,"error mmap'ing %s: %s\n", fp_safe,strerror(errno)); -+ free(fp_safe); -+ } - close(filedes); - close_md(&mdc); - return; - } - conf->catch_mmap=1; - if (update_md(&mdc,buf,size)!=RETOK) { - error(0,"Message digest failed during update\n"); - close(filedes); - close_md(&mdc); - munmap(buf,size); - return; - } - munmap(buf,size); - conf->catch_mmap=0; - } - /* we have used MMAP, let's return */ - close_md(&mdc); - md2line(&mdc,line); - close(filedes); - return; - #ifdef WITH_PRELINK - } - #endif - #endif /* not HAVE_MMAP */ - // buf=malloc(READ_BLOCK_SIZE); -@@ -491,53 +500,61 @@ void acl2line(db_line* line) { - ret->acl_d = NULL; - else - { - tmp = acl_to_text(acl_d, NULL); - if (!tmp || !*tmp) - ret->acl_d = NULL; - else - ret->acl_d = strdup(tmp); - acl_free(tmp); - } - - acl_free(acl_a); - acl_free(acl_d); - } - line->acl = ret; - #endif - #ifdef WITH_SUN_ACL - if(DB_ACL&line->attr) { /* There might be a bug here. */ - int res; - line->acl=malloc(sizeof(acl_type)); - line->acl->entries=acl(line->fullpath,GETACLCNT,0,NULL); - if (line->acl->entries==-1) { - char* er=strerror(errno); - line->acl->entries=0; - if (er==NULL) { -- error(0,"ACL query failed for %s. 
strerror failed for %i\n",line->fullpath,errno); -+ { -+ char *fp_safe = stresc(line->fullpath); -+ error(0,"ACL query failed for %s. strerror failed for %i\n",fp_safe,errno); -+ free(fp_safe); -+ } - } else { -- error(0,"ACL query failed for %s:%s\n",line->fullpath,er); -+ { -+ char *fp_safe = stresc(line->fullpath); -+ error(0,"ACL query failed for %s:%s\n",fp_safe,er); -+ free(fp_safe); -+ } - } - } else { - line->acl->acl=malloc(sizeof(aclent_t)*line->acl->entries); - res=acl(line->fullpath,GETACL,line->acl->entries,line->acl->acl); - if (res==-1) { - error(0,"ACL error %s\n",strerror(errno)); - } else { - if (res!=line->acl->entries) { - error(0,"Tried to read %i acl but got %i\n",line->acl->entries,res); - } - } - } - }else{ - line->acl=NULL; - } - #endif - } - #endif - - #ifdef WITH_XATTR - static xattrs_type *xattr_new(void) { - xattrs_type *ret = NULL; - - ret = malloc(sizeof(xattrs_type)); - ret->num = 0; -@@ -571,100 +588,112 @@ static void xattr_add(xattrs_type *xattrs, const char *key, const char - - xattrs->num += 1; - } - - void xattrs2line(db_line *line) { - /* get all generic user xattrs. */ - xattrs_type *xattrs = NULL; - static ssize_t xsz = 1024; - static char *xatrs = NULL; - ssize_t xret = -1; - - if (!(DB_XATTRS&line->attr)) - return; - - /* assume memory allocs work, like rest of AIDE code... 
*/ - if (!xatrs) xatrs = malloc(xsz); - - while (((xret = llistxattr(line->fullpath, xatrs, xsz)) == -1) && (errno == ERANGE)) { - xsz <<= 1; - xatrs = realloc(xatrs, xsz); - } - - if ((xret == -1) && ((errno == ENOSYS) || (errno == ENOTSUP))) { - line->attr&=(~DB_XATTRS); - } else if (xret == -1) { -- error(0, "listxattrs failed for %s:%s\n", line->fullpath, strerror(errno)); -+ { -+ char *fp_safe = stresc(line->fullpath); -+ error(0, "listxattrs failed for %s:%s\n", fp_safe, strerror(errno)); -+ free(fp_safe); -+ } - } else if (xret) { - const char *attr = xatrs; - static ssize_t asz = 1024; - static char *val = NULL; - - if (!val) val = malloc(asz); - - xattrs = xattr_new(); - - while (xret > 0) { - size_t len = strlen(attr); - ssize_t aret = 0; - - if (strncmp(attr, "user.", strlen("user.")) && - strncmp(attr, "root.", strlen("root."))) - goto next_attr; /* only store normal xattrs, and SELinux */ - - while (((aret = getxattr(line->fullpath, attr, val, asz)) == - -1) && (errno == ERANGE)) { - asz <<= 1; - val = realloc (val, asz); - } - - if (aret != -1) - xattr_add(xattrs, attr, val, aret); - else if (errno != ENOATTR) -- error(0, "getxattr failed for %s:%s\n", line->fullpath, strerror(errno)); -+ { -+ char *fp_safe = stresc(line->fullpath); -+ error(0, "getxattr failed for %s:%s\n", fp_safe, strerror(errno)); -+ free(fp_safe); -+ } - - next_attr: - attr += len + 1; - xret -= len + 1; - } - } - - line->xattrs = xattrs; - } - #endif - - #ifdef WITH_SELINUX - void selinux2line(db_line *line) { - char *cntx = NULL; - - if (!(DB_SELINUX&line->attr)) - return; - - if (lgetfilecon_raw(line->fullpath, &cntx) == -1) { - line->attr&=(~DB_SELINUX); - if ((errno != ENOATTR) && (errno != EOPNOTSUPP)) -- error(0, "lgetfilecon_raw failed for %s:%s\n", line->fullpath, strerror(errno)); -+ { -+ char *fp_safe = stresc(line->fullpath); -+ error(0, "lgetfilecon_raw failed for %s:%s\n", fp_safe, strerror(errno)); -+ free(fp_safe); -+ } - return; - } - - line->cntx = strdup(cntx); 
- - freecon(cntx); - } - #endif - - #ifdef WITH_E2FSATTRS - void e2fsattrs2line(db_line* line) { - unsigned long flags; - if (DB_E2FSATTRS&line->attr) { - if (fgetflags(line->fullpath, &flags) == 0) { - line->e2fsattrs=flags; - } else { - line->attr&=(~DB_E2FSATTRS); - line->e2fsattrs=0; - } - } else { - line->e2fsattrs=0; - } - } - #endif - -diff --git a/src/gen_list.c b/src/gen_list.c -index ab257811485831b1db1b027a94b5c0447a92f923..5b4a93eef28e1930a52e8156df661ca999035f54 100644 ---- a/src/gen_list.c -+++ b/src/gen_list.c -@@ -16,50 +16,51 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - - #include "aide.h" - - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - - #include "report.h" - #include "list.h" - #include "gen_list.h" - #include "seltree.h" - #include "db.h" -+#include "util.h" - #include "db_config.h" - #include "commandconf.h" - #include "report.h" - /*for locale support*/ - #include "locale-aide.h" - /*for locale support*/ - - #define CLOCK_SKEW 5 - - #ifdef WITH_MHASH - #include - #endif - #include "md.h" - #include "do_md.h" - - void hsymlnk(db_line* line); - void fs2db_line(struct AIDE_STAT_TYPE* fs,db_line* line); - void calc_md(struct AIDE_STAT_TYPE* old_fs,db_line* line); - void no_hash(db_line* line); - - static DB_ATTR_TYPE get_special_report_group(char* group) { - DB_ATTR_TYPE attr = get_groupval(group); - return attr==DB_ATTR_UNDEF?0:attr; - } - -@@ -971,103 +972,127 @@ static void add_file_to_tree(seltree* tree,db_line* file,int db, - } - } - - int check_rxtree(char* filename,seltree* tree,DB_ATTR_TYPE* attr, mode_t perm) - { - int retval=0; - char * tmp=NULL; - char * parentname=NULL; - seltree* pnode=NULL; - - parentname=strdup(filename); - tmp=strrchr(parentname,'/'); - if(tmp!=parentname){ - 
*tmp='\0'; - }else { - - if(parentname[1]!='\0'){ - /* we are in the root dir */ - parentname[1]='\0'; - } - } - - if(conf->limit!=NULL) { - retval=pcre_exec(conf->limit_crx, NULL, filename, strlen(filename), 0, PCRE_PARTIAL_SOFT, NULL, 0); - if (retval >= 0) { -- error(220, "check_rxtree: %s does match limit: %s\n", filename, conf->limit); -+ char *fname_safe = stresc(filename); -+ char *limit_safe = conf->limit?stresc(conf->limit):NULL; -+ error(220, "check_rxtree: %s does match limit: %s\n", fname_safe, limit_safe?limit_safe:""); -+ free(fname_safe); -+ free(limit_safe); - } else if (retval == PCRE_ERROR_PARTIAL) { -- error(220, "check_rxtree: %s does PARTIAL match limit: %s\n", filename, conf->limit); -+ char *fname_safe = stresc(filename); -+ char *limit_safe = conf->limit?stresc(conf->limit):NULL; -+ error(220, "check_rxtree: %s does PARTIAL match limit: %s\n", fname_safe, limit_safe?limit_safe:""); - if(S_ISDIR(perm) && get_seltree_node(tree,filename)==NULL){ -- error(220, "check_rxtree: creating new seltree node for '%s'\n", filename); -+ error(220, "check_rxtree: creating new seltree node for '%s'\n", fname_safe); - new_seltree_node(tree,filename,0,NULL); - } -+ free(fname_safe); -+ free(limit_safe); - return -1; - } else { -- error(220, "check_rxtree: %s does NOT match limit: %s\n", filename, conf->limit); -+ char *fname_safe = stresc(filename); -+ char *limit_safe = conf->limit?stresc(conf->limit):NULL; -+ error(220, "check_rxtree: %s does NOT match limit: %s\n", fname_safe, limit_safe?limit_safe:""); -+ free(fname_safe); -+ free(limit_safe); - return -2; - } - } - - pnode=get_seltree_node(tree,parentname); - - *attr=0; - retval=check_node_for_match(pnode,filename, perm, 0,attr); - - free(parentname); - - return retval; - } - - db_line* get_file_attrs(char* filename,DB_ATTR_TYPE attr, struct AIDE_STAT_TYPE *fs) - { - db_line* line=NULL; - time_t cur_time; - - if(!(attr&DB_RDEV)) - fs->st_rdev=0; - /* - Get current time for future time notification. 
- */ - cur_time=time(NULL); - - if (cur_time==(time_t)-1) { - char* er=strerror(errno); - if (er==NULL) { - error(0,_("Can not get current time. strerror failed for %i\n"),errno); - } else { - error(0,_("Can not get current time with reason %s\n"),er); - } - } else { - - if(fs->st_atime>cur_time){ -- error(CLOCK_SKEW,_("%s atime in future\n"),filename); -+ { -+ char *fname_safe = stresc(filename); -+ error(CLOCK_SKEW,_("%s atime in future\n"),fname_safe); -+ free(fname_safe); -+ } - } - if(fs->st_mtime>cur_time){ -- error(CLOCK_SKEW,_("%s mtime in future\n"),filename); -+ { -+ char *fname_safe = stresc(filename); -+ error(CLOCK_SKEW,_("%s mtime in future\n"),fname_safe); -+ free(fname_safe); -+ } - } - if(fs->st_ctime>cur_time){ -- error(CLOCK_SKEW,_("%s ctime in future\n"),filename); -+ { -+ char *fname_safe = stresc(filename); -+ error(CLOCK_SKEW,_("%s ctime in future\n"),fname_safe); -+ free(fname_safe); -+ } - } - } - - /* - Malloc if we have something to store.. - */ - - line=(db_line*)malloc(sizeof(db_line)); - - memset(line,0,sizeof(db_line)); - - /* - We want filename - */ - - line->attr=attr|DB_FILENAME; - - /* - Just copy some needed fields. 
- */ - - line->fullpath=filename; - line->filename=&filename[conf->root_prefix_length]; - line->perm_o=fs->st_mode; - line->size_o=fs->st_size; -@@ -1198,51 +1223,55 @@ void populate_tree(seltree* tree) - initdbwarningprinted=1; - } - } - } - } - if(conf->action&DO_INIT) { - write_tree(tree); - } - } - - void hsymlnk(db_line* line) { - - if((S_ISLNK(line->perm_o))){ - int len=0; - #ifdef WITH_ACL - if(conf->no_acl_on_symlinks!=1) { - line->attr&=(~DB_ACL); - } - #endif - - if(conf->warn_dead_symlinks==1) { - struct AIDE_STAT_TYPE fs; - int sres; - sres=AIDE_STAT_FUNC(line->fullpath,&fs); - if (sres!=0 && sres!=EACCES) { -- error(4,"Dead symlink detected at %s\n",line->fullpath); -+ { -+ char *fp_safe = stresc(line->fullpath); -+ error(4,"Dead symlink detected at %s\n",fp_safe); -+ free(fp_safe); -+ } - } - if(!(line->attr&DB_RDEV)) - fs.st_rdev=0; - } - /* - Is this valid?? - No, We should do this elsewhere. - */ - line->linkname=(char*)malloc(_POSIX_PATH_MAX+1); - if(line->linkname==NULL){ - error(0,_("malloc failed in hsymlnk()\n")); - abort(); - } - - /* - Remember to nullify the buffer, because man page says - - readlink places the contents of the symbolic link path in - the buffer buf, which has size bufsiz. readlink does not - append a NUL character to buf. It will truncate the con- - tents (to a length of bufsiz characters), in case the - buffer is too small to hold all of the contents. 
- - */ - memset(line->linkname,0,_POSIX_PATH_MAX+1); -diff --git a/src/util.c b/src/util.c -index 21c75a2f176270f47f480c8143984e8a00ce8780..7e3da74a6acbf6e656b833591972be06fb1ae0f1 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -82,101 +82,142 @@ url_t* parse_url(char* val) - - if(r[0]!='\0'){ - r[0]='\0'; - r++; - } - u->type=url_unknown; - for(i=0;itype=url_value[i]; - break; - } - } - - switch (u->type) { - case url_file : { - if(r[0]=='/'&&(r+1)[0]=='/'&&(r+2)[0]=='/'){ - u->value=strdup(r+2); - break; - } - if(r[0]=='/'&&(r+1)[0]=='/'&&(r+2)[0]!='/'){ - char*hostname=(char*)malloc(sizeof(char)*MAXHOSTNAMELEN); - char* t=r+2; - r+=2; - for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++); - if(r[0]=='\0'){ -- error(0,"Invalid file-URL,no path after hostname: file:%s\n",t); -+ char *t_safe = stresc(t); -+ error(0,"Invalid file-URL,no path after hostname: file:%s\n",t_safe); -+ free(t_safe); - free(u); - free(val_copy); - free(hostname); -- return NULL; -+ return NULL; - } - u->value=strdup(r); - r[0]='\0'; - if(gethostname(hostname,MAXHOSTNAMELEN)==-1){ - strncpy(hostname,"localhost",MAXHOSTNAMELEN); - } - - if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){ - free(hostname); - break; - } else { -- error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,u->value); -+ char *value_safe = stresc(u->value); -+ error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,value_safe); -+ free(value_safe); - free(u->value); - free(u); - free(val_copy); -- free(hostname); -- return NULL; -+ free(hostname); -+ return NULL; - } - - break; - } - u->value=strdup(r); - - break; - } - case url_https : - case url_http : - case url_ftp : { - u->value=strdup(val); - break; - } - case url_unknown : { - error(0,"Unknown URL-type:%s\n",val_copy); - break; - } - default : { - u->value=strdup(r); - break; - } - } - - free(val_copy); - - return u; - } - -+static size_t escape_str(const char *unescaped_str, char *str, 
size_t s) { -+ size_t n = 0; -+ size_t i = 0; -+ char c; -+ while (i < s && (c = unescaped_str[i])) { -+ if ((c >= 0 && (c < 0x1f || c == 0x7f)) || -+ (c == '\\' && isdigit(unescaped_str[i+1]) -+ && isdigit(unescaped_str[i+2]) -+ && isdigit(unescaped_str[i+3]))) { -+ if (str) { snprintf(&str[n], 5, "\\%03o", c); } -+ n += 4; -+ } else { -+ if (str) { str[n] = c; } -+ n++; -+ } -+ i++; -+ } -+ if (str) { str[n] = '\0'; } -+ n++; -+ return n; -+} -+ -+char *strnesc(const char *unescaped_str, size_t s) { -+ int n = escape_str(unescaped_str, NULL, s); -+ char *str = malloc(n); -+ if (str == NULL) { -+ error(0, "malloc: failed to allocate %d bytes of memory\n", n); -+ exit(1); -+ } -+ escape_str(unescaped_str, str, s); -+ return str; -+} -+ -+char *stresc(const char *unescaped_str) { -+ return strnesc(unescaped_str, strlen(unescaped_str)); -+} -+ - /* Returns 1 if the string contains unsafe characters, 0 otherwise. */ - int contains_unsafe (const char *s) - { - for (; *s; s++) - if (strchr (URL_UNSAFE,(int) *s)||!ISPRINT((int)*s)) - return 1; - return 0; - } - - /* Decodes the forms %xy in a URL to the character the hexadecimal - code of which is xy. xy are hexadecimal digits from - [0123456789ABCDEF] (case-insensitive). If x or y are not - hex-digits or `%' precedes `\0', the sequence is inserted - literally. */ - - void decode_string (char* s) - { - char *p = s; - - for (; *s; s++, p++) - { - if (*s != '%') - *p = *s; - else - { - diff --git a/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch b/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch deleted file mode 100644 index 0c4fc17..0000000 --- a/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch +++ /dev/null 
@@ -1,58 +0,0 @@
-From c7caa6027c92b28aa11b8da74d56357e12f56d67 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?=
-Date: Wed, 20 Feb 2019 12:00:56 +0100
-Subject: [PATCH] Use LDADD for adding curl library to the linker command
-
----
- Makefile.am | 2 +-
- configure.ac | 5 +++--
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 4b05d7a..1541d56 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -55,7 +55,7 @@ if USE_CURL
- aide_SOURCES += include/fopen.h src/fopen.c
- endif
-
--aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@
-+aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ @CURLLIB@
- AM_CFLAGS = @AIDE_DEFS@ -W -Wall -g
- AM_CPPFLAGS = -I$(top_srcdir) \
- -I$(top_srcdir)/include \
-diff --git a/configure.ac b/configure.ac
-index 3598ebe..0418c59 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -702,24 +702,25 @@ if test x$with_zlib = xyes; then
- compoptionstring="${compoptionstring}WITH_ZLIB\\n"
- fi
-
-+CURLLIB=
- if test x$with_curl = xyes; then
- AC_PATH_PROG(curlconfig, "curl-config")
- if test "_$curlconfig" != _ ; then
- CURL_CFLAGS=`$curlconfig --cflags`
-- CURL_LIBS=`$curlconfig --libs`
-+ CURLLIB=`$curlconfig --libs`
- else
- AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])
- fi
- AC_CHECK_HEADERS(curl/curl.h,,
- [AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])])
- CFLAGS="$CFLAGS $CURL_CFLAGS"
-- LDFLAGS="$LDFLAGS $CURL_LIBS"
- AC_CHECK_LIB(curl,curl_easy_init,havecurl=yes,
- [AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])]
- )
- AC_DEFINE(WITH_CURL,1,[use curl])
- compoptionstring="${compoptionstring}WITH_CURL\\n"
- fi
-+AC_SUBST(CURLLIB)
- AM_CONDITIONAL(USE_CURL, test x$havecurl = xyes)
-
- AC_ARG_WITH(mhash,
---
-2.20.1
-
diff --git a/aide-0.16-crash-elf.patch b/aide-0.16-crash-elf.patch
deleted file mode 100644
index 5aa3472..0000000
--- a/aide-0.16-crash-elf.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- ./src/do_md.c 2018-03-19 05:10:19.994957024 -0400
-+++ ./src/do_md.c 2018-03-19 05:19:05.829957024 -0400
-@@ -135,8 +135,13 @@
- continue;
-
- while (!bingo && (data = elf_getdata (scn, data)) != NULL) {
-- int maxndx = data->d_size / shdr.sh_entsize;
-+ int maxndx;
- int ndx;
-+
-+ if (shdr.sh_entsize != 0)
-+ maxndx = data->d_size / shdr.sh_entsize;
-+ else
-+ continue;
-
- for (ndx = 0; ndx < maxndx; ++ndx) {
- (void) gelf_getdyn (data, ndx, &dyn);
diff --git a/aide-0.16-crypto-disable-haval-and-others.patch b/aide-0.16-crypto-disable-haval-and-others.patch
deleted file mode 100644
index a066fd9..0000000
--- a/aide-0.16-crypto-disable-haval-and-others.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-diff -up ./include/md.h.crypto ./include/md.h
---- ./include/md.h.crypto 2016-07-25 22:56:55.000000000 +0200
-+++ ./include/md.h 2018-08-29 15:00:30.827491299 +0200
-@@ -149,6 +149,7 @@ int init_md(struct md_container*);
- int update_md(struct md_container*,void*,ssize_t);
- int close_md(struct md_container*);
- void md2line(struct md_container*,struct db_line*);
-+DB_ATTR_TYPE get_available_crypto();
-
-
- #endif /*_MD_H_INCLUDED*/
-diff -up ./src/aide.c.crypto ./src/aide.c
---- ./src/aide.c.crypto 2018-08-29 15:00:30.825491309 +0200
-+++ ./src/aide.c 2018-08-29 15:00:30.827491299 +0200
-@@ -349,7 +349,7 @@ static void setdefaults_before_config()
-
- conf->db_attrs = 0;
- #if defined(WITH_MHASH) || defined(WITH_GCRYPT)
-- conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512;
-+ conf->db_attrs |= get_available_crypto();
- #ifdef WITH_MHASH
- conf->db_attrs |= DB_GOST;
- #ifdef HAVE_MHASH_WHIRLPOOL
-diff -up ./src/md.c.crypto ./src/md.c
---- ./src/md.c.crypto 2018-08-29 15:00:30.823491319 +0200
-+++ ./src/md.c 2018-08-29 15:02:28.013903479 +0200
-@@ -78,6 +78,49 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
- return r;
- }
-
-+const char * hash_gcrypt2str(int i) {
-+ char * r = "?";
-+#ifdef WITH_GCRYPT
-+ switch (i) {
-+ case GCRY_MD_MD5: {
-+ r = "MD5";
-+ break;
-+ }
-+ case GCRY_MD_SHA1: {
-+ r = "SHA1";
-+ break;
-+ }
-+ case GCRY_MD_RMD160: {
-+ r = "RMD160";
-+ break;
-+ }
-+ case GCRY_MD_TIGER: {
-+ r = "TIGER";
-+ break;
-+ }
-+ case GCRY_MD_HAVAL: {
-+ r = "HAVAL";
-+ break;
-+ }
-+ case GCRY_MD_SHA256: {
-+ r = "SHA256";
-+ break;
-+ }
-+ case GCRY_MD_SHA512: {
-+ r = "SHA512";
-+ break;
-+ }
-+ case GCRY_MD_CRC32: {
-+ r = "CRC32";
-+ break;
-+ }
-+ default:
-+ break;
-+ }
-+#endif
-+ return r;
-+}
-+
- DB_ATTR_TYPE hash_mhash2attr(int i) {
- DB_ATTR_TYPE r=0;
- #ifdef WITH_MHASH
-@@ -163,6 +206,44 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
- Initialise md_container according it's todo_attr field
- */
-
-+DB_ATTR_TYPE get_available_crypto() {
-+
-+ DB_ATTR_TYPE ret = 0;
-+
-+/*
-+ * This function is usually called before config processing
-+ * and default verbose level is 5
-+ */
-+#define lvl 255
-+
-+ error(lvl, "get_available_crypto called\n");
-+
-+#ifdef WITH_GCRYPT
-+
-+ /*
-+ * some initialization for FIPS
-+ */
-+ gcry_check_version(NULL);
-+ error(lvl, "Found algos:");
-+
-+ for(int i=0;i<=HASH_GCRYPT_COUNT;i++) {
-+
-+ if ( (hash_gcrypt2attr(i) & HASH_USE_GCRYPT) == 0 )
-+ continue;
-+
-+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) == 0) {
-+ ret |= hash_gcrypt2attr(i);
-+ error(lvl, " %s", hash_gcrypt2str(i));
-+ }
-+ }
-+ error(lvl, "\n");
-+
-+#endif
-+
-+ error(lvl, "get_available_crypto_returned with %lld\n", ret);
-+ return ret;
-+}
-+
- int init_md(struct md_container* md) {
-
- int i;
-@@ -201,18 +282,27 @@ int init_md(struct md_container* md) {
- }
- #endif
- #ifdef WITH_GCRYPT
-- if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
-+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
- error(0,"gcrypt_md_open failed\n");
- exit(IO_ERROR);
- }
- for(i=0;i<=HASH_GCRYPT_COUNT;i++) {
-+
-+
- if (((hash_gcrypt2attr(i)&HASH_USE_GCRYPT)&md->todo_attr)!=0) {
-- DB_ATTR_TYPE h=hash_gcrypt2attr(i);
-- error(255,"inserting %llu\n",h);
-+
-+ DB_ATTR_TYPE h=hash_gcrypt2attr(i);
-+
-+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) != 0) {
-+ error(0,"Algo %s is not available\n", hash_gcrypt2str(i));
-+ exit(-1);
-+ }
-+
-+ error(255,"inserting %llu\n",h);
- if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){
- md->calc_attr|=h;
- } else {
-- error(0,"gcry_md_enable %i failed",i);
-+ error(0,"gcry_md_enable %i failed\n",i);
- md->todo_attr&=~h;
- }
- }
diff --git a/aide-0.16b1-fipsfix.patch b/aide-0.16b1-fipsfix.patch
deleted file mode 100644
index 434d74e..0000000
--- a/aide-0.16b1-fipsfix.patch
+++ /dev/null
@@ -1,103 +0,0 @@ -diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c ---- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200 -+++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200 -@@ -511,9 +511,28 @@ int main(int argc,char**argv) - #endif - umask(0177); - init_sighandler(); -- - setdefaults_before_config(); - -+#if WITH_GCRYPT -+ error(255,"Gcrypt library initialization\n"); -+ /* -+ * Initialize libgcrypt as per -+ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html -+ * -+ * -+ */ -+ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0); -+ gcry_control(GCRYCTL_INIT_SECMEM, 1); -+ -+ if(!gcry_check_version(GCRYPT_VERSION)) { -+ error(0,"libgcrypt version mismatch\n"); -+ exit(VERSION_MISMATCH_ERROR); -+ } -+ -+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); -+#endif /* WITH_GCRYPT */ -+ -+ - if(read_param(argc,argv)==RETFAIL){ - error(0, _("Invalid argument\n") ); - exit(INVALID_ARGUMENT_ERROR); -@@ -646,6 +665,9 @@ int main(int argc,char**argv) - } - #endif - } -+#ifdef WITH_GCRYPT -+ gcry_control(GCRYCTL_TERM_SECMEM, 0); -+#endif /* WITH_GCRYPT */ - return RETOK; - } - const char* aide_key_3=CONFHMACKEY_03; -diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c ---- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200 -+++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200 -@@ -201,14 +201,7 @@ int init_md(struct md_container* md) { - } - #endif - #ifdef WITH_GCRYPT -- error(255,"Gcrypt library initialization\n"); -- if(!gcry_check_version(GCRYPT_VERSION)) { -- error(0,"libgcrypt version mismatch\n"); -- exit(VERSION_MISMATCH_ERROR); -- } -- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); -- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); -- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){ -+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ - error(0,"gcrypt_md_open failed\n"); - exit(IO_ERROR); - } -@@ -299,7 +292,7 @@ int close_md(struct md_container* md) { - - /*. There might be more hashes in the library. 
Add those here.. */ - -- gcry_md_reset(md->mdh); -+ gcry_md_close(md->mdh); - #endif - - #ifdef WITH_MHASH -diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c ---- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200 -+++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200 -@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s) - return(AIDE_SYSLOG_FACILITY); - } - --/* We need these dummy stubs to fool the linker into believing that -- we do not need them at link time */ -- --void* dlopen(char*filename,int flag) --{ -- return NULL; --} -- --void* dlsym(void*handle,char*symbol) --{ -- return NULL; --} -- --void* dlclose(void*handle) --{ -- return NULL; --} -- --const char* dlerror(void) --{ -- return NULL; --} -- - const char* aide_key_2=CONFHMACKEY_02; - const char* db_key_2=DBHMACKEY_02; diff --git a/aide-0.16rc1-man.patch b/aide-0.16rc1-man.patch deleted file mode 100644 index 4715552..0000000 --- a/aide-0.16rc1-man.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up ./doc/aide.1.in.orig ./doc/aide.1.in ---- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200 -+++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200 -@@ -103,9 +103,9 @@ echo | base64 \-d | h - .SH FILES - .IP \fB@sysconfdir@/aide.conf\fR - Default aide configuration file. --.IP \fB@sysconfdir@/aide.db\fR -+.IP \fB@localstatedir@/lib/aide/aide.db\fR - Default aide database. --.IP \fB@sysconfdir@/aide.db.new\fR -+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR - Default aide output database. - .SH SEE ALSO - .BR aide.conf (5) diff --git a/aide-configure.patch b/aide-configure.patch deleted file mode 100644 index e9030eb..0000000 --- a/aide-configure.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff --color -ru a/configure.ac b/configure.ac ---- a/configure.ac 2021-05-20 09:31:11.686987129 +0200 -+++ b/configure.ac 2021-05-20 09:39:43.369967457 +0200 -@@ -784,11 +784,11 @@ - [if test "x$withval" = "xmd5" ;then - CONFIGHMACTYPE="MHASH_MD5" - else if test "x$withval" = "xsha1" ;then -- CONFIGHMACTYPE="MHASH_SHA1" -+ CONFIGHMACTYPE="MHASH_SHA1" - else if test "x$withval" = "xsha256" ;then -- CONFIGHMACTYPE="MHASH_SHA256" -+ CONFIGHMACTYPE="MHASH_SHA256" - else if test "x$withval" = "xsha512" ;then -- CONFIGHMACTYPE="MHASH_SHA512" -+ CONFIGHMACTYPE="MHASH_SHA512" - else - echo "Valid parameters for --with-confighmactype are md5, sha1, sha256 and sha512" - exit 1 -@@ -799,7 +799,6 @@ - AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,$CONFIGHMACTYPE,[hash type for config file check])], - [ - AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,MHASH_MD5,[hash type for config file check])] --, - ) - - AC_ARG_WITH([confighmackey], -@@ -846,18 +845,18 @@ - - AC_ARG_WITH([dbhmactype], - AC_HELP_STRING([--with-dbhmactype=TYPE], -- [Hash type to use for checking db. Valid values are md5 and sha1.]), -+ [Hash type to use for checking db. Valid values are md5, sha1, sha256 and sha512.]), - [if test "x$withval" = "xmd5" ;then - DBHMACTYPE="MHASH_MD5" - else if test "x$withval" = "xsha1" ;then -- DBHMACTYPE="MHASH_SHA1" -+ DBHMACTYPE="MHASH_SHA1" - else if test "x$withval" = "xsha256" ;then -- CONFIGHMACTYPE="MHASH_SHA256" -+ DBHMACTYPE="MHASH_SHA256" - else if test "x$withval" = "xsha512" ;then -- CONFIGHMACTYPE="MHASH_SHA512" -+ DBHMACTYPE="MHASH_SHA512" - else -- echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512" -- exit 1 -+ echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512" -+ exit 1 - fi - fi - fi diff --git a/aide-db-problem.patch b/aide-db-problem.patch deleted file mode 100644 index 1994284..0000000 --- a/aide-db-problem.patch +++ /dev/null 
@@ -1,11 +0,0 @@
-diff -up aide-0.16/src/commandconf.c.rhcase03736158 aide-0.16/src/commandconf.c
---- aide-0.16/src/commandconf.c.rhcase03736158 2024-03-01 11:06:35.305712992 +0100
-+++ aide-0.16/src/commandconf.c 2024-03-01 11:08:07.726499878 +0100
-@@ -306,6 +306,7 @@ int db_input_wrapper(char* buf, int max_
- retval=0;
- buf[0]='\0';
- }else {
-+ buf[0]='\0';
- if((retval=gzread(*db_gzp,buf,max_size))<0){
- error(0,_("gzread() failed: gzerr=%s!\n"),gzerror(*db_gzp,&err));
- retval=0;
diff --git a/aide-static-analysis.patch b/aide-static-analysis.patch
deleted file mode 100644
index 78b79ce..0000000
--- a/aide-static-analysis.patch
+++ /dev/null
@@ -1,171 +0,0 @@ -Only in b: config.log -diff --color -ru a/contrib/sshaide.sh b/contrib/sshaide.sh ---- a/contrib/sshaide.sh 2016-07-25 22:56:55.000000000 +0200 -+++ b/contrib/sshaide.sh 2021-05-20 11:11:24.112542472 +0200 -@@ -260,7 +260,7 @@ - _randword=`grep -n . ${_wordlist} | grep "^${_linenum}:" | cut -d: -f2` - - # If $_randword has anything other than lower-case chars, try again -- (echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1 >> /dev/null \ -+ ({ echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1; } >> /dev/null \ - && gen_rand_word ) || \ - - # Return the word -diff --color -ru a/src/commandconf.c b/src/commandconf.c ---- a/src/commandconf.c 2021-05-20 10:37:53.842382143 +0200 -+++ b/src/commandconf.c 2021-05-25 14:16:43.278526146 +0200 -@@ -313,7 +313,7 @@ - } else { - /* gzread returns 0 even if uncompressed bytes were read*/ - error(240,"nread=%d,strlen(buf)=%lu,errno=%s,gzerr=%s\n", -- retval,(unsigned long)strnlen((char*)buf, max_size), -+ retval,(unsigned long)strnlen((char*)buf, retval), - strerror(errno),gzerror(*db_gzp,&err)); - if(retval==0){ - retval=strnlen((char*)buf, max_size); -@@ -836,6 +836,11 @@ - } - break; - } -+ default: { -+ error(0,"Unsupported dbtype.\n"); -+ free(u); -+ break; -+ } - } - } - free(val); -@@ -900,7 +905,7 @@ - } else { - error_init(u,0); - } -- -+ free(u->value); - free(u); - } - -diff --color -ru a/src/db_disk.c b/src/db_disk.c ---- a/src/db_disk.c 2021-05-20 10:37:53.842382143 +0200 -+++ b/src/db_disk.c 2021-05-20 12:37:00.081493364 +0200 -@@ -125,10 +125,10 @@ - - ret = (char *) malloc (len); - ret[0] = (char) 0; -- strncpy(ret, conf->root_prefix, conf->root_prefix_length+1); -- strncat (ret, r->path, len2); -+ strcpy(ret, conf->root_prefix); -+ strcat (ret, r->path); - if (r->path[len2 - 1] != '/') { -- strncat (ret, "/", 1); -+ strcat (ret, "/"); - } - strcat (ret, s); - return ret; -@@ -207,8 +207,8 @@ - if (!root_handled) { - root_handled = 1; - fullname=malloc((conf->root_prefix_length+2)*sizeof(char)); -- 
strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1); -- strncat (fullname, "/", 1); -+ strcpy(fullname, conf->root_prefix); -+ strcat (fullname, "/"); - if (!get_file_status(&fullname[conf->root_prefix_length], &fs)) { - add = check_rxtree (&fullname[conf->root_prefix_length], conf->tree, &attr, fs.st_mode); - error (240, "%s match=%d, tree=%p, attr=%llu\n", &fullname[conf->root_prefix_length], add, -@@ -346,8 +346,8 @@ - error (255, "r->childs %p, r->parent %p,r->checked %i\n", - r->childs, r->parent, r->checked); - fullname=malloc((conf->root_prefix_length+strlen(r->path)+1)*sizeof(char)); -- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1); -- strncat(fullname, r->path, strlen(r->path)); -+ strcpy(fullname, conf->root_prefix); -+ strcat(fullname, r->path); - dirh=open_dir(fullname); - if (! dirh) { - -@@ -441,8 +441,8 @@ - - - char* fullname=malloc((conf->root_prefix_length+2)*sizeof(char)); -- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1); -- strncat (fullname, "/", 1); -+ strcpy(fullname, conf->root_prefix); -+ strcat (fullname, "/"); - dirh=open_dir(fullname); - free(fullname); - -diff --color -ru a/src/error.c b/src/error.c ---- a/src/error.c 2021-05-20 10:37:53.836382037 +0200 -+++ b/src/error.c 2021-05-21 11:49:09.781313097 +0200 -@@ -125,7 +125,7 @@ - fh=be_init(0,url,0); - if(fh!=NULL) { - conf->report_fd=list_append(conf->report_fd,(void*)fh); -- conf->report_url=list_append(conf->report_url,(void*)url); -+ conf->report_url=list_append(conf->report_url,(void*)strdup(url)); - return RETOK; - } - -diff --color -ru a/src/util.c b/src/util.c ---- a/src/util.c 2021-05-20 10:37:53.843382160 +0200 -+++ b/src/util.c 2021-05-25 11:04:39.507278771 +0200 -@@ -105,13 +105,15 @@ - for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++); - if(r[0]=='\0'){ - error(0,"Invalid file-URL,no path after hostname: file:%s\n",t); -+ free(u); -+ free(val_copy); - free(hostname); - return NULL; - } - u->value=strdup(r); - r[0]='\0'; - 
if(gethostname(hostname,MAXHOSTNAMELEN)==-1){ -- strncpy(hostname,"localhost", 10); -+ strncpy(hostname,"localhost",MAXHOSTNAMELEN); - } - - if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){ -@@ -119,6 +121,9 @@ - break; - } else { - error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,u->value); -+ free(u->value); -+ free(u); -+ free(val_copy); - free(hostname); - return NULL; - } -@@ -229,6 +234,10 @@ - int i=0; - - pc=(char*)malloc(sizeof(char)*11); -+ if (!pc) { -+ error(0, "Memory allocation failed.\n"); -+ return NULL; -+ } - for(i=0;i<10;i++){ - pc[i]='-'; - } -@@ -369,14 +378,17 @@ - - if (path != NULL) { - if (path[0] == '~') { -- if((homedir=getenv("HOME")) != NULL) { -+ if ((homedir=getenv("HOME")) != NULL) { - path_len = strlen(path+sizeof(char)); - homedir_len = strlen(homedir); - full_len = homedir_len+path_len; - full = malloc(sizeof(char) * (full_len+1)); -- strncpy(full, homedir, homedir_len); -- strncpy(full+homedir_len, path+sizeof(char), path_len); -- full[full_len] = '\0'; -+ if (!full) { -+ error(0, "Memory allocation failed.\n"); -+ return path; -+ } -+ strcpy(full, homedir); -+ strcat(full, path+sizeof(char)); - free(path); - /* Don't free(homedir); because it is not safe on some platforms */ - path = full; diff --git a/aide-tmpfiles.conf b/aide-tmpfiles.conf new file mode 100644 index 0000000..ec8f4b4 --- /dev/null +++ b/aide-tmpfiles.conf @@ -0,0 +1,2 @@ +d /var/log/aide 0700 root root - +d /var/lib/aide 0700 root root - diff --git a/aide.spec b/aide.spec index 532444d..30d6ead 100644 --- a/aide.spec +++ b/aide.spec 
@@ -1,21 +1,26 @@ Summary: Intrusion detection environment Name: aide -Version: 0.16 -Release: 105%{?dist} -URL: http://sourceforge.net/projects/aide +Version: 0.19.2 +Release: 1%{?dist} +URL: https://github.com/aide/aide License: GPLv2+ -Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz -Source1: aide.conf -Source2: README.quickstart -Source3: aide.logrotate +Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc +# gpg2 --recv-keys 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 +# gpg2 --export --export-options export-minimal 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 >gpgkey-aide.gpg +Source2: gpgkey-aide.gpg +Source3: aide.conf +Source4: README.quickstart +Source5: aide.logrotate +Source6: aide-tmpfiles.conf BuildRequires: gcc BuildRequires: make BuildRequires: bison flex BuildRequires: pcre-devel -BuildRequires: libgpg-error-devel libgcrypt-devel +BuildRequires: libgpg-error-devel nettle-devel BuildRequires: zlib-devel BuildRequires: libcurl-devel BuildRequires: libacl-devel 
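Review bot: `+BuildRequires: libgpg-error-devel nettle-devel` still pulls libgpg-error-devel into the buildroot although the `%build` hunk below switches to `--without-gcrypt --with-nettle`, and libgcrypt was the only visible consumer of libgpg-error in this spec; unless 0.19.2 links it directly, trim the line to `BuildRequires: nettle-devel` so the package stops carrying a crypto stack the binary no longer uses. The signature wiring (Source1 as the `.asc`, Source2 as the keyring, `%{gpgverify}` in %prep) is the right pattern; the two gpg2 lines say how the keyring was produced but not whose key it is, so a comment such as `# Upstream release-signing key (fingerprint below); re-export when upstream rotates it` would let the next maintainer judge whether a verification failure means a rotated key or a tampered tarball.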
@@ -23,40 +28,27 @@ BuildRequires: pkgconfig(libselinux) BuildRequires: libattr-devel BuildRequires: e2fsprogs-devel BuildRequires: audit-libs-devel -BuildRequires: autoconf automake libtool - -# Customize the database file location in the man page. -Patch1: aide-0.16rc1-man.patch -# fix aide in FIPS mode -Patch2: aide-0.16b1-fipsfix.patch -# Bug 1674637 - aide: FTBFS in Fedora rawhide/f30 -Patch3: aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch - -Patch4: aide-0.15-syslog-format.patch -Patch5: aide-0.16-crypto-disable-haval-and-others.patch -Patch6: coverity.patch -Patch7: aide-0.16-crash-elf.patch -Patch8: aide-configure.patch -Patch9: aide-static-analysis.patch -Patch10: aide-0.16-CVE-2021-45417.patch -Patch11: aide-db-problem.patch -Patch12: rootPrefix.patch -Patch13: aide-0.16-CVE-2025-54389.patch +BuildRequires: autoconf automake libtool autoconf-archive +BuildRequires: systemd-rpm-macros +# For verifying signatures +BuildRequires: gnupg2 %description AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -cp -a %{S:2} . +cp -a %{SOURCE4} . %build autoreconf -ivf %configure \ --disable-static \ --with-config_file=%{_sysconfdir}/aide.conf \ - --with-gcrypt \ + --without-gcrypt \ + --with-nettle \ --with-zlib \ --with-curl \ --with-posix-acl \ 
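Review bot: The hunk removes `Patch10: aide-0.16-CVE-2021-45417.patch` and `Patch13: aide-0.16-CVE-2025-54389.patch` along with the other backports, but the `%changelog` entry in the later hunk only says `rebase to 0.19.2`; add a line such as `- drop CVE-2021-45417 and CVE-2025-54389 backports, fixed in upstream 0.19.2` so the security tracker can map both CVEs to this build instead of to patch files that no longer exist (the diff itself does not show that 0.19.2 contains those fixes, so confirm that before writing the line). Switching to `--without-gcrypt` / `--with-nettle` also discards the FIPS handling that the deleted aide-0.16b1-fipsfix.patch and crypto patch implemented through libgcrypt (`GCRYCTL_SET_ENFORCED_FIPS_FLAG` at startup and the `GCRYCTL_TEST_ALGO` probe that dropped digests unavailable in FIPS mode); nettle does not expose an equivalent mode as far as I know, so on FIPS-enforced hosts legacy digests such as MD5 will presumably now be computed silently. Check how the shipped aide.conf (Source3) selects hash attributes and record this behaviour change in the changelog.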
@@ -70,14 +62,16 @@ autoreconf -ivf %install %make_install bindir=%{_sbindir} -install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1} -install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide +install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3} +install -Dpm0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/aide mkdir -p %{buildroot}%{_localstatedir}/log/aide mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide +# Install tmpfiles config +install -Dpm0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/aide.conf %files %license COPYING -%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/ +%doc AUTHORS ChangeLog NEWS README %doc README.quickstart %{_sbindir}/aide %{_mandir}/man1/*.1* @@ -86,8 +80,19 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide %config(noreplace) %{_sysconfdir}/logrotate.d/aide %dir %attr(0700,root,root) %{_localstatedir}/lib/aide %dir %attr(0700,root,root) %{_localstatedir}/log/aide +%{_tmpfilesdir}/aide.conf %changelog +* Tue Sep 16 2025 Attila Lakatos - 0.19.2-1 +RHEL 9.8.0 ERRATUM +- rebase to 0.19.2 +Resolves: RHEL-110573 +- Switch to libnettle for hashing +- prevent aide from crashing if database is a HTTPS URL +Resolves: RHEL-76014 +- prevent aide from exiting if a file is truncated during check +Resolves: RHEL-1569 + * Wed Aug 20 2025 Attila Lakatos - 0.16-105 RHEL 9.7 ERRATUM - CVE-2025-54389 aide: improper output neutralization enables bypassing diff --git a/coverity.patch b/coverity.patch deleted file mode 100644 index 9b981be..0000000 --- a/coverity.patch +++ /dev/null 
@@ -1,642 +0,0 @@ -diff -up ./include/be.h.coverity ./include/be.h ---- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200 -@@ -22,6 +22,6 @@ - #define _BE_H_INCLUDED - #include "db_config.h" - --FILE* be_init(int inout,url_t* u,int iszipped); -+void* be_init(int inout,url_t* u,int iszipped); - - #endif /* _BE_H_INCLUDED */ -diff -up ./include/db_config.h.coverity ./include/db_config.h ---- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200 -+++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200 -@@ -376,7 +376,7 @@ typedef struct db_config { - #endif - - url_t* initial_report_url; -- FILE* initial_report_fd; -+ void* initial_report_fd; - - /* report_url is a list of url_t*s */ - list* report_url; -diff -up ./src/aide.c.coverity ./src/aide.c ---- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200 -+++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200 -@@ -278,7 +278,7 @@ static void setdefaults_before_config() - error(0,_("Couldn't get hostname")); - free(s); - } else { -- s=(char*)realloc((void*)s,strlen(s)+1); -+ // s=(char*)realloc((void*)s,strlen(s)+1); - do_define("HOSTNAME",s); - } - -@@ -506,8 +506,6 @@ static void setdefaults_after_config() - int main(int argc,char**argv) - { - int errorno=0; -- byte* dig=NULL; -- char* digstr=NULL; - - #ifdef USE_LOCALE - setlocale(LC_ALL,""); -@@ -544,6 +542,10 @@ int main(int argc,char**argv) - } - - errorno=commandconf('C',conf->config_file); -+ if (errorno==RETFAIL){ -+ error(0,_("Configuration error\n")); -+ exit(INVALID_CONFIGURELINE_ERROR); -+ } - - errorno=commandconf('D',""); - if (errorno==RETFAIL){ -@@ -594,6 +596,9 @@ int main(int argc,char**argv) - } - } - #ifdef WITH_MHASH -+ byte* dig=NULL; -+ char* digstr=NULL; -+ - if(conf->config_check&&FORCECONFIGMD){ - error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n"); - exit(INVALID_ARGUMENT_ERROR); -diff -up ./src/base64.c.coverity 
./src/base64.c ---- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200 -@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi - case FAIL: - error(3, "decode_base64: Illegal character: %c\n", *inb); - error(230, "decode_base64: Illegal line:\n%s\n", src); -+ free(outbuf); - return NULL; - break; - case SKIP: -@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss - int l; - int left; - size_t pos; -- unsigned long triple; -+ //unsigned long triple; - - error(235, "decode base64\n"); - /* Exit on empty input */ -@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss - inb = src; - - l = 0; -- triple = 0; -+ //triple = 0; - pos=0; - left = ssize; - /* -@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss - case SKIP: - break; - default: -- triple = triple<<6 | (0x3f & i); -+ //triple = triple<<6 | (0x3f & i); - l++; - break; - } -@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss - switch(l) - { - case 2: -- triple = triple>>4; -+ //triple = triple>>4; - break; - case 3: -- triple = triple>>2; -+ //triple = triple>>2; - break; - default: - break; -@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss - { - pos++; - } -- triple = 0; -+ //triple = 0; - l = 0; - } - inb++; -diff -up ./src/be.c.coverity ./src/be.c ---- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200 -@@ -117,9 +117,9 @@ static char* get_first_value(char** in){ - - #endif - --FILE* be_init(int inout,url_t* u,int iszipped) -+void* be_init(int inout,url_t* u,int iszipped) - { -- FILE* fh=NULL; -+ void* fh=NULL; - long a=0; - char* err=NULL; - int fd; -diff -up ./src/commandconf.c.coverity ./src/commandconf.c ---- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200 -@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch - rv=0; - } else { - -- 
rv=access(config,R_OK); -+ if (config != NULL) rv=access(config,R_OK); - if(rv==-1){ - error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno)); - } -@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch - int conf_input_wrapper(char* buf, int max_size, FILE* in) - { - int retval=0; -- int c=0; -- char* tmp=NULL; -- void* key=NULL; -- int keylen=0; - - /* FIXME Add support for gzipped config. :) */ - #ifdef WITH_MHASH - /* Read a character at a time until we are doing md */ -+ int c=0; - if(conf->do_configmd){ - retval=fread(buf,1,max_size,in); - }else { -@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma - #endif - - #ifdef WITH_MHASH -+ char* tmp=NULL; -+ void* key=NULL; -+ int keylen=0; - if(conf->do_configmd||conf->config_check){ - if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){ - if(conf->do_configmd==1){ -@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_ - #endif - break; - } -+ default: { -+ return 0; -+ } - } - - #ifdef WITH_CURL -@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else - case 0 : { - conferror("@@endif or @@else expected"); - return -1; -- count=0; - } - - default : { -@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val) - if(u==NULL||u->type==url_unknown||u->type==url_stdout - ||u->type==url_stderr) { - error(0,_("Unsupported input URL-type:%s\n"),val); -+ free(u); - } - else { - *conf_db_url=u; -@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val) - case DB_WRITE: { - if(u==NULL||u->type==url_unknown||u->type==url_stdin){ - error(0,_("Unsupported output URL-type:%s\n"),val); -+ free(u); - } - else{ - conf->db_out_url=u; -@@ -848,6 +852,7 @@ void do_dbindef(char* val) - if(u==NULL||u->type==url_unknown||u->type==url_stdout - ||u->type==url_stderr) { - error(0,_("Unsupported input URL-type:%s\n"),val); -+ free(u); - } - else { - conf->db_in_url=u; -@@ -869,6 +874,7 @@ void do_dboutdef(char* val) - * both input and output urls */ - 
if(u==NULL||u->type==url_unknown||u->type==url_stdin){ - error(0,_("Unsupported output URL-type:%s\n"),val); -+ free(u); - } - else{ - conf->db_out_url=u; -@@ -894,7 +900,8 @@ void do_repurldef(char* val) - } else { - error_init(u,0); - } -- -+ -+ free(u); - } - - void do_verbdef(char* val) -@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va - break; - } - } -- *val++; -+ val++; - } - } - #endif -diff -up ./src/compare_db.c.coverity ./src/compare_db.c ---- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200 -+++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200 -@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char - if (conf->syslog_format) { - *values = malloc(2 * sizeof(char*)); - -- char *A, *D = ""; -+ char *A= "", *D = ""; - - if (acl->acl_a) { A = acl->acl_a; } - if (acl->acl_d) { D = acl->acl_d; } -diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l ---- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200 -+++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200 -@@ -133,7 +133,7 @@ int var_in_conflval=0; - [\ \t]*\n { - conf_lineno++; - return (TNEWLINE); -- BEGIN 0; -+// BEGIN 0; - } - - \+ { -diff -up ./src/db.c.coverity ./src/db.c ---- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200 -@@ -27,6 +27,7 @@ - #include "db_file.h" - #include "db_disk.h" - #include "md.h" -+#include "fopen.h" - - #ifdef WITH_PSQL - #include "db_sql.h" -@@ -269,6 +270,9 @@ db_line* db_readline(int db){ - db_order=&(conf->db_new_order); - break; - } -+ default: { -+ return NULL; -+ } - } - - switch (db_url->type) { -@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){ - - int i; - db_line* line=(db_line*)malloc(sizeof(db_line)*1); -- int* db_osize=0; -+ int* db_osize=NULL; - DB_FIELD** db_order=NULL; - - switch (db) { -@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){ - db_order=&(conf->db_new_order); - break; - } -+ default: { -+ free(line); -+ return NULL; 
-+ } - } - - -@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){ - size_t vsz = 0; - - tval = strtok(NULL, ","); -- line->xattrs->ents[num].key = db_readchar(strdup(tval)); -+ char * tmp = strdup(tval); -+ line->xattrs->ents[num].key = db_readchar(tmp); -+ free(tmp); - tval = strtok(NULL, ","); - val = base64tobyte(tval, strlen(tval), &vsz); - line->xattrs->ents[num].val = val; -@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){ - - default : { - error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]); -+ free_db_line(line); -+ free(line); - return NULL; - } - -@@ -826,7 +838,7 @@ void db_close() { - case url_ftp: - { - if (conf->db_out!=NULL) { -- url_fclose(conf->db_out); -+ url_fclose((URL_FILE*)conf->db_out); - } - break; - } -diff -up ./src/db_disk.c.coverity ./src/db_disk.c ---- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200 -@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) { - - static void next_in_dir (void) - { -+ - #ifdef HAVE_READDIR_R -- if (dirh != NULL) -+ if (dirh != NULL) { -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" - rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp); -+#pragma GCC diagnostic pop -+ } -+ - #else - #ifdef HAVE_READDIR - if (dirh != NULL) { -diff -up ./src/db_file.c.coverity ./src/db_file.c ---- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200 -@@ -171,7 +171,7 @@ int dofprintf( const char* s,...) - int db_file_read_spec(int db){ - - int i=0; -- int* db_osize=0; -+ int* db_osize=NULL; - DB_FIELD** db_order=NULL; - - switch (db) { -@@ -187,6 +187,9 @@ int db_file_read_spec(int db){ - db_lineno=&db_new_lineno; - break; - } -+ default: { -+ return RETFAIL; -+ } - } - - *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD)); -@@ -198,13 +201,10 @@ int db_file_read_spec(int db){ - int l; - - -- /* Yes... 
we do not check if realloc returns nonnull */ -- -- *db_order=(DB_FIELD*) -- realloc((void*)*db_order, -+ void * tmp = realloc((void*)*db_order, - ((*db_osize)+1)*sizeof(DB_FIELD)); -- -- if(*db_order==NULL){ -+ if (tmp != NULL) *db_order=(DB_FIELD*) tmp; -+ else { - return RETFAIL; - } - -@@ -291,8 +291,8 @@ char** db_readline_file(int db){ - int* domd=NULL; - #ifdef WITH_MHASH - MHASH* md=NULL; --#endif - char** oldmdstr=NULL; -+#endif - int* db_osize=0; - DB_FIELD** db_order=NULL; - FILE** db_filep=NULL; -@@ -302,9 +302,9 @@ char** db_readline_file(int db){ - case DB_OLD: { - #ifdef WITH_MHASH - md=&(conf->dboldmd); -+ oldmdstr=&(conf->old_dboldmdstr); - #endif - domd=&(conf->do_dboldmd); -- oldmdstr=&(conf->old_dboldmdstr); - - db_osize=&(conf->db_in_size); - db_order=&(conf->db_in_order); -@@ -316,9 +316,9 @@ char** db_readline_file(int db){ - case DB_NEW: { - #ifdef WITH_MHASH - md=&(conf->dbnewmd); -+ oldmdstr=&(conf->old_dbnewmdstr); - #endif - domd=&(conf->do_dbnewmd); -- oldmdstr=&(conf->old_dbnewmdstr); - - db_osize=&(conf->db_new_size); - db_order=&(conf->db_new_order); -@@ -328,7 +328,9 @@ char** db_readline_file(int db){ - break; - } - } -- -+ -+ if (db_osize == NULL) return NULL; -+ - if (*db_osize==0) { - db_buff(db,*db_filep); - -@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf) - int i=0; - int j=0; - int retval=1; -- void*key=NULL; -- int keylen=0; - struct tm* st; - time_t tim=time(&tim); - st=localtime(&tim); -@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf) - - #ifdef WITH_MHASH - /* From hereon everything must MD'd before write to db */ -+ void*key=NULL; -+ int keylen=0; - if((key=get_db_key())!=NULL){ - keylen=get_db_key_len(); - dbconf->do_dbnewmd=1; -diff -up ./src/do_md.c.coverity ./src/do_md.c ---- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200 -@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - and we don't read from a pipe :) - */ - 
struct AIDE_STAT_TYPE fs; -- int sres=0; - int stat_diff,filedes; - #ifdef WITH_PRELINK - pid_t pid; -@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - return; - } - -- sres=AIDE_FSTAT_FUNC(filedes,&fs); -+ AIDE_FSTAT_FUNC(filedes,&fs); - if(!(line->attr&DB_RDEV)) - fs.st_rdev=0; - -@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - } - #endif - #endif /* not HAVE_MMAP */ -- buf=malloc(READ_BLOCK_SIZE); -+// buf=malloc(READ_BLOCK_SIZE); - #if READ_BLOCK_SIZE>SSIZE_MAX - #error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE - #endif -diff -up ./src/gen_list.c.coverity ./src/gen_list.c ---- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200 -@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr - DB_ATTR_TYPE localignorelist=0; - DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs; - -+ if(file==NULL){ -+ error(0, "add_file_to_tree was called with NULL db_line\n"); -+ } -+ - node=get_seltree_node(tree,file->filename); - - if(!node){ - node=new_seltree_node(tree,file->filename,0,NULL); - } -- -- if(file==NULL){ -- error(0, "add_file_to_tree was called with NULL db_line\n"); -- } - - /* add note to this node which db has modified it */ - node->checked|=db; -diff -up ./src/md.c.coverity ./src/md.c ---- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200 -+++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200 -@@ -36,8 +36,8 @@ - */ - - DB_ATTR_TYPE hash_gcrypt2attr(int i) { -- DB_ATTR_TYPE r=0; - #ifdef WITH_GCRYPT -+ DB_ATTR_TYPE r=0; - switch (i) { - case GCRY_MD_MD5: { - r=DB_MD5; -@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) { - default: - break; - } --#endif - return r; -+#else /* !WITH_GCRYPT */ -+ return 0; -+#endif - } - - const char * hash_gcrypt2str(int i) { -- char * r = "?"; - #ifdef WITH_GCRYPT -+ char * r = "?"; - switch (i) { - case GCRY_MD_MD5: { - r = "MD5"; -@@ -117,13 
+119,17 @@ const char * hash_gcrypt2str(int i) { - default: - break; - } --#endif - return r; -+#else /* !WITH_GCRYPT */ -+ return "?"; -+#endif - } - -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wunused-parameter" - DB_ATTR_TYPE hash_mhash2attr(int i) { -- DB_ATTR_TYPE r=0; - #ifdef WITH_MHASH -+ DB_ATTR_TYPE r=0; - switch (i) { - case MHASH_CRC32: { - r=DB_CRC32; -@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) { - default: - break; - } --#endif -+ - return r; -+#else /*!WITH_MHASH */ -+ return 0; -+#endif - } - -+#pragma GCC diagnostic pop -+ - /* - Initialise md_container according it's todo_attr field - */ -@@ -317,7 +328,6 @@ int init_md(struct md_container* md) { - */ - - int update_md(struct md_container* md,void* data,ssize_t size) { -- int i; - - error(255,"update_md called\n"); - -@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo - #endif - - #ifdef WITH_MHASH -+ int i; - - for(i=0;i<=HASH_MHASH_COUNT;i++) { - if (md->mhash_mdh[i]!=MHASH_FAILED) { -@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo - */ - - int close_md(struct md_container* md) { -- int i; - #ifdef _PARAMETER_CHECK_ - if (md==NULL) { - return RETFAIL; -@@ -356,6 +366,7 @@ int close_md(struct md_container* md) { - #endif - error(255,"close_md called \n"); - #ifdef WITH_MHASH -+ int i; - for(i=0;i<=HASH_MHASH_COUNT;i++) { - if (md->mhash_mdh[i]!=MHASH_FAILED) { - mhash (md->mhash_mdh[i], NULL, 0); -diff -up ./src/util.c.coverity ./src/util.c ---- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200 -+++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200 -@@ -105,13 +105,15 @@ url_t* parse_url(char* val) - for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++); - if(r[0]=='\0'){ - error(0,"Invalid file-URL,no path after hostname: file:%s\n",t); -+ free(hostname); - return NULL; - } - u->value=strdup(r); - r[0]='\0'; - if(gethostname(hostname,MAXHOSTNAMELEN)==-1){ -- strncpy(hostname,"localhost", 10); -+ strncpy(hostname,"localhost", 10); - } -+ - if( 
(strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){ - free(hostname); - break; -@@ -120,7 +122,7 @@ url_t* parse_url(char* val) - free(hostname); - return NULL; - } -- free(hostname); -+ - break; - } - u->value=strdup(r); diff --git a/coverity2.patch b/coverity2.patch deleted file mode 100644 index 5052ba3..0000000 --- a/coverity2.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --up ./src/compare_db.c ./src/compare_db.c ---- ./src/compare_db.c -+++ ./src/compare_db.c -@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s); - } else { - *values = malloc(1 * sizeof (char*)); - if (DB_FTYPE&attr) { -- easy_string(get_file_type_string(line->perm)) -+ char *file_type = get_file_type_string(line->perm); -+ if (!file_type) { -+ error(2,"%s: ", file_type); -+ } -+ easy_string(file_type) - } else if (DB_LINKNAME&attr) { - easy_string(line->linkname) - easy_number((DB_SIZE|DB_SIZEG),size,"%li") -diff -up ./src/db_file.c ./src/db_file.c ---- ./src/db_file.c -+++ ./src/db_file.c -@@ -194,6 +194,10 @@ int db_file_read_spec(int db){ - - *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD)); - -+ if (*db_order == NULL){ -+ error(1,"malloc for *db_order failed in %s", __func__); -+ } -+ - while ((i=db_scan())!=TNEWLINE){ - switch (i) { - - diff --git a/gpgkey-aide.gpg b/gpgkey-aide.gpg new file mode 100644 index 0000000..350078c Binary files /dev/null and b/gpgkey-aide.gpg differ diff --git a/rootPrefix.patch b/rootPrefix.patch deleted file mode 100644 index 30a6e9d..0000000 --- a/rootPrefix.patch +++ /dev/null 
@@ -1,21 +0,0 @@
-diff -Naur aide-0.16.orig/src/db_disk.c aide-0.16/src/db_disk.c
---- aide-0.16.orig/src/db_disk.c 2024-03-11 16:45:06.594013966 -0400
-+++ aide-0.16/src/db_disk.c 2024-03-11 16:45:06.584013966 -0400
-@@ -209,7 +209,7 @@
- fullname=malloc((conf->root_prefix_length+2)*sizeof(char));
- strcpy(fullname, conf->root_prefix);
- strcat (fullname, "/");
-- if (!get_file_status(&fullname[conf->root_prefix_length], &fs)) {
-+ if (!get_file_status(fullname, &fs)) {
- add = check_rxtree (&fullname[conf->root_prefix_length], conf->tree, &attr, fs.st_mode);
- error (240, "%s match=%d, tree=%p, attr=%llu\n", &fullname[conf->root_prefix_length], add,
- conf->tree, attr);
-@@ -255,7 +255,7 @@
- If not call, db_readline_disk again...
- */
- 
-- if (get_file_status(&fullname[conf->root_prefix_length], &fs)) {
-+ if (get_file_status(fullname, &fs)) {
- free (fullname);
- goto recursion;
- }
diff --git a/sources b/sources
index abe8169..0b47fd8 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-SHA512 (aide-0.16.tar.gz) = 29ad97756e3e2fb21dc332ed03b494a1c73e621266f8622ec80bdba23092a38ee975b97f3cff2330e4c16e64e2f672259eea9291ca706a4009e7399b4e14e6a7
+SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
+SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a