Backport fix for CVE-2021-45417
Resolves: rhbz#2041950
parent
d838342cc6
commit
32051f4193
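--- a/aide-0.16-CVE-2021-45417.patch
+++ b/aide-0.16-CVE-2021-45417.patch
@@ -0,0 +1,123 @@
+diff --git a/include/base64.h b/include/base64.h
+index 0ff7116..381ef5d 100644
+--- a/include/base64.h
++++ b/include/base64.h
+@@ -36,7 +36,6 @@
+#include <assert.h>
+#include "types.h"
+
+-#define B64_BUF 16384
+#define FAIL -1
+#define SKIP -2
+
+diff --git a/src/base64.c b/src/base64.c
+index fd01bac..1b0f301 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL
+};
+
+/* Returns NULL on error */
+-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
+char* encode_base64(byte* src,size_t ssize)
+{
+char* outbuf;
+- char* retbuf;
+int pos;
+int i, l, left;
+unsigned long triple;
+@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize)
+error(240,"\n");
+return NULL;
+}
+- outbuf = (char *)malloc(sizeof(char)*B64_BUF);
++
++ /* length of encoded base64 string (padded) */
++ size_t length = sizeof(char)* ((ssize + 2) / 3) * 4;
++ outbuf = (char *)malloc(length + 1);
+
+/* Initialize working pointers */
+inb = src;
+@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize)
+inb++;
+}
+
+- /* outbuf is not completely used so we use retbuf */
+- retbuf=(char*)malloc(sizeof(char)*(pos+1));
+- memcpy(retbuf,outbuf,pos);
+- retbuf[pos]='\0';
+- free(outbuf);
++ outbuf[pos]='\0';
+
+- return retbuf;
++ return outbuf;
+}
+
+-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
+byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
+{
+byte* outbuf;
+- byte* retbuf;
+char* inb;
+int i;
+int l;
+@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
+if (!ssize||src==NULL)
+return NULL;
+
++ /* exit on unpadded input */
++ if (ssize % 4) {
++ error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src);
++ return NULL;
++ }
++
++ /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */
++ size_t length = sizeof(byte) * ((ssize / 4) * 3)- (src[ssize-1] == '=') - (src[ssize-2] == '=');
+
+/* Initialize working pointers */
+inb = src;
+- outbuf = (byte *)malloc(sizeof(byte)*B64_BUF);
++ outbuf = (byte *)malloc(length + 1);
+
+l = 0;
+triple = 0;
+@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
+inb++;
+}
+
+- retbuf=(byte*)malloc(sizeof(byte)*(pos+1));
+- memcpy(retbuf,outbuf,pos);
+- retbuf[pos]='\0';
+-
+- free(outbuf);
++ outbuf[pos]='\0';
+
+if (ret_len) *ret_len = pos;
+
+- return retbuf;
++ return outbuf;
+}
+
+size_t length_base64(char* src,size_t ssize)
+diff --git a/src/db.c b/src/db.c
+index 858240d..62c4faa 100644
+--- a/src/db.c
++++ b/src/db.c
+@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){
+
+time_t base64totime_t(char* s){
+
++ if(strcmp(s,"0")==0){
++ return 0;
++ }
+byte* b=decode_base64(s,strlen(s),NULL);
+char* endp;
+
+- if (b==NULL||strcmp(s,"0")==0) {
++ if (b==NULL) {
+
+/* Should we print error here? */
+- free(b);
+
+return 0;
+} else {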
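Review bot: Neither new `malloc(length + 1)` in src/base64.c (one in `encode_base64`, one in `decode_base64`) is followed by a NULL check in the lines shown, yet both buffers are written through later at `outbuf[pos]='\0';`. Because the size now follows the caller-supplied `ssize` instead of the fixed `B64_BUF`, a failed allocation on an oversized database field would presumably end in a NULL dereference; I would add `if (outbuf == NULL) return NULL;` after each call, consistent with the NULL-on-error returns both functions already use. `pos` remains an `int` while `length` is a `size_t`, so it is worth confirming outside these hunks that `pos` can never exceed `length` and that `((ssize + 2) / 3) * 4` cannot wrap for a very large `ssize`. Both function bodies continue outside the hunks, so the write loops themselves are not visible here.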
@ -1,7 +1,7 @@
|
|||||||
Summary: Intrusion detection environment
|
Summary: Intrusion detection environment
|
||||||
Name: aide
|
Name: aide
|
||||||
Version: 0.16
|
Version: 0.16
|
||||||
Release: 21%{?dist}
|
Release: 100%{?dist}
|
||||||
URL: http://sourceforge.net/projects/aide
|
URL: http://sourceforge.net/projects/aide
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
|
|
||||||
@ -39,6 +39,8 @@ Patch7: aide-0.16-crash-elf.patch
|
|||||||
Patch8: aide-configure.patch
|
Patch8: aide-configure.patch
|
||||||
Patch9: aide-static-analysis.patch
|
Patch9: aide-static-analysis.patch
|
||||||
|
|
||||||
|
Patch10: aide-0.16-CVE-2021-45417.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
AIDE (Advanced Intrusion Detection Environment) is a file integrity
|
AIDE (Advanced Intrusion Detection Environment) is a file integrity
|
||||||
checker and intrusion detection program.
|
checker and intrusion detection program.
|
||||||
@ -84,6 +86,10 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
|
|||||||
%dir %attr(0700,root,root) %{_localstatedir}/log/aide
|
%dir %attr(0700,root,root) %{_localstatedir}/log/aide
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 24 2022 Radovan Sroka <rsroka@redhat.com> - 0.16-100
|
||||||
|
- backport fix for CVE-2021-45417
|
||||||
|
Resolves: rhbz#2041950
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.16-21
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.16-21
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
Related: rhbz#1991688
|
Related: rhbz#1991688
|
||||||
|