rpms
/
aide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:imports/c8-beta/aide-0.16-8.el8
Branches Tags
rpms:c8
rpms:c9s
rpms:c8s
rpms:c9
rpms:c8-beta
rpms:c9-beta
rpms:imports/c8s/aide-0.16-14.el8_5.1
rpms:imports/c9/aide-0.16-100.el9
rpms:imports/c8-beta/aide-0.16-14.el8_5.1
rpms:imports/c9-beta/aide-0.16-100.el9
rpms:imports/c8/aide-0.16-14.el8_5.1
rpms:imports/c9-beta/aide-0.16-21.el9
rpms:imports/c8-beta/aide-0.16-14.el8
rpms:imports/c8-beta/aide-0.16-11.el8
rpms:imports/c8-beta/aide-0.16-8.el8
rpms:imports/c8s/aide-0.16-14.el8
rpms:imports/c8s/aide-0.16-13.el8
rpms:imports/c8s/aide-0.16-12.el8
rpms:imports/c8/aide-0.16-14.el8
rpms:imports/c8/aide-0.16-11.el8
rpms:imports/c8/aide-0.16-8.el8
...
compare: rpms:c8
Branches Tags
rpms:c9s
rpms:c8s
rpms:c9
rpms:c8-beta
rpms:c9-beta
rpms:c8
rpms:imports/c8s/aide-0.16-14.el8_5.1
rpms:imports/c9/aide-0.16-100.el9
rpms:imports/c8-beta/aide-0.16-14.el8_5.1
rpms:imports/c9-beta/aide-0.16-100.el9
rpms:imports/c8/aide-0.16-14.el8_5.1
rpms:imports/c9-beta/aide-0.16-21.el9
rpms:imports/c8-beta/aide-0.16-14.el8
rpms:imports/c8-beta/aide-0.16-11.el8
rpms:imports/c8-beta/aide-0.16-8.el8
rpms:imports/c8s/aide-0.16-14.el8
rpms:imports/c8s/aide-0.16-13.el8
rpms:imports/c8s/aide-0.16-12.el8
rpms:imports/c8/aide-0.16-14.el8
rpms:imports/c8/aide-0.16-11.el8
rpms:imports/c8/aide-0.16-8.el8

No commits in common. "imports/c8-beta/aide-0.16-8.el8" and "c8" have entirely different histories.
imports/c8 ... c8

5 changed files with 394 additions and 107 deletions
Show Stats Expand all files Collapse all files

123
SOURCES/aide-0.16-CVE-2021-45417.patch Normal file
View File

@ -0,0 +1,123 @@
diff --git a/include/base64.h b/include/base64.h
index 0ff7116..381ef5d 100644
--- a/include/base64.h
+++ b/include/base64.h
@@ -36,7 +36,6 @@
#include <assert.h>
#include "types.h"
-#define B64_BUF 16384
#define FAIL -1
#define SKIP -2
diff --git a/src/base64.c b/src/base64.c
index fd01bac..1b0f301 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL
};
/* Returns NULL on error */
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
char* encode_base64(byte* src,size_t ssize)
{
char* outbuf;
- char* retbuf;
int pos;
int i, l, left;
unsigned long triple;
@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize)
error(240,"\n");
return NULL;
}
- outbuf = (char *)malloc(sizeof(char)*B64_BUF);
+
+ /* length of encoded base64 string (padded) */
+ size_t length = sizeof(char)* ((ssize + 2) / 3) * 4;
+ outbuf = (char *)malloc(length + 1);
/* Initialize working pointers */
inb = src;
@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize)
inb++;
}
- /* outbuf is not completely used so we use retbuf */
- retbuf=(char*)malloc(sizeof(char)*(pos+1));
- memcpy(retbuf,outbuf,pos);
- retbuf[pos]='\0';
- free(outbuf);
+ outbuf[pos]='\0';
- return retbuf;
+ return outbuf;
}
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
{
byte* outbuf;
- byte* retbuf;
char* inb;
int i;
int l;
@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
if (!ssize||src==NULL)
return NULL;
+ /* exit on unpadded input */
+ if (ssize % 4) {
+ error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src);
+ return NULL;
+ }
+
+ /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */
+ size_t length = sizeof(byte) * ((ssize / 4) * 3)- (src[ssize-1] == '=') - (src[ssize-2] == '=');
/* Initialize working pointers */
inb = src;
- outbuf = (byte *)malloc(sizeof(byte)*B64_BUF);
+ outbuf = (byte *)malloc(length + 1);
l = 0;
triple = 0;
@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
inb++;
}
- retbuf=(byte*)malloc(sizeof(byte)*(pos+1));
- memcpy(retbuf,outbuf,pos);
- retbuf[pos]='\0';
-
- free(outbuf);
+ outbuf[pos]='\0';
if (ret_len) *ret_len = pos;
- return retbuf;
+ return outbuf;
}
size_t length_base64(char* src,size_t ssize)
diff --git a/src/db.c b/src/db.c
index 858240d..62c4faa 100644
--- a/src/db.c
+++ b/src/db.c
@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){
time_t base64totime_t(char* s){
+ if(strcmp(s,"0")==0){
+ return 0;
+ }
byte* b=decode_base64(s,strlen(s),NULL);
char* endp;
- if (b==NULL||strcmp(s,"0")==0) {
+ if (b==NULL) {
/* Should we print error here? */
- free(b);
return 0;
} else {

296
SOURCES/aide.conf
View File

@ -51,8 +51,6 @@ report_url=stdout
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
@ -65,150 +63,245 @@ ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = FIPSR+sha512
# Sane
# NORMAL = R+sha512
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+i+u+g+acl+selinux
PERMS = p+u+g+acl+selinux+xattrs
# Logfile are special, in that they often change
LOG = >
LOG = p+u+g+n+S+acl+selinux+xattrs
# Just do sha256 and sha512 hashes
LSPP = FIPSR+sha512
# Content + file type.
CONTENT = sha512+ftype
# Extended content + file type + access.
CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
/boot CONTENT_EX
/opt CONTENT
# Admins dot files constantly change, just check perms
/root/\..* PERMS
# Otherwise get all of /root.
/root CONTENT_EX
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
# Otherwise get all of /usr.
/usr CONTENT_EX
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
# trusted databases
/etc/hosts$ CONTENT_EX
/etc/host.conf$ CONTENT_EX
/etc/hostname$ CONTENT_EX
/etc/issue$ CONTENT_EX
/etc/issue.net$ CONTENT_EX
/etc/protocols$ CONTENT_EX
/etc/services$ CONTENT_EX
/etc/localtime$ CONTENT_EX
/etc/alternatives CONTENT_EX
/etc/sysconfig CONTENT_EX
/etc/mime.types$ CONTENT_EX
/etc/terminfo CONTENT_EX
/etc/exports$ CONTENT_EX
/etc/fstab$ CONTENT_EX
/etc/passwd$ CONTENT_EX
/etc/group$ CONTENT_EX
/etc/gshadow$ CONTENT_EX
/etc/shadow$ CONTENT_EX
/etc/subgid$ CONTENT_EX
/etc/subuid$ CONTENT_EX
/etc/security/opasswd$ CONTENT_EX
/etc/skel CONTENT_EX
/etc/subuid$ CONTENT_EX
/etc/subgid$ CONTENT_EX
/etc/sssd CONTENT_EX
/etc/machine-id$ CONTENT_EX
/etc/swid CONTENT_EX
/etc/system-release-cpe$ CONTENT_EX
/etc/shells$ CONTENT_EX
/etc/tmux.conf$ CONTENT_EX
/etc/xattr.conf$ CONTENT_EX
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
# networking
/etc/hosts.allow$ CONTENT_EX
/etc/hosts.deny$ CONTENT_EX
/etc/firewalld CONTENT_EX
!/etc/NetworkManager/system-connections
/etc/NetworkManager CONTENT_EX
/etc/networks$ CONTENT_EX
/etc/dhcp CONTENT_EX
/etc/wpa_supplicant CONTENT_EX
/etc/resolv.conf$ DATAONLY
/etc/nscd.conf$ CONTENT_EX
/etc/resolv.conf DATAONLY
# logins and accounts
/etc/login.defs$ CONTENT_EX
/etc/libuser.conf$ CONTENT_EX
/var/log/faillog$ PERMS
/var/log/lastlog$ PERMS
/var/run/faillock PERMS
/etc/pam.d CONTENT_EX
/etc/security CONTENT_EX
/etc/securetty$ CONTENT_EX
/etc/polkit-1 CONTENT_EX
/etc/sudo.conf$ CONTENT_EX
/etc/sudoers$ CONTENT_EX
/etc/sudoers.d CONTENT_EX
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Shell/X startup files
/etc/profile$ CONTENT_EX
/etc/profile.d CONTENT_EX
/etc/bashrc$ CONTENT_EX
/etc/bash_completion.d CONTENT_EX
/etc/zprofile$ CONTENT_EX
/etc/zshrc$ CONTENT_EX
/etc/zlogin$ CONTENT_EX
/etc/zlogout$ CONTENT_EX
/etc/X11 CONTENT_EX
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/var/log LOG
/var/run/utmp LOG
/etc/dnf CONTENT_EX
/etc/yum.conf$ CONTENT_EX
/etc/yum CONTENT_EX
/etc/yum.repos.d CONTENT_EX
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# auditing
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/var/log/audit PERMS
/etc/audit CONTENT_EX
/etc/libaudit.conf$ CONTENT_EX
/etc/aide.conf$ CONTENT_EX
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
# System logs
/etc/rsyslog.conf$ CONTENT_EX
/etc/rsyslog.d CONTENT_EX
/etc/logrotate.conf$ CONTENT_EX
/etc/logrotate.d CONTENT_EX
/etc/systemd/journald.conf$ CONTENT_EX
/var/log LOG+ANF+ARF
/var/run/utmp LOG
/etc/hosts LSPP
/etc/sysconfig LSPP
# secrets
/etc/pkcs11 CONTENT_EX
/etc/pki CONTENT_EX
/etc/crypto-policies CONTENT_EX
/etc/certmonger CONTENT_EX
/var/lib/systemd/random-seed$ PERMS
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
# init system
/etc/systemd CONTENT_EX
/etc/rc.d CONTENT_EX
/etc/tmpfiles.d CONTENT_EX
/etc/ld.so.conf LSPP
# boot config
/etc/default CONTENT_EX
/etc/grub.d CONTENT_EX
/etc/dracut.conf$ CONTENT_EX
/etc/dracut.conf.d CONTENT_EX
/etc/localtime LSPP
# glibc linker
/etc/ld.so.cache$ CONTENT_EX
/etc/ld.so.conf$ CONTENT_EX
/etc/ld.so.conf.d CONTENT_EX
/etc/ld.so.preload$ CONTENT_EX
/etc/sysctl.conf LSPP
# kernel config
/etc/sysctl.conf$ CONTENT_EX
/etc/sysctl.d CONTENT_EX
/etc/modprobe.d CONTENT_EX
/etc/modules-load.d CONTENT_EX
/etc/depmod.d CONTENT_EX
/etc/udev CONTENT_EX
/etc/crypttab$ CONTENT_EX
/etc/modprobe.conf LSPP
#### Daemons ####
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
# cron jobs
/var/spool/at CONTENT
/etc/at.allow$ CONTENT
/etc/at.deny$ CONTENT
/var/spool/anacron CONTENT
/etc/anacrontab$ CONTENT_EX
/etc/cron.allow$ CONTENT_EX
/etc/cron.deny$ CONTENT_EX
/etc/cron.d CONTENT_EX
/etc/cron.daily CONTENT_EX
/etc/cron.hourly CONTENT_EX
/etc/cron.monthly CONTENT_EX
/etc/cron.weekly CONTENT_EX
/etc/crontab$ CONTENT_EX
/var/spool/cron/root CONTENT
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
# time keeping
/etc/chrony.conf$ CONTENT_EX
/etc/chrony.keys$ CONTENT_EX
/etc/stunnel LSPP
# mail
/etc/aliases$ CONTENT_EX
/etc/aliases.db$ CONTENT_EX
/etc/postfix CONTENT_EX
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
# ssh
/etc/ssh/sshd_config$ CONTENT_EX
/etc/ssh/ssh_config$ CONTENT_EX
/etc/issue LSPP
/etc/issue.net LSPP
# stunnel
/etc/stunnel CONTENT_EX
# printing
/etc/cups CONTENT_EX
/etc/cupshelpers CONTENT_EX
/etc/avahi CONTENT_EX
# web server
/etc/httpd CONTENT_EX
# dns
/etc/named CONTENT_EX
/etc/named.conf$ CONTENT_EX
/etc/named.iscdlv.key$ CONTENT_EX
/etc/named.rfc1912.zones$ CONTENT_EX
/etc/named.root.key$ CONTENT_EX
# xinetd
/etc/xinetd.conf$ CONTENT_EX
/etc/xinetd.d CONTENT_EX
# IPsec
/etc/ipsec.conf$ CONTENT_EX
/etc/ipsec.secrets$ CONTENT_EX
/etc/ipsec.d CONTENT_EX
# USB guard
/etc/usbguard CONTENT_EX
# Ignore some files
!/etc/mtab$
!/etc/.*~
# Now everything else
/etc PERMS
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
@ -221,3 +314,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
# Admins dot files constantly change, just check perms
/root/\..* PERMS
!/root/.xauth*

2
SOURCES/coverity.patch
View File

@ -241,7 +241,7 @@ diff -up ./src/commandconf.c.coverity ./src/commandconf.c
}
}
- *val++;
+ (*val)++;
+ val++;
}
}
#endif

31
SOURCES/coverity2.patch Normal file
View File

@ -0,0 +1,31 @@
diff --up ./src/compare_db.c ./src/compare_db.c
--- ./src/compare_db.c
+++ ./src/compare_db.c
@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s);
} else {
*values = malloc(1 * sizeof (char*));
if (DB_FTYPE&attr) {
- easy_string(get_file_type_string(line->perm))
+ char *file_type = get_file_type_string(line->perm);
+ if (!file_type) {
+ error(2,"%s: ", file_type);
+ }
+ easy_string(file_type)
} else if (DB_LINKNAME&attr) {
easy_string(line->linkname)
easy_number((DB_SIZE|DB_SIZEG),size,"%li")
diff -up ./src/db_file.c ./src/db_file.c
--- ./src/db_file.c
+++ ./src/db_file.c
@@ -194,6 +194,10 @@ int db_file_read_spec(int db){
*db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
+ if (*db_order == NULL){
+ error(1,"malloc for *db_order failed in %s", __func__);
+ }
+
while ((i=db_scan())!=TNEWLINE){
switch (i) {

49
SPECS/aide.spec
View File

@ -1,11 +1,9 @@
Summary: Intrusion detection environment
Name: aide
Version: 0.16
Release: 8%{?dist}
Release: 14%{?dist}.1
URL: http://sourceforge.net/projects/aide
License: GPLv2+
Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz
Source1: aide.conf
Source2: README.quickstart
@ -24,6 +22,8 @@ BuildRequires: libattr-devel
BuildRequires: e2fsprogs-devel
Buildrequires: audit-libs-devel
Requires: libgcrypt >= 1.8.5
# Customize the database file location in the man page.
Patch1: aide-0.16rc1-man.patch
# fix aide in FIPS mode
@ -34,6 +34,12 @@ Patch4: aide-0.16-crypto-disable-haval-and-others.patch
Patch5: coverity.patch
Patch6: aide-0.16-crash-elf.patch
# 1676487 - Null pointer dereference fix spotted by coverity
Patch7: coverity2.patch
# 2041956 - CVE-2021-45417 aide: heap-based buffer overflow on outputs larger than B64_BUF
Patch8: aide-0.16-CVE-2021-45417.patch
%description
AIDE (Advanced Intrusion Detection Environment) is a file integrity
checker and intrusion detection program.
@ -78,6 +84,40 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
%dir %attr(0700,root,root) %{_localstatedir}/log/aide
%changelog
* Tue Jan 25 2022 Radovan Sroka <rsroka@redhat.com> - 0.16.14.1
- backported fix for CVE-2021-45417
resolves: rhbz#2041956
* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> = 0.16.14
- strict require for libgcrypt
resolves: rhbz#1852407
* Tue May 19 2020 Attila Lakatos <alakatos@redhat.com> - 0.16-13
- RHEL 8.3
- minor edit of aide.conf to make it consistent
resolves: rhbz#1740754
* Mon Apr 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.16-12
- RHEL 8.3
- minor edit of aide.conf
resolves: rhbz#1740754
- do not generate false warnings when report_ignore_e2fsattrs is specified in aide.conf
resolves: rhbz#1806323
* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-11
- rebuild
- minor edit of aide.conf
* Tue Jul 23 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-10
- respin
- minor edit of aide.conf
* Tue Jul 23 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-9
- Null pointer dereference fix spotted by coverity
resolves: rhbz#1676487
- aide.conf needs updates for RHEL 8
resolves: rhbz#1708015
* Tue Oct 09 2018 Radovan Sroka <rsroka@redhat.com> - 0.16-8
- fixed wrong line wrapping of messages in the syslog format
resolves: rhbz#1628153
@ -111,7 +151,7 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
* Tue Apr 04 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-1
- rebase to stable v0.16
- specfile cleanup
- make doc readable
- make doc readable
resolves: #1421355
- make aide binary runable for any user
resolves: #1421351
@ -300,4 +340,3 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
* Sun Sep 07 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.1.20030902
- Initial package version.