Import from CS git

SOURCES/aide-0.16-CVE-2021-45417.patch

@@ -0,0 +1,123 @@
+diff --git a/include/base64.h b/include/base64.h
+index 0ff7116..381ef5d 100644
+--- a/include/base64.h
++++ b/include/base64.h
+@@ -36,7 +36,6 @@
+ #include <assert.h>
+ #include "types.h"
+ 
+-#define B64_BUF 16384
+ #define FAIL -1
+ #define SKIP -2
+ 
+diff --git a/src/base64.c b/src/base64.c
+index fd01bac..1b0f301 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL
+ };
+ 
+ /* Returns NULL on error */
+-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
+ char* encode_base64(byte* src,size_t ssize)
+ {
+   char* outbuf;
+-  char* retbuf;
+   int pos;
+   int i, l, left;
+   unsigned long triple;
+@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize)
+     error(240,"\n");
+     return NULL;
+   }
+-  outbuf = (char *)malloc(sizeof(char)*B64_BUF);
++
++  /* length of encoded base64 string (padded) */
++  size_t length = sizeof(char)* ((ssize + 2) / 3) * 4;
++  outbuf = (char *)malloc(length + 1);
+   
+   /* Initialize working pointers */
+   inb = src;
+@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize)
+       inb++;
+   }
+   
+-  /* outbuf is not completely used so we use retbuf */
+-  retbuf=(char*)malloc(sizeof(char)*(pos+1));
+-  memcpy(retbuf,outbuf,pos);
+-  retbuf[pos]='\0';
+-  free(outbuf);
++  outbuf[pos]='\0';
+ 
+-  return retbuf;
++  return outbuf;
+ }
+ 
+-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
+ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
+ {
+   byte* outbuf;
+-  byte* retbuf;
+   char* inb;
+   int i;
+   int l;
+@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
+   if (!ssize||src==NULL)
+     return NULL;
+ 
++  /* exit on unpadded input */
++  if (ssize % 4) {
++    error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src);
++    return NULL;
++  }
++
++  /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */
++  size_t length = sizeof(byte) * ((ssize / 4) * 3)- (src[ssize-1] == '=') - (src[ssize-2] == '=');
+ 
+   /* Initialize working pointers */
+   inb = src;
+-  outbuf = (byte *)malloc(sizeof(byte)*B64_BUF);
++  outbuf = (byte *)malloc(length + 1);
+ 
+   l = 0;
+   triple = 0;
+@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
+       inb++;
+     }
+   
+-  retbuf=(byte*)malloc(sizeof(byte)*(pos+1));
+-  memcpy(retbuf,outbuf,pos);
+-  retbuf[pos]='\0';
+-  
+-  free(outbuf);
++  outbuf[pos]='\0';
+ 
+   if (ret_len) *ret_len = pos;
+   
+-  return retbuf;
++  return outbuf;
+ }
+ 
+ size_t length_base64(char* src,size_t ssize)
+diff --git a/src/db.c b/src/db.c
+index 858240d..62c4faa 100644
+--- a/src/db.c
++++ b/src/db.c
+@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){
+ 
+ time_t base64totime_t(char* s){
+   
++  if(strcmp(s,"0")==0){
++      return 0;
++  }
+   byte* b=decode_base64(s,strlen(s),NULL);
+   char* endp;
+   
+-  if (b==NULL||strcmp(s,"0")==0) {
++  if (b==NULL) {
+     
+     /* Should we print error here? */
+-    free(b);
+     
+     return 0;
+   } else {

SOURCES/aide-0.16-CVE-2025-54389-part2.patch

@@ -0,0 +1,220 @@
+diff -up aide-0.16/src/db_disk.c.orig aide-0.16/src/db_disk.c
+--- aide-0.16/src/db_disk.c.orig	2025-08-21 09:58:21.271581589 +0200
++++ aide-0.16/src/db_disk.c	2025-08-21 10:01:26.310573141 +0200
+@@ -139,7 +139,11 @@ void add_child (db_line * fil)
+ 	int i;
+ 	struct seltree *new_r;
+ 
+-	error (255, "Adding child %s\n", fil->filename);
++	{
++	char *fname_safe = stresc(fil->filename);
++	error (255, "Adding child %s\n", fname_safe);
++	free(fname_safe);
++	}
+ 
+ 	new_r = get_seltree_node (r, fil->filename);
+ 	if (new_r != NULL) {
+@@ -182,9 +186,13 @@ static int get_file_status(char *filenam
+     if(sres == -1){
+         char* er = strerror(errno);
+         if (er == NULL) {
+-            error(0,"get_file_status: lstat() failed for %s. strerror() failed for %i\n", filename, errno);
++            char *filename_safe = stresc(filename);
++            error(0,"get_file_status: lstat() failed for %s. strerror() failed for %i\n", filename_safe, errno);
++            free(filename_safe);
+         } else {
+-            error(0,"get_file_status: lstat() failed for %s: %s\n", filename, er);
++            char *filename_safe = stresc(filename);
++            error(0,"get_file_status: lstat() failed for %s: %s\n", filename_safe, er);
++            free(filename_safe);
+         }
+     }
+     return sres;
+@@ -220,7 +228,11 @@ db_line *db_readline_disk ()
+ 			error (240, "%s attr=%llu\n", &fullname[conf->root_prefix_length], attr);
+ 
+ 			if (fil != NULL) {
+-				error (240, "%s attr=%llu\n", fil->filename, fil->attr);
++				{
++				char *fname_safe = stresc(fil->filename);
++				error (240, "%s attr=%llu\n", fname_safe, fil->attr);
++				free(fname_safe);
++				}
+ 				return fil;
+ 			}
+         }
+@@ -269,7 +281,11 @@ recursion:
+ 			error (240, "%s attr=%llu\n", &fullname[conf->root_prefix_length], attr);
+ 
+ 			if (fil != NULL) {
+-				error (240, "%s attr=%llu\n", fil->filename, fil->attr);
++				{
++				char *fname_safe = stresc(fil->filename);
++				error (240, "%s attr=%llu\n", fname_safe, fil->attr);
++				free(fname_safe);
++				}
+ 			} else {
+ 				/*
+ 				   Something went wrong during read process -> 
+diff -up aide-0.16/src/gen_list.c.orig aide-0.16/src/gen_list.c
+--- aide-0.16/src/gen_list.c.orig	2025-08-21 09:58:21.273581610 +0200
++++ aide-0.16/src/gen_list.c	2025-08-21 10:04:29.190502666 +0200
+@@ -37,6 +37,7 @@
+ #include "list.h"
+ #include "gen_list.h"
+ #include "seltree.h"
++#include "util.h"
+ #include "db.h"
+ #include "db_config.h"
+ #include "commandconf.h"
+@@ -993,16 +994,28 @@ int check_rxtree(char* filename,seltree*
+   if(conf->limit!=NULL) {
+       retval=pcre_exec(conf->limit_crx, NULL, filename, strlen(filename), 0, PCRE_PARTIAL_SOFT, NULL, 0);
+       if (retval >= 0) {
+-          error(220, "check_rxtree: %s does match limit: %s\n", filename, conf->limit);
++          char *fname_safe = stresc(filename);
++          char *limit_safe = conf->limit?stresc(conf->limit):NULL;
++          error(220, "check_rxtree: %s does match limit: %s\n", fname_safe, limit_safe?limit_safe:"");
++          free(fname_safe);
++          free(limit_safe);
+       } else if (retval == PCRE_ERROR_PARTIAL) {
+-          error(220, "check_rxtree: %s does PARTIAL match limit: %s\n", filename, conf->limit);
++          char *fname_safe = stresc(filename);
++          char *limit_safe = conf->limit?stresc(conf->limit):NULL;
++          error(220, "check_rxtree: %s does PARTIAL match limit: %s\n", fname_safe, limit_safe?limit_safe:"");
+           if(S_ISDIR(perm) && get_seltree_node(tree,filename)==NULL){
+-              error(220, "check_rxtree: creating new seltree node for '%s'\n", filename);
++              error(220, "check_rxtree: creating new seltree node for '%s'\n", fname_safe);
+               new_seltree_node(tree,filename,0,NULL);
+           }
++          free(fname_safe);
++          free(limit_safe);
+           return -1;
+       } else {
+-          error(220, "check_rxtree: %s does NOT match limit: %s\n", filename, conf->limit);
++          char *fname_safe = stresc(filename);
++          char *limit_safe = conf->limit?stresc(conf->limit):NULL;
++          error(220, "check_rxtree: %s does NOT match limit: %s\n", fname_safe, limit_safe?limit_safe:"");
++          free(fname_safe);
++          free(limit_safe);
+           return -2;
+       }
+   }
+@@ -1039,13 +1052,25 @@ db_line* get_file_attrs(char* filename,D
+   } else {
+     
+     if(fs->st_atime>cur_time){
+-      error(CLOCK_SKEW,_("%s atime in future\n"),filename);
++      {
++      char *fname_safe = stresc(filename);
++      error(CLOCK_SKEW,_("%s atime in future\n"),fname_safe);
++      free(fname_safe);
++      }
+     }
+     if(fs->st_mtime>cur_time){
+-      error(CLOCK_SKEW,_("%s mtime in future\n"),filename);
++      {
++      char *fname_safe = stresc(filename);
++      error(CLOCK_SKEW,_("%s mtime in future\n"),fname_safe);
++      free(fname_safe);
++      }
+     }
+     if(fs->st_ctime>cur_time){
+-      error(CLOCK_SKEW,_("%s ctime in future\n"),filename);
++      {
++      char *fname_safe = stresc(filename);
++      error(CLOCK_SKEW,_("%s ctime in future\n"),fname_safe);
++      free(fname_safe);
++      }
+     }
+   }
+   
+@@ -1220,7 +1245,11 @@ void hsymlnk(db_line* line) {
+       int sres;
+       sres=AIDE_STAT_FUNC(line->fullpath,&fs);
+       if (sres!=0 && sres!=EACCES) {
+-	error(4,"Dead symlink detected at %s\n",line->fullpath);
++        {
++        char *fp_safe = stresc(line->fullpath);
++        error(4,"Dead symlink detected at %s\n",fp_safe);
++        free(fp_safe);
++        }
+       }
+       if(!(line->attr&DB_RDEV))
+ 	fs.st_rdev=0;
+diff -up aide-0.16/src/util.c.orig aide-0.16/src/util.c
+--- aide-0.16/src/util.c.orig	2025-08-21 09:58:21.272581600 +0200
++++ aide-0.16/src/util.c	2025-08-21 10:07:50.157894133 +0200
+@@ -104,9 +104,11 @@ url_t* parse_url(char* val)
+       r+=2;
+       for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++);
+       if(r[0]=='\0'){
+-	error(0,"Invalid file-URL,no path after hostname: file:%s\n",t);
++        char *t_safe = stresc(t);
++        error(0,"Invalid file-URL,no path after hostname: file:%s\n",t_safe);
++        free(t_safe);
+         free(hostname);
+-	return NULL;
++        return NULL;
+       }
+       u->value=strdup(r);
+       r[0]='\0';
+@@ -118,9 +120,11 @@ url_t* parse_url(char* val)
+ 	free(hostname);
+ 	break;
+       } else {
+-	error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,u->value);
+-	free(hostname);
+-	return NULL;
++        char *value_safe = stresc(u->value);
++        error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,value_safe);
++        free(value_safe);
++        free(hostname);
++        return NULL;
+       }
+ 
+       break;
+@@ -150,6 +154,43 @@ url_t* parse_url(char* val)
+   return u;
+ }
+ 
++static size_t escape_str(const char *unescaped_str, char *str, size_t s) {
++    size_t n = 0;
++    size_t i = 0;
++    char c;
++    while (i < s && (c = unescaped_str[i])) {
++        if ((c >= 0 && (c < 0x1f || c == 0x7f)) ||
++            (c == '\\' && isdigit(unescaped_str[i+1])
++                       && isdigit(unescaped_str[i+2])
++                       && isdigit(unescaped_str[i+3]))) {
++            if (str) { snprintf(&str[n], 5, "\\%03o", c); }
++            n += 4;
++        } else {
++            if (str) { str[n] = c; }
++            n++;
++        }
++        i++;
++    }
++    if (str) { str[n] = '\0'; }
++    n++;
++    return n;
++}
++
++char *strnesc(const char *unescaped_str, size_t s) {
++    int n = escape_str(unescaped_str, NULL, s);
++    char *str = malloc(n);
++    if (str == NULL) {
++        error(0, "malloc: failed to allocate %d bytes of memory\n", n);
++        exit(1);
++    }
++    escape_str(unescaped_str, str, s);
++    return str;
++}
++
++char *stresc(const char *unescaped_str) {
++    return strnesc(unescaped_str, strlen(unescaped_str));
++}
++
+ /* Returns 1 if the string contains unsafe characters, 0 otherwise.  */
+ int contains_unsafe (const char *s)
+ {

SOURCES/aide.conf

@@ -51,8 +51,6 @@ report_url=stdout
 #crc32:  crc32 checksum (MHASH only)
 #whirlpool:     whirlpool checksum (MHASH only)
 
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-
 #R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
 #L:             p+i+n+u+g+acl+selinux+xattrs
 #E:             Empty group
@@ -65,150 +63,245 @@ ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
 # Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES
 
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Sane
+# NORMAL = R+sha512
+NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
 
 # For directories, don't bother doing hashes
 DIR = p+i+n+u+g+acl+selinux+xattrs
 
 # Access control only
-PERMS = p+i+u+g+acl+selinux
+PERMS = p+u+g+acl+selinux+xattrs
 
 # Logfile are special, in that they often change
-LOG = >
+LOG = p+u+g+n+S+acl+selinux+xattrs
 
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
+# Content + file type.
+CONTENT = sha512+ftype
+
+# Extended content + file type + access.
+CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
 
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes
-DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha512
 
 # Next decide what directories/files you want in the database.
 
-/boot   NORMAL
-/bin    NORMAL
-/sbin   NORMAL
-/lib    NORMAL
-/lib64  NORMAL
-/opt    NORMAL
-/usr    NORMAL
-/root   NORMAL
+/boot       CONTENT_EX
+/opt        CONTENT
+
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+# Otherwise get all of /root.
+/root   CONTENT_EX
+
 # These are too volatile
 !/usr/src
 !/usr/tmp
 
-# Check only permissions, inode, user and group for /etc, but
-# cover some important files closely.
-/etc    PERMS
-!/etc/mtab
-# Ignore backup files
-!/etc/.*~
-/etc/exports  NORMAL
-/etc/fstab    NORMAL
-/etc/passwd   NORMAL
-/etc/group    NORMAL
-/etc/gshadow  NORMAL
-/etc/shadow   NORMAL
-/etc/security/opasswd   NORMAL
+# Otherwise get all of /usr.
+/usr    CONTENT_EX
 
-/etc/hosts.allow   NORMAL
-/etc/hosts.deny    NORMAL
+# trusted databases
+/etc/hosts$      CONTENT_EX
+/etc/host.conf$  CONTENT_EX
+/etc/hostname$   CONTENT_EX
+/etc/issue$      CONTENT_EX
+/etc/issue.net$  CONTENT_EX
+/etc/protocols$  CONTENT_EX
+/etc/services$   CONTENT_EX
+/etc/localtime$  CONTENT_EX
+/etc/alternatives CONTENT_EX
+/etc/sysconfig   CONTENT_EX
+/etc/mime.types$ CONTENT_EX
+/etc/terminfo    CONTENT_EX
+/etc/exports$    CONTENT_EX
+/etc/fstab$      CONTENT_EX
+/etc/passwd$     CONTENT_EX
+/etc/group$      CONTENT_EX
+/etc/gshadow$    CONTENT_EX
+/etc/shadow$     CONTENT_EX
+/etc/subgid$     CONTENT_EX
+/etc/subuid$     CONTENT_EX
+/etc/security/opasswd$ CONTENT_EX
+/etc/skel        CONTENT_EX
+/etc/subuid$     CONTENT_EX
+/etc/subgid$     CONTENT_EX
+/etc/sssd        CONTENT_EX
+/etc/machine-id$ CONTENT_EX
+/etc/swid        CONTENT_EX
+/etc/system-release-cpe$ CONTENT_EX
+/etc/shells$     CONTENT_EX
+/etc/tmux.conf$  CONTENT_EX
+/etc/xattr.conf$ CONTENT_EX
 
-/etc/sudoers NORMAL
-/etc/skel NORMAL
 
-/etc/logrotate.d NORMAL
+# networking
+/etc/hosts.allow$   CONTENT_EX
+/etc/hosts.deny$    CONTENT_EX
+/etc/firewalld      CONTENT_EX
+!/etc/NetworkManager/system-connections
+/etc/NetworkManager CONTENT_EX
+/etc/networks$ CONTENT_EX
+/etc/dhcp CONTENT_EX
+/etc/wpa_supplicant CONTENT_EX
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ CONTENT_EX
 
-/etc/resolv.conf DATAONLY
+# logins and accounts
+/etc/login.defs$ CONTENT_EX
+/etc/libuser.conf$ CONTENT_EX
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock PERMS
+/etc/pam.d CONTENT_EX
+/etc/security CONTENT_EX
+/etc/securetty$ CONTENT_EX
+/etc/polkit-1 CONTENT_EX
+/etc/sudo.conf$ CONTENT_EX
+/etc/sudoers$ CONTENT_EX
+/etc/sudoers.d CONTENT_EX
 
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
-
-# Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
-/etc/profile.d/ NORMAL
-/etc/X11/ NORMAL
+# Shell/X startup files
+/etc/profile$ CONTENT_EX
+/etc/profile.d CONTENT_EX
+/etc/bashrc$ CONTENT_EX
+/etc/bash_completion.d CONTENT_EX
+/etc/zprofile$ CONTENT_EX
+/etc/zshrc$ CONTENT_EX
+/etc/zlogin$ CONTENT_EX
+/etc/zlogout$ CONTENT_EX
+/etc/X11 CONTENT_EX
 
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
-
-/var/log   LOG
-/var/run/utmp LOG
+/etc/dnf CONTENT_EX
+/etc/yum.conf$ CONTENT_EX
+/etc/yum CONTENT_EX
+/etc/yum.repos.d CONTENT_EX
 
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
 
-# LSPP rules...
+# auditing
 # AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
+/var/log/audit PERMS
+/etc/audit CONTENT_EX
+/etc/libaudit.conf$ CONTENT_EX
+/etc/aide.conf$  CONTENT_EX
 
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
+# System logs
+/etc/rsyslog.conf$ CONTENT_EX
+/etc/rsyslog.d CONTENT_EX
+/etc/logrotate.conf$ CONTENT_EX
+/etc/logrotate.d CONTENT_EX
+/etc/systemd/journald.conf$ CONTENT_EX
+/var/log LOG+ANF+ARF
+/var/run/utmp LOG
 
-/etc/hosts LSPP
-/etc/sysconfig LSPP
+# secrets
+/etc/pkcs11 CONTENT_EX
+/etc/pki CONTENT_EX
+/etc/crypto-policies CONTENT_EX
+/etc/certmonger CONTENT_EX
+/var/lib/systemd/random-seed$ PERMS
 
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
+# init system
+/etc/systemd CONTENT_EX
+/etc/rc.d CONTENT_EX
+/etc/tmpfiles.d CONTENT_EX
 
-/etc/ld.so.conf LSPP
+# boot config
+/etc/default CONTENT_EX
+/etc/grub.d CONTENT_EX
+/etc/dracut.conf$ CONTENT_EX
+/etc/dracut.conf.d CONTENT_EX
 
-/etc/localtime LSPP
+# glibc linker
+/etc/ld.so.cache$ CONTENT_EX
+/etc/ld.so.conf$ CONTENT_EX
+/etc/ld.so.conf.d CONTENT_EX
+/etc/ld.so.preload$ CONTENT_EX
 
-/etc/sysctl.conf LSPP
+# kernel config
+/etc/sysctl.conf$ CONTENT_EX
+/etc/sysctl.d CONTENT_EX
+/etc/modprobe.d CONTENT_EX
+/etc/modules-load.d CONTENT_EX
+/etc/depmod.d CONTENT_EX
+/etc/udev CONTENT_EX
+/etc/crypttab$ CONTENT_EX
 
-/etc/modprobe.conf LSPP
+#### Daemons ####
 
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
+# cron jobs
+/var/spool/at CONTENT
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/var/spool/anacron CONTENT
+/etc/anacrontab$ CONTENT_EX
+/etc/cron.allow$ CONTENT_EX
+/etc/cron.deny$ CONTENT_EX
+/etc/cron.d CONTENT_EX
+/etc/cron.daily CONTENT_EX
+/etc/cron.hourly CONTENT_EX
+/etc/cron.monthly CONTENT_EX
+/etc/cron.weekly CONTENT_EX
+/etc/crontab$ CONTENT_EX
+/var/spool/cron/root CONTENT
 
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
+# time keeping
+/etc/chrony.conf$ CONTENT_EX
+/etc/chrony.keys$ CONTENT_EX
 
-/etc/stunnel LSPP
+# mail
+/etc/aliases$ CONTENT_EX
+/etc/aliases.db$ CONTENT_EX
+/etc/postfix CONTENT_EX
 
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
+# ssh
+/etc/ssh/sshd_config$ CONTENT_EX
+/etc/ssh/ssh_config$ CONTENT_EX
 
-/etc/issue LSPP
-/etc/issue.net LSPP
+# stunnel
+/etc/stunnel CONTENT_EX
+
+# printing
+/etc/cups CONTENT_EX
+/etc/cupshelpers CONTENT_EX
+/etc/avahi CONTENT_EX
+
+# web server
+/etc/httpd CONTENT_EX
+
+# dns
+/etc/named CONTENT_EX
+/etc/named.conf$ CONTENT_EX
+/etc/named.iscdlv.key$ CONTENT_EX
+/etc/named.rfc1912.zones$ CONTENT_EX
+/etc/named.root.key$ CONTENT_EX
+
+# xinetd
+/etc/xinetd.conf$ CONTENT_EX
+/etc/xinetd.d CONTENT_EX
+
+# IPsec
+/etc/ipsec.conf$ CONTENT_EX
+/etc/ipsec.secrets$ CONTENT_EX
+/etc/ipsec.d CONTENT_EX
+
+# USB guard
+/etc/usbguard CONTENT_EX
+
+# Ignore some files
+!/etc/mtab$
+!/etc/.*~
+
+# Now everything else
+/etc    PERMS
 
-/etc/cups LSPP
 
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
@@ -221,3 +314,4 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 
 # Admins dot files constantly change, just check perms
 /root/\..* PERMS
+!/root/.xauth*

SOURCES/coverity.patch

@@ -241,7 +241,7 @@ diff -up ./src/commandconf.c.coverity ./src/commandconf.c
              }
          }
 -        *val++;
-+        (*val)++;
++        val++;
      }
  }
  #endif

SOURCES/coverity2.patch

@@ -0,0 +1,31 @@
+diff --up ./src/compare_db.c ./src/compare_db.c
+--- ./src/compare_db.c
++++ ./src/compare_db.c
+@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s);
+     } else {
+         *values = malloc(1 * sizeof (char*));
+         if (DB_FTYPE&attr) {
+-            easy_string(get_file_type_string(line->perm))
++            char *file_type = get_file_type_string(line->perm);
++            if (!file_type) {
++                error(2,"%s: ", file_type);
++            }
++            easy_string(file_type)
+         } else if (DB_LINKNAME&attr) {
+             easy_string(line->linkname)
+         easy_number((DB_SIZE|DB_SIZEG),size,"%li")
+diff -up ./src/db_file.c ./src/db_file.c
+--- ./src/db_file.c
++++ ./src/db_file.c
+@@ -194,6 +194,10 @@ int db_file_read_spec(int db){
+ 
+   *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
+   
++  if (*db_order == NULL){
++    error(1,"malloc for *db_order failed in %s", __func__);
++  }
++
+   while ((i=db_scan())!=TNEWLINE){
+     switch (i) {
+       
+

SPECS/aide.spec

@@ -1,11 +1,9 @@
 Summary:        Intrusion detection environment
 Name:           aide
 Version:        0.16
-Release:        8%{?dist}
+Release:        15%{?dist}.2
 URL:            http://sourceforge.net/projects/aide
 License:        GPLv2+
-
-
 Source0:        %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz
 Source1:        aide.conf
 Source2:        README.quickstart
@@ -24,6 +22,8 @@ BuildRequires:  libattr-devel
 BuildRequires:  e2fsprogs-devel
 Buildrequires:  audit-libs-devel
 
+Requires: libgcrypt >= 1.8.5
+
 # Customize the database file location in the man page.
 Patch1: aide-0.16rc1-man.patch
 # fix aide in FIPS mode
@@ -34,6 +34,16 @@ Patch4: aide-0.16-crypto-disable-haval-and-others.patch
 Patch5: coverity.patch
 Patch6: aide-0.16-crash-elf.patch
 
+# 1676487 - Null pointer dereference fix spotted by coverity
+Patch7: coverity2.patch
+
+# 2041957 - CVE-2021-45417 aide: heap-based buffer overflow on outputs larger than B64_BUF
+Patch8: aide-0.16-CVE-2021-45417.patch
+
+# CVE-2025-54389 aide: improper output neutralization enables bypassing
+Patch9: aide-0.16-CVE-2025-54389.patch
+Patch10: aide-0.16-CVE-2025-54389-part2.patch
+
 %description
 AIDE (Advanced Intrusion Detection Environment) is a file integrity
 checker and intrusion detection program.
@@ -78,6 +88,44 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %dir %attr(0700,root,root) %{_localstatedir}/log/aide
 
 %changelog
+* Thu Aug 21 2025 Attila Lakatos <alakatos@redhat.com> - 0.16.15.2
+- CVE-2025-54389 aide: improper output neutralization enables bypassing
+  resolves: RHEL-109907
+
+* Tue Jan 25 2022 Radovan Sroka <rsroka@redhat.com> - 0.16.15
+- backported fix for CVE-2021-45417
+  resolves: rhbz#2041957
+
+* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> = 0.16.14
+- strict require for libgcrypt
+  resolves: rhbz#1852407
+
+* Tue May 19 2020 Attila Lakatos <alakatos@redhat.com> - 0.16-13
+- RHEL 8.3
+- minor edit of aide.conf to make it consistent
+  resolves: rhbz#1740754
+
+* Mon Apr 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.16-12
+- RHEL 8.3
+- minor edit of aide.conf
+  resolves: rhbz#1740754
+- do not generate false warnings when report_ignore_e2fsattrs is specified in aide.conf
+  resolves: rhbz#1806323
+
+* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-11
+- rebuild
+- minor edit of aide.conf
+
+* Tue Jul 23 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-10
+- respin
+- minor edit of aide.conf
+
+* Tue Jul 23 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-9
+- Null pointer dereference fix spotted by coverity
+  resolves: rhbz#1676487
+- aide.conf needs updates for RHEL 8
+  resolves: rhbz#1708015
+
 * Tue Oct 09 2018 Radovan Sroka <rsroka@redhat.com> - 0.16-8
 - fixed wrong line wrapping of messages in the syslog format
   resolves: rhbz#1628153
@@ -300,4 +348,3 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 
 * Sun Sep 07 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.1.20030902
 - Initial package version.
-