Update 9.7

- ausearch: correct search for DAEMON related events
- allow hex digits when interpreting tty data
  Resolves: RHEL-82279
- Fix TTY hostname in log messages
  Resolves: RHEL-78323

afunix-memleak.patch

@@ -0,0 +1,12 @@
+diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
+index 578533f52..e2e7dc7ef 100644
+--- a/audisp/plugins/af_unix/audisp-af_unix.c
++++ b/audisp/plugins/af_unix/audisp-af_unix.c
+@@ -253,6 +253,7 @@ void read_audit_record(int ifd)
+ 					do {
+ 						rc = write(conn, str, str_len);
+ 					} while (rc < 0 && errno == EINTR);
++					free(str);
+ 				} else if (format == F_BINARY) {
+ 					struct iovec vec[2];
+ 

audit.spec

@@ -2,7 +2,7 @@
 Summary: User space tools for kernel auditing
 Name: audit
 Version: 3.1.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@@ -16,6 +16,10 @@ Patch5: disable-protectkernmelmodules.patch
 Patch6: remote-logging-ordering-cycle.patch
 Patch7: permtab-filter-unsupport.patch
 Patch8: auditctl-permtab.patch
+Patch9: interpret-tty-data.patch
+Patch10: tty-hostname.patch
+Patch11: ausearch-DAEMON_END.patch
+Patch12: afunix-memleak.patch
 
 BuildRequires: make gcc swig
 BuildRequires: openldap-devel
@@ -106,6 +110,10 @@ cp %{SOURCE1} .
 %patch -P 6 -p1
 %patch -P 7 -p1
 %patch -P 8 -p1
+%patch -P 9 -p1
+%patch -P 10 -p1
+%patch -P 11 -p1
+%patch -P 12 -p1
 
 autoreconf -fv --install
 
@@ -294,6 +302,13 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
 
 %changelog
+* Fri Mar 28 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-5
+- ausearch: correct search for DAEMON related events
+- allow hex digits when interpreting tty data
+  Resolves: RHEL-82279
+- Fix TTY hostname in log messages
+  Resolves: RHEL-78323
+
 * Tue Feb 11 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-4
 - auditctl: correct buffer in filter_supported_syscalls to avoid overflow
   Resolves: RHEL-59585

ausearch-DAEMON_END.patch

@@ -0,0 +1,15 @@
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 7d9731842..e77fbf129 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -1549,7 +1549,9 @@ static int parse_daemon1(const lnode *n, search_items *s)
+ 
+ 	// uid - optional
+ 	if (event_uid != -1) {
+-		ptr = term;
++		// As the uid= field may happen in different orders, e.g. both before
++		// and after pid=, let us search for the uid from the beginning.
++		term = mptr;
+ 		str = strstr(term, " uid=");
+ 		if (str) {
+ 			ptr = str + 5;

interpret-tty-data.patch

@@ -0,0 +1,13 @@
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index ad949c90f..5c182ae69 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -331,7 +331,7 @@ static void key_escape(const char *orig, char *dest, auparse_esc_t escape_mode)
+ static int is_hex_string(const char *str)
+ {
+ 	while (*str) {
+-		if (!isdigit((unsigned char)*str))
++		if (!isxdigit((unsigned char)*str))
+ 			return 0;
+ 		str++;
+ 	}

tty-hostname.patch

@@ -0,0 +1,14 @@
+diff --git a/lib/audit_logging.c b/lib/audit_logging.c
+index f89a13bb0..70205b332 100644
+--- a/lib/audit_logging.c
++++ b/lib/audit_logging.c
+@@ -243,7 +243,8 @@ static const char *_get_hostname(const char *ttyn)
+ {
+ 	if (ttyn && ((strncmp(ttyn, "pts", 3) == 0) ||
+ 		(strncmp(ttyn, "tty", 3) == 0) ||
+-		(strncmp(ttyn, "/dev/tty", 8) == 0) )) {
++		(strncmp(ttyn, "/dev/tty", 8) == 0) ||
++		(strncmp(ttyn, "/dev/pts", 8) == 0) )) {
+ 		if (_host[0] == 0) {
+ 			gethostname(_host, HOSTLEN);
+ 			_host[HOSTLEN - 1] = 0;