Bug 236923 (CVE-2007-3849)

Summary: CVE-2007-3849 Rebase aide to 0.13.1
Product: [Other] Security Response Reporter: Steve Grubb <sgrubb>
Component: vulnerabilityAssignee: Karl Wirth <kwirth>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: high    
Version: unspecifiedCC: kreilly, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-25 09:07:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 252331, 252332    
Bug Blocks:    

Description Steve Grubb 2007-04-18 13:54:27 UTC 
Description of problem:
Several bugs have been fixed in recent version of aide (0.13.1) that we should
pull in to RHEL5. The upstream version of aide has all but 1 of our aide
patches, so rebasing would allow us to simplify things. 0.13.1 is overwhelmingly
the work that we did for xattr support. But there are a few bug fixes.

Version-Release number of selected component (if applicable):
aide-0.12-8.el5
Comment 1 RHEL Program Management 2007-04-25 20:09:36 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 8 Steve Conklin 2007-06-30 16:13:16 UTC 
More information from further investigation:

Renaming the database columns in the @@db_spec line of the db does allow 0.13.1
to correctly read the db file - BUT -

In 0.12, configure defined WITH_GCRYPT, but the code incorrectly tests
WITH_LIBGCRYPT. This prevents gcrypt from being used and defines a list of tests
to perform to be null. The result is that the following integrity tests are
silently ignored and not performed, even if they are present in the aide.conf file:

md5 (tested)
sha1 (inferred from code examination)
rmd160 (tested)
tiger (inferred)
sha256 (tested)
sha512 (inferred)

In 0.12, these tests appear as database columns, but the values are always 0,
and the attributes field for each file (which stores the tests performed for the
file) has the bits cleared for these tests, even though they were defined in
aide.conf. 0.13.1 correctly sets these bits when reading aide.conf, and tests
against the db created by 0.12 fail because the attributes do not match.

A simple patch can replicate this broken behavior even when aide correctly
includes libgcrypt, by setting #define HASH_USE_GCRYPT (0) in md.h.

By making this patch and renaming the db columns, 0.13.1 can continue to operate
with db files created by 0.12, but it pretty seriously broken that we silently
don't perform tests configured in aide.conf.
Comment 9 Steve Grubb 2007-07-31 17:40:34 UTC 
I think if the md5 sum or sha256 sum is not working at all, we have a security
problem. We should add a patch that detects this and tells the admin to
re-generate the database.

Note to security team, this is not an upstream bug, its a problem with RHEL5. We
should be able to releasea a fix whenever an async errata can be filed.
Comment 10 Josh Bressers 2007-08-02 18:54:04 UTC 
CVE-2007-3849 should be used to describe the issue of missing integrity tests.
Comment 18 Mark J. Cox 2007-09-04 14:01:38 UTC 
removing embargo, pushing
Comment 20 Red Hat Product Security 2008-07-25 09:07:41 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0539.html