Bug 236923 - (CVE-2007-3849) CVE-2007-3849 Rebase aide to 0.13.1
CVE-2007-3849 Rebase aide to 0.13.1
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity medium
: ---
: ---
Assigned To: Karl Wirth
Ben Levenson
: Security
Depends On: 252331 252332
  Show dependency treegraph
Reported: 2007-04-18 09:54 EDT by Steve Grubb
Modified: 2008-07-25 05:07 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-25 05:07:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2007-04-18 09:54:27 EDT
Description of problem:
Several bugs have been fixed in recent version of aide (0.13.1) that we should
pull in to RHEL5. The upstream version of aide has all but 1 of our aide
patches, so rebasing would allow us to simplify things. 0.13.1 is overwhelmingly
the work that we did for xattr support. But there are a few bug fixes.

Version-Release number of selected component (if applicable):
Comment 1 RHEL Product and Program Management 2007-04-25 16:09:36 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 8 Steve Conklin 2007-06-30 12:13:16 EDT
More information from further investigation:

Renaming the database columns in the @@db_spec line of the db does allow 0.13.1
to correctly read the db file - BUT -

In 0.12, configure defined WITH_GCRYPT, but the code incorrectly tests
WITH_LIBGCRYPT. This prevents gcrypt from being used and defines a list of tests
to perform to be null. The result is that the following integrity tests are
silently ignored and not performed, even if they are present in the aide.conf file:

md5 (tested)
sha1 (inferred from code examination)
rmd160 (tested)
tiger (inferred)
sha256 (tested)
sha512 (inferred)

In 0.12, these tests appear as database columns, but the values are always 0,
and the attributes field for each file (which stores the tests performed for the
file) has the bits cleared for these tests, even though they were defined in
aide.conf. 0.13.1 correctly sets these bits when reading aide.conf, and tests
against the db created by 0.12 fail because the attributes do not match.

A simple patch can replicate this broken behavior even when aide correctly
includes libgcrypt, by setting #define HASH_USE_GCRYPT (0) in md.h.

By making this patch and renaming the db columns, 0.13.1 can continue to operate
with db files created by 0.12, but it pretty seriously broken that we silently
don't perform tests configured in aide.conf.

Comment 9 Steve Grubb 2007-07-31 13:40:34 EDT
I think if the md5 sum or sha256 sum is not working at all, we have a security
problem. We should add a patch that detects this and tells the admin to
re-generate the database.

Note to security team, this is not an upstream bug, its a problem with RHEL5. We
should be able to releasea a fix whenever an async errata can be filed.
Comment 10 Josh Bressers 2007-08-02 14:54:04 EDT
CVE-2007-3849 should be used to describe the issue of missing integrity tests.
Comment 18 Mark J. Cox (Product Security) 2007-09-04 10:01:38 EDT
removing embargo, pushing
Comment 20 Red Hat Product Security 2008-07-25 05:07:41 EDT
This issue was addressed in:

Red Hat Enterprise Linux:

Note You need to log in before you can comment on or make changes to this bug.