Bug 236923 (CVE-2007-3849) - CVE-2007-3849 Rebase aide to 0.13.1
Summary: CVE-2007-3849 Rebase aide to 0.13.1
Alias: CVE-2007-3849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Karl Wirth
QA Contact: Ben Levenson
Depends On: 252331 252332
TreeView+ depends on / blocked
Reported: 2007-04-18 13:54 UTC by Steve Grubb
Modified: 2019-09-29 12:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-07-25 09:07:41 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0539 0 normal SHIPPED_LIVE Moderate: aide security update 2007-09-04 14:02:57 UTC

Description Steve Grubb 2007-04-18 13:54:27 UTC
Description of problem:
Several bugs have been fixed in recent version of aide (0.13.1) that we should
pull in to RHEL5. The upstream version of aide has all but 1 of our aide
patches, so rebasing would allow us to simplify things. 0.13.1 is overwhelmingly
the work that we did for xattr support. But there are a few bug fixes.

Version-Release number of selected component (if applicable):

Comment 1 RHEL Program Management 2007-04-25 20:09:36 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 8 Steve Conklin 2007-06-30 16:13:16 UTC
More information from further investigation:

Renaming the database columns in the @@db_spec line of the db does allow 0.13.1
to correctly read the db file - BUT -

In 0.12, configure defined WITH_GCRYPT, but the code incorrectly tests
WITH_LIBGCRYPT. This prevents gcrypt from being used and defines a list of tests
to perform to be null. The result is that the following integrity tests are
silently ignored and not performed, even if they are present in the aide.conf file:

md5 (tested)
sha1 (inferred from code examination)
rmd160 (tested)
tiger (inferred)
sha256 (tested)
sha512 (inferred)

In 0.12, these tests appear as database columns, but the values are always 0,
and the attributes field for each file (which stores the tests performed for the
file) has the bits cleared for these tests, even though they were defined in
aide.conf. 0.13.1 correctly sets these bits when reading aide.conf, and tests
against the db created by 0.12 fail because the attributes do not match.

A simple patch can replicate this broken behavior even when aide correctly
includes libgcrypt, by setting #define HASH_USE_GCRYPT (0) in md.h.

By making this patch and renaming the db columns, 0.13.1 can continue to operate
with db files created by 0.12, but it pretty seriously broken that we silently
don't perform tests configured in aide.conf.

Comment 9 Steve Grubb 2007-07-31 17:40:34 UTC
I think if the md5 sum or sha256 sum is not working at all, we have a security
problem. We should add a patch that detects this and tells the admin to
re-generate the database.

Note to security team, this is not an upstream bug, its a problem with RHEL5. We
should be able to releasea a fix whenever an async errata can be filed.

Comment 10 Josh Bressers 2007-08-02 18:54:04 UTC
CVE-2007-3849 should be used to describe the issue of missing integrity tests.

Comment 18 Mark J. Cox 2007-09-04 14:01:38 UTC
removing embargo, pushing

Comment 20 Red Hat Product Security 2008-07-25 09:07:41 UTC
This issue was addressed in:

Red Hat Enterprise Linux:

Note You need to log in before you can comment on or make changes to this bug.