Red Hat Bugzilla – Bug 236923
CVE-2007-3849 Rebase aide to 0.13.1
Last modified: 2008-07-25 05:07:41 EDT
Description of problem:
Several bugs have been fixed in recent version of aide (0.13.1) that we should
pull in to RHEL5. The upstream version of aide has all but 1 of our aide
patches, so rebasing would allow us to simplify things. 0.13.1 is overwhelmingly
the work that we did for xattr support. But there are a few bug fixes.
Version-Release number of selected component (if applicable):
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
More information from further investigation:
Renaming the database columns in the @@db_spec line of the db does allow 0.13.1
to correctly read the db file - BUT -
In 0.12, configure defined WITH_GCRYPT, but the code incorrectly tests
WITH_LIBGCRYPT. This prevents gcrypt from being used and defines a list of tests
to perform to be null. The result is that the following integrity tests are
silently ignored and not performed, even if they are present in the aide.conf file:
sha1 (inferred from code examination)
In 0.12, these tests appear as database columns, but the values are always 0,
and the attributes field for each file (which stores the tests performed for the
file) has the bits cleared for these tests, even though they were defined in
aide.conf. 0.13.1 correctly sets these bits when reading aide.conf, and tests
against the db created by 0.12 fail because the attributes do not match.
A simple patch can replicate this broken behavior even when aide correctly
includes libgcrypt, by setting #define HASH_USE_GCRYPT (0) in md.h.
By making this patch and renaming the db columns, 0.13.1 can continue to operate
with db files created by 0.12, but it pretty seriously broken that we silently
don't perform tests configured in aide.conf.
I think if the md5 sum or sha256 sum is not working at all, we have a security
problem. We should add a patch that detects this and tells the admin to
re-generate the database.
Note to security team, this is not an upstream bug, its a problem with RHEL5. We
should be able to releasea a fix whenever an async errata can be filed.
CVE-2007-3849 should be used to describe the issue of missing integrity tests.
removing embargo, pushing
This issue was addressed in:
Red Hat Enterprise Linux: