A minor security issue in the audit package has been fixed and assigned a CVE:
http://openwall.com/lists/oss-security/2015/08/13/9

It will be fixed in the next version (2.4.4) and the upstream commit that fixes it is linked in the message above.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
(In reply to David Walser from comment #0)
> A minor security issue in the audit package has been fixed and assigned a
> CVE:
> http://openwall.com/lists/oss-security/2015/08/13/9
>
> It will be fixed in the next version (2.4.4) and the upstream commit that
> fixes it is linked in the message above.
>
> Reproducible:
>
> Steps to Reproduce:

Hi,

can I just provide an upgraded package for the stable distros (to 2.4.4 which has already been released)? This will ease maintenance into the future.

Regards,

-- Shlomi Fish
(In reply to Shlomi Fish from comment #1)
> can I just provide an upgraded package for the stable distros (to 2.4.4
> which has already been released)? This will ease maintenance into the future.

For Mageia 5, you certainly can, as it's just a bugfix release over what we already have there, plus we need to update it for Mageia 5 anyway since tmb is getting ready to update the kernel.

For Mageia 4, it'd be preferable to patch if it's not too difficult to backport.
(In reply to David Walser from comment #2)
> (In reply to Shlomi Fish from comment #1)
> > can I just provide an upgraded package for the stable distros (to 2.4.4
> > which has already been released)? This will ease maintenance into the future.
>
> For Mageia 5, you certainly can, as it's just a bugfix release over what we
> already have there, plus we need to update it for Mageia 5 anyway since tmb
> is getting ready to update the kernel.
>
> For Mageia 4, it'd be preferable to patch if it's not too difficult to
> backport.

I see - I will try doing that.
Thanks Shlomi! I guess this is ready for QA.

Advisory:
========================

Updated audit packages fix security vulnerability:

When auditing the filesystem the names of files are logged. These filenames can contain escape sequences; when viewed using the ausearch program's "-i" option, for example, this can result in the escape sequences being processed unsafely by the terminal program being used to view the data (CVE-2015-5186).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5186
http://openwall.com/lists/oss-security/2015/08/13/9
========================

Updated packages in core/updates_testing:
========================
audit-2.3.2-2.5.mga4
libaudit1-2.3.2-2.5.mga4
libaudit-devel-2.3.2-2.5.mga4
libauparse0-2.3.2-2.5.mga4
libauparse-devel-2.3.2-2.5.mga4
python-audit-2.3.2-2.5.mga4
audispd-plugins-2.3.2-2.5.mga4
audit-2.4.4-1.mga5
libaudit1-2.4.4-1.mga5
libaudit-devel-2.4.4-1.mga5
libauparse0-2.4.4-1.mga5
libauparse-devel-2.4.4-1.mga5
python-audit-2.4.4-1.mga5
audispd-plugins-2.4.4-1.mga5

from SRPMS:
audit-2.3.2-2.5.mga4.src.rpm
audit-2.4.4-1.mga5.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
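The advisory above comes down to a log viewer writing attacker-chosen file name bytes to a terminal. The following is an added example, not code from this bug report or from the audit project: one way a viewer can decode a hex-encoded name field and render it so that the terminal only receives inert text. It assumes the name arrives hex-encoded, as audit records do for names containing control bytes; the function names and the sample value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a file name as it could appear hex-encoded in the
 * name= field of a PATH record. It decodes to 'a', ESC "[31m", 'b'. */
static const char SAMPLE_NAME_HEX[] = "611B5B33316D62";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode a hex-encoded name to raw bytes; returns length or -1 if malformed. */
int decode_hex_name(const char *hex, unsigned char *out, size_t outsz) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > outsz) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Render raw bytes for a terminal: printable ASCII is copied; control bytes,
 * backslash and bytes >= 0x7f become \ooo octal. Returns length or -1. */
int render_tty_safe(const unsigned char *raw, size_t len, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = raw[i];
        int plain = (c >= 0x20 && c < 0x7f && c != '\\');
        if (o + (plain ? 2 : 5) > outsz) return -1;   /* keep room for NUL */
        if (plain) out[o++] = (char)c;
        else o += (size_t)snprintf(out + o, outsz - o, "\\%03o", (unsigned)c);
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    unsigned char raw[64];
    char shown[256];
    int n = decode_hex_name(SAMPLE_NAME_HEX, raw, sizeof raw);
    if (n < 0 || render_tty_safe(raw, (size_t)n, shown, sizeof shown) < 0) return 1;
    return printf("name=%s\n", shown) < 0;
}
```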
Fedora has issued an advisory for this on August 14: https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164243.html
URL: (none) => http://lwn.net/Vulnerabilities/655000/
MGA5-64 on HP Probook 6555b KDE.
No installation issues.
auditd service is running.
I tried to test it by adding the line:
-w /home/tester5/test -k TEST
to both audit.rules files (in /etc/audit and /etc/audit/rules.d, not knowing which of the two applies), but I get no logging when creating/editing a file in the target map.
CC: (none) => herman.viaene
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
audit libaudit1

default install of audit & libaudit1

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.3.2-2.4.mga4.i586 is already installed

auditd is running in MCC -> Systems -> Manage systems services

Packages installed cleanly.

(In reply to Herman Viaene from comment #6)
> I tried to test it by adding the line:
> -w /home/tester5/test -k TEST
> to both audit.rules files (in /etc/audit and /etc/audit/rules.d, not knowing
> which of the two applies), but I get no logging when creating/editing a
> file in the target map.

Share more info here. Do I have to create something here:
-w /home/tester5/test -k TEST

> to both audit.rules files (in /etc/audit and /etc/audit/rules.d

I could not find either of these files in the test system

> which of the two applies), but I get no logging when creating/editing a
> file in the target map.

How do you demonstrate that it is logging and what is a "target map".
CC: (none) => wilcal.int
(In reply to Herman Viaene from comment #6)
> MGA5-64 on HP Probook 6555b KDE.
> No installation issues.
> auditd service is running.
> I tried to test it by adding the line:
> -w /home/tester5/test -k TEST
> to both audit.rules files (in /etc/audit and /etc/audit/rules.d, not knowing
> which of the two applies), but I get no logging when creating/editing a
> file in the target map.

Did you try either running "auditctl -R /etc/audit/audit.rules" or "systemctl restart auditd.service" after adding that line?
(In reply to David Walser from comment #8)
> Did you try either running "auditctl -R /etc/audit/audit.rules" or
> "systemctl restart auditd.service" after adding that line?

Did the restart in MCC. Will fire up the test computer again later today. Just trying to find something simple to prove this is installed and working.

Thanks David.
To answer all questions above:
No, I did not run "systemctl restart auditd.service", well I tried it but this does not work. Instead I rebooted the PC completely.
I found info to test on
http://www.golinuxhub.com/2013/05/using-audit-in-linux-to-track-system.html
Running "auditctl -R /etc/audit/audit.rules" now gives at the end:
Error sending add rule data request (Invalid argument)
There was an error in line 14 of /etc/audit/audit.rules
That is the line I added. I checked the man page, but I don't see the problem.
(In reply to Herman Viaene from comment #10)
> To answer all questions above:
> No, I did not run "systemctl restart auditd.service", well I tried it but
> this does not work. Instead I rebooted the PC completely.
> I found info to test on
> http://www.golinuxhub.com/2013/05/using-audit-in-linux-to-track-system.html
> Running "auditctl -R /etc/audit/audit.rules" now gives at the end:
> Error sending add rule data request (Invalid argument)
> There was an error in line 14 of /etc/audit/audit.rules
> That is the line I added. I checked the man page, but I don't see the
> problem.

It looks like the "permission" part is missing. Try:
-w /home/tester5/test -p w -k TEST

or:
-w /home/tester5/test -p a -k TEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
audit libaudit1 libauparse0 python-audit

default install of audit libaudit1 libauparse0 & python-audit

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.3.2-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libauparse0
Package libauparse0-2.3.2-2.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.3.2-2.4.mga4.i586 is already installed

packages install without error

install audit libaudit1 libauparse0 & python-audit from updates_testing

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.3.2-2.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libauparse0
Package libauparse0-2.3.2-2.5.mga4.i586 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.3.2-2.5.mga4.i586 is already installed

packages update without error
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
audit lib64audit1 lib64auparse0 python-audit

default install of audit lib64audit1 lib64auparse0 & python-audit

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64audit1
Package lib64audit1-2.3.2-2.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64auparse0
Package lib64auparse0-2.3.2-2.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.3.2-2.4.mga4.x86_64 is already installed

packages install without error

install audit lib64audit1 lib64auparse0 & python-audit from updates_testing

[root@localhost wilcal]# urpmi audit
Package audit-2.3.2-2.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64audit1
Package lib64audit1-2.3.2-2.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64auparse0
Package lib64auparse0-2.3.2-2.5.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.3.2-2.5.mga4.x86_64 is already installed

packages update without error
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
audit libaudit1 libauparse0 python-audit

default install of audit libaudit1 libauparse0 & python-audit

[root@localhost wilcal]# urpmi audit
Package audit-2.4.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.4.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libauparse0
Package libauparse0-2.4.1-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.4.1-1.mga5.i586 is already installed

packages install without error

install audit libaudit1 libauparse0 & python-audit from updates_testing

[root@localhost wilcal]# urpmi audit
Package audit-2.4.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libaudit1
Package libaudit1-2.4.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libauparse0
Package libauparse0-2.4.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.4.4-1.mga5.i586 is already installed

packages update without error
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
audit lib64audit1 lib64auparse0 python-audit

default install of audit lib64audit1 lib64auparse0 & python-audit

[root@localhost wilcal]# urpmi audit
Package audit-2.4.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64audit1
Package lib64audit1-2.4.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64auparse0
Package lib64auparse0-2.4.1-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.4.1-1.mga5.x86_64 is already installed

packages install without error

install audit lib64audit1 lib64auparse0 & python-audit from updates_testing

[root@localhost wilcal]# urpmi audit
Package audit-2.4.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64audit1
Package lib64audit1-2.4.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64auparse0
Package lib64auparse0-2.4.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi python-audit
Package python-audit-2.4.4-1.mga5.x86_64 is already installed

packages update without error
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This update updates cleanly and works fine.

Testing complete for MGA4 & MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0333.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED