Bug 29911 - aide new security issue CVE-2021-45417
Summary: aide new security issue CVE-2021-45417
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-20 19:29 CET by David Walser
Modified: 2024-03-31 05:29 CEST
CC: 9 users

See Also:
Source RPM: aide-0.16-7.mga9.src.rpm, mhash-0.9.9.9-16.mga9.src.rpm
CVE: CVE-2021-45417
Status comment:



Description David Walser 2022-01-20 19:29:49 CET
An advisory has been issued today (January 20):
https://www.openwall.com/lists/oss-security/2022/01/20/3

The issue is fixed upstream in 0.17.4.  There is also a patch.

Ubuntu has issued an advisory for this today (January 20):
https://ubuntu.com/security/notices/USN-5243-1

Mageia 8 is also affected.
David Walser 2022-01-20 19:30:00 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.17.4

Comment 1 Lewis Smith 2022-01-20 19:50:19 CET
No particular maintainer visible, so assigning this globally.
Our version looks very out of date anyway.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-01-21 19:29:02 CET
Debian has issued an advisory for this on January 20:
https://www.debian.org/security/2022/dsa-5051
Comment 3 Nicolas Salguero 2022-01-28 13:20:21 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45417
https://www.openwall.com/lists/oss-security/2022/01/20/3
https://ubuntu.com/security/notices/USN-5243-1
https://www.debian.org/security/2022/dsa-5051
========================

Updated package in core/updates_testing:
========================
aide-0.16-5.1.mga8

from SRPM:
aide-0.16-5.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Version: Cauldron => 8
CVE: (none) => CVE-2021-45417
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 0.17.4 => (none)

Comment 4 Herman Viaene 2022-01-29 14:41:31 CET
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
No wiki or previous updates, so tried to run some commands at CLI.
# aid<tab>
aide        aidecheck   aideinit    aideupdate  
[root@mach5 ~]# aide
84:Error in expression:sha1
Configuration error
[root@mach5 ~]# aideinit 
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
Generating GPG private key for aide@mach5.hviaene.thuis

This is done automatically, but you must provide a strong passphrase
to protect the key.

Passphrase: 
Re-enter passphrase: 
Generating GPG key... gpg: key A832ED93A6B1A12B marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/6503718582DE3F4F26A9F3DEA832ED93A6B1A12B.rev'
 success!

Initializing the AIDE database... this may take a minute or two.
86:Error in expression:sha1
Configuration error
gpg: can't open 'aide.db': File or folder does not exist
gpg: signing failed: File or folder does not exist
FATAL: Signature was not created!  Aborting.

Googled and found an old bug https://sourceforge.net/p/aide/bugs/90/

It says at the end:
According to the output of 'aide --version' AIDE is neither linked to mhash nor to gcrypt. One of both is required for sha1 checksum support. Therefore I close this bug report.
In trying to overcome this I did not find packages named as such, so I installed rhash and bcrypt to no avail. Missing dependency?

CC: (none) => herman.viaene

Comment 5 Dave Hodgins 2022-01-29 20:21:58 CET
Problem confirmed.
# aide --version
Aide 0.16
Compiled with the following options:
WITH_MMAP
WITH_PCRE
AIDE_SYSLOG_FACILITY=LOG_LOCAL1
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
CONFIG_FILE = "/etc/aide.conf"

The spec file has
BuildRequires:  mhash-devel
and
	    --with-mhash \
however mhash is not showing up in the --version output.
Should the requires be for libmhash-devel?

Also it seems to be defaulting to using sha1 which I would expect would require
having
 -- with_gcrypt
and
BuildRequires: libgcrypt-devel

Keywords: (none) => feedback
CC: (none) => davidwhodgins

Comment 6 Dave Hodgins 2022-01-29 20:30:24 CET
http://pkgsubmit.mageia.org/uploads/done/8/core/updates_testing/20220128121305.ns80.duvel.3018090/aide-0.16-5.1.mga8/build.x86_64.0.20220128121415.log
has a warning ...

checking for mhash_get_block_size in -lmhash... no
configure: WARNING: No mhash means no hmac.
Comment 7 Len Lawrence 2022-02-03 23:19:14 CET
Been overlapping with you guys.
Just ran the tutorial in the man pages for aideinit and aideupdate with
aide-0.16-5.mga8.

# aide --version
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
AIDE_SYSLOG_FACILITY=LOG_LOCAL1
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
CONFIG_FILE = "/etc/aide.conf"

Updated to the testing version.
Ran aideupdate and aidecheck.
# aide --version
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
AIDE_SYSLOG_FACILITY=LOG_LOCAL1
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
CONFIG_FILE = "/etc/aide.conf"

And yes, no MHASH.

CC: (none) => tarazed25

Comment 8 David Walser 2022-02-07 18:48:21 CET
RedHat has issued an advisory for this today (February 7):
https://access.redhat.com/errata/RHSA-2022:0441
Jean-Pierre Aubin 2022-03-12 06:10:07 CET

CC: (none) => jean-pierre

Comment 9 Nicolas Lécureuil 2022-03-17 21:41:55 CET
can we update to version 0.17.4 ?

CC: (none) => mageia

Comment 10 David Walser 2022-03-17 21:50:00 CET
It looks like the mhash version may be more of a problem than the aide version.  Cauldron should of course be updated if it hasn't been yet.
Comment 11 Jean-Pierre Aubin 2022-03-17 22:21:43 CET
I'm on it. I will be back ASAP
Comment 12 Jean-Pierre Aubin 2022-03-29 10:32:28 CEST
Found it. 
We have to build mhash with the option enable-static=yes.
I am (re)checking the whole process and the tool. If someone knows of a potential problem, don't hesitate.
Comment 13 David Walser 2022-03-29 14:32:18 CEST
We don't include static libraries in Mageia. Isn't there a way to link it dynamically, like normal?
Comment 14 Jean-Pierre Aubin 2022-03-29 14:40:46 CEST
Ok for the static libraries. I will find a way.
Thanks
Comment 15 Jean-Pierre Aubin 2022-03-29 16:50:52 CEST
So, aide uses static libraries for security reasons.
https://github.com/aide/aide/blob/master/README 

They know some distros want to avoid static libraries, so they will change this with the next release (0.18). The present version is 0.16 and the last version is 17.4.

I checked a way to patch the source code but it seems too much (for me at least). FYI, there are other static libraries deactivated by the last packager. I think he offered a basic but useful version of aide for this reason.

Three options for me:
- assign to a better packager (I'm a beginner).
- accept the static option for mhash.
- remove aide until the next release.
Comment 16 David Walser 2022-03-29 17:10:25 CEST
Maybe we should build it with gcrypt and update to 0.18 when available.
Comment 17 Jean-Pierre Aubin 2022-03-29 18:50:25 CEST
It's the same thing. gcrypt needs to be built static and gcrypt is required by lots of packages (mhash by just one). It seems better to rebuild mhash than gcrypt.
Comment 18 David Walser 2022-03-29 18:52:10 CEST
So is aide usable at all in its current state, or is it completely broken?
Comment 19 Jean-Pierre Aubin 2022-03-29 19:29:36 CEST
In the configure invocation from the spec file, we can activate different functionalities.

With mhash (or gcrypt) rebuilt static, we have, in my opinion, the basic tests for file modifications (integrity, timestamps, permissions). Without hash tests aide is useless for me.
Comment 20 David Walser 2022-03-29 19:40:09 CEST
If it can check other things, and nobody has complained about this until QA caught it, we should push this update and file a new bug for the hash issue.  Hopefully 0.18 will be available soon.

Keywords: feedback => (none)

Comment 21 Dave Hodgins 2022-03-29 19:56:45 CEST
My preference would be to go ahead and use a static lib, as an exception to
the rule against using them.

A comment should be included in the spec file reminding future packagers that
it should be switched back to dynamic, when aide supports it.

Dropping the package in a stable release is not an option. Pushing the update
as is, is pretty much useless as its main purpose is broken.

The options as I see it are to close this bug report as won't fix, or to go
with static libs.
Comment 22 Jean-Pierre Aubin 2022-03-29 20:05:48 CEST
Without mhash built static, aide is useless. No integrity for a security tool is nonsense.
So I prefer to fix 0.16 in static and wait for 0.18.
Comment 23 Jean-Pierre Aubin 2022-03-31 04:42:46 CEST
So, what do we do? Won't fix and wait for 0.18, or go to static libs?
Comment 24 Dave Hodgins 2022-03-31 05:16:53 CEST
Reassigning back to Nicolas until there's a working version.

Assignee: qa-bugs => nicolas.salguero

Comment 25 Nicolas Lécureuil 2022-03-31 21:55:54 CEST
OK. If I understand correctly we can't fix this bug for now as it would require using a static lib, which is against our policy.

We (Nicolas / Jean-Pierre) will update to version 0.18 as soon as it is released, plus an update for Mageia 8.


I would be in favor of keeping this bug report open for the time being.
Comment 26 Dave Hodgins 2022-03-31 22:22:32 CEST
I'm ok with making an exception to the policy, as long as it will not
be permanent. As per comment 21, a clear note should be added to the spec
file.

The purpose of the policy is to avoid causing problems, such as missing 
a security update to the lib.

When the policy prevents fixing a problem, it makes sense to make an exception.
All of the policies are meant to make things easier and work better, not
hamper fixing things. For example, we have exceptions for when version updates
are allowed.
Nicolas Salguero 2022-11-03 13:25:57 CET

Assignee: nicolas.salguero => pkg-bugs

Nicolas Lécureuil 2022-11-13 15:28:59 CET

Assignee: pkg-bugs => jean-pierre

Comment 27 Ricard Alfe 2023-06-25 19:06:03 CEST
Hello; I think they're talking about the Mageia 8 version. If so, I'll tell you that in Mageia 9 beta2 the package aide-0.16-7.mga9.x86_64.rpm gives the same error:


[root@localhost root]# aidecheck
AIDE integrity check for localhost beginning (Sun Jun 25 2023 19:01:49 CEST)

**** Error: AIDE database for localhost not found.
**** Run 'aideinit' to create the database file.
[root@localhost root]#
[root@localhost root]#
[root@localhost root]# aideinit
gpg: checking trust database
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: level: 0 validity: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trusted database check on: 2025-06-21
Initializing the AIDE database... this may take a minute or two.
86:Error in expression:sha1
Configuration error
gpg: cannot open 'aide.db': No such file or directory
gpg: signing failed: No such file or directory
FATAL: Signature was not created! aborting.


[root@localhost raiz]# aideupdate
The AIDE database does not exist, can't update!


[root@localhost raiz]# aidecheck
AIDE integrity check for localhost beginning (dom 25 jun 2023 19:05:24 CEST)

**** Error: AIDE database for localhost not found.
**** Run 'aideinit' to create the database file.



[root@localhost root]# aide
84:Error in expression:sha1
Configuration error

CC: (none) => ricardalfe

Comment 28 Nicolas Salguero 2024-03-15 09:21:42 CET
Version 0.18.6 (the latest one) dates from 2023-08-01.

Whiteboard: (none) => MGA9TOO
Version: 8 => Cauldron

Comment 29 Nicolas Salguero 2024-03-28 11:59:50 CET
Suggested advisory:
========================

The updated packages allow aide to run correctly, using the mhash library, and fix a security vulnerability:

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)

References:
https://www.openwall.com/lists/oss-security/2022/01/20/3
https://ubuntu.com/security/notices/USN-5243-1
https://www.debian.org/security/2022/dsa-5051
https://access.redhat.com/errata/RHSA-2022:0441
========================

Updated packages in core/updates_testing:
========================
aide-0.18.6-1.mga9
lib(64)mhash2-0.9.9.9-16.1.mga9
lib(64)mhash-devel-0.9.9.9-16.1.mga9

from SRPMS:
aide-0.18.6-1.mga9.src.rpm
mhash-0.9.9.9-16.1.mga9.src.rpm

Source RPM: aide-0.16-5.mga8.src.rpm => aide-0.16-7.mga9.src.rpm, mhash-0.9.9.9-16.mga9.src.rpm
Assignee: jean-pierre => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

katnatek 2024-03-28 18:51:46 CET

Keywords: (none) => advisory

Comment 30 Herman Viaene 2024-03-29 15:01:08 CET
MGA9-64 Plasma Wayland on HP Pavilion.
No installation issues.
Tried commands from Comment 4 again.
# aide
  ERROR: /etc/aide.conf:19: open (read-only) failed for file '/var/lib/aide/aide.db': No such file or directory (line: 'database_in=file:@@{DBDIR}/aide.db')
That's OK since aide hasn't been initialized yet.

# aideinit
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
Generating GPG private key for aide@mach4.hviaene.thuis

This is done automatically, but you must provide a strong passphrase
to protect the key.

Passphrase: 

Re-enter passphrase: 

Generating GPG key... gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/77F82D041815FD1D7E969D4160F775342C38537C.rev'
 success!

Initializing the AIDE database... this may take a minute or two.
Start timestamp: 2024-03-29 14:40:43 +0100 (AIDE 0.18.6)
AIDE successfully initialized database.
New AIDE database written to /var/lib/aide/aide.db

Number of entries:      67575

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
 MD5       : 550J1hz4laQEiEuO9Rt0qg==
 SHA1      : 3WwtB6hSkJ9P0ZtEfFIUtia3eZ0=
 SHA256    : gl47tSS1yGsPsovXWeuDf9VZFz2OoT89
             i+84d2bWGSs=
 SHA512    : rzwyjDEgFrbfw7j/n0o1DU9GOSS4OFMQ
             aEhed3ScoHAD426n2PPXx+7Z5Jw9vkPL
             Pb3I1VaYG2MDM2Fhi1P2yA==
 RMD160    : A/GSrDCzh1/LjBEPrny8tD6qRzA=
 TIGER     : j1D/zPmM2750DA2q8uOi0KGf5uqjcSO4
 CRC32     : b3gFtA==
 CRC32B    : EW1x+w==
 HAVAL     : J8BXlnyI+ZikwsudHGMuDKM3UujxUw9V
             vyXJE90jquo=
 WHIRLPOOL : t5k7SuLwAIh4UyEvMZoeN/sS7NO4vdHT
             eo4FB6zEYJVPF//DuV+LmMT4EVjI2XOU
             81MHruhxsoK2AirGwNW1mw==
 GOST      : QWj31AnKZ2lP7YoOlwvN813UbxkhtI+v
             WT5C5GJp4+k=


End timestamp: 2024-03-29 14:46:30 +0100 (run time: 5m 47s)
Database successfully signed.

# aide --version
AIDE 0.18.6

Compile-time options:
use pcre2: mandatory
use pthread: yes
use zlib compression: yes
use POSIX ACLs: no
use SELinux: no
use xattr: no
use POSIX 1003.1e capabilities: no
use e2fsattrs: no
use cURL: no
use Mhash: yes
use GNU crypto library: no
use Linux Auditing Framework: no
use locale: no
syslog ident: aide
syslog logopt: LOG_CONS
syslog priority: LOG_NOTICE
default syslog facility: LOG_LOCAL1

Default config values:
config file: /etc/aide.conf
database_in: file:/etc/aide.db
database_out: file:/etc/aide.db.new

Available compiled-in attributes:
acl: no
xattrs: no
selinux: no
e2fsattrs: no
caps: no

Available hashsum attributes:
md5: yes
sha1: yes
sha256: yes
sha512: yes
rmd160: yes
tiger: yes
crc32: yes
crc32b: yes
haval: yes
whirlpool: yes
gost: yes
stribog256: no
stribog512: no

Default compound groups:
R: l+p+u+g+s+c+m+i+n+md5+ftype
L: l+p+u+g+i+n+ftype
>: l+p+u+g+s+i+n+ftype+growing
H: md5+sha1+rmd160+tiger+crc32+haval+gost+crc32b+sha256+sha512+whirlpool
X: 

# aidecheck 
AIDE integrity check for mach4.hviaene.thuis beginning (Fri 29 Mar 2024 14:53:07 CET)

Verifying the GPG signature on the database...

gpg: assuming signed data in 'aide.db'
gpg: Signature made Fri 29 Mar 2024 14:46:30 CET
gpg:                using DSA key 77F82D041815FD1D7E969D4160F775342C38537C
gpg:                issuer "aide@mach4.hviaene.thuis"
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "AIDE (AIDE verification key) <aide@mach4.hviaene.thuis>" [ultimate]

Start timestamp: 2024-03-29 14:53:08 +0100 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      67576
  Added entries:                1
  Removed entries:              0
  Changed entries:              2

---------------------------------------------------
Added entries:
---------------------------------------------------

s++++++++++++: /root/.gnupg/S.scdaemon

---------------------------------------------------
Changed entries:
---------------------------------------------------

d   ...   .n : /proc
f > ...   ..H: /root/.gnupg/trustdb.gpg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /proc
 Linkcount : 305                              | 300

File: /root/.gnupg/trustdb.gpg
 Size      : 1240                             | 1280
 SHA1      : 2e90q2AvFDoO4OW9KW04rr6i3Pk=     | A61x06GlVXLsLrgMYKe9+9O55gA=
 SHA256    : crzwm3ktp6xRCauVk1HusSzn+n3qjSYY | Ojx3zVAaAQLYj5wQOFDZSgjyJYcUOWaI
             zp8ryyoMW7M=                     | ym6zwjWny8Q=
 SHA512    : PrWUfn8JPftAhkMnXl1mJAW0gW0nworj | 8T5wwEbM3bqJz+e8r8HidTt7vX5Z35px
             f0WnKtMFHMTqhzQSS3lhnP+r/dRid966 | w2LoWAU5sHUjLJe5LbaDSAtoBI0IdHV1
             uuCyC3ASJc9F1H05Qxlucw==         | sbamYG7N4rqeuc195misWQ==
 RMD160    : BOomxb5tJmZE7q5vJxiX/jQFHJY=     | kbbfRcX+FjSKvpg+5PQEHArc0Ws=


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
 MD5       : 550J1hz4laQEiEuO9Rt0qg==
 SHA1      : 3WwtB6hSkJ9P0ZtEfFIUtia3eZ0=
 SHA256    : gl47tSS1yGsPsovXWeuDf9VZFz2OoT89
             i+84d2bWGSs=
 SHA512    : rzwyjDEgFrbfw7j/n0o1DU9GOSS4OFMQ
             aEhed3ScoHAD426n2PPXx+7Z5Jw9vkPL
             Pb3I1VaYG2MDM2Fhi1P2yA==
 RMD160    : A/GSrDCzh1/LjBEPrny8tD6qRzA=
 TIGER     : j1D/zPmM2750DA2q8uOi0KGf5uqjcSO4
 CRC32     : b3gFtA==
 CRC32B    : EW1x+w==
 HAVAL     : J8BXlnyI+ZikwsudHGMuDKM3UujxUw9V
             vyXJE90jquo=
 WHIRLPOOL : t5k7SuLwAIh4UyEvMZoeN/sS7NO4vdHT
             eo4FB6zEYJVPF//DuV+LmMT4EVjI2XOU
             81MHruhxsoK2AirGwNW1mw==
 GOST      : QWj31AnKZ2lP7YoOlwvN813UbxkhtI+v
             WT5C5GJp4+k=


End timestamp: 2024-03-29 14:59:40 +0100 (run time: 6m 32s)

Demonstrates commands work OK.

Whiteboard: (none) => MGA9-64-OK
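
An added check, written for this page and not part of the bug report or the AIDE project, that turns the diagnosis in Comments 5 and 7 and the working build shown in Comment 30 into a script: it parses `aide --version` text for a linked checksum backend in either output format (the "WITH_MHASH" line of AIDE 0.16 and the "use Mhash: yes" / "use GNU crypto library: yes" lines of AIDE 0.18.6). The sample outputs are constructed from the ones quoted above; the live check at the end only runs when an aide binary is installed.

```shell
#!/bin/sh
# Added example (not from the bug report or the AIDE project): verify that an
# AIDE build is actually linked against a checksum library before trusting it.
# Recognised formats, as quoted in this bug:
#   AIDE 0.16   -> a "WITH_MHASH" or "WITH_GCRYPT" line
#   AIDE 0.18.x -> "use Mhash: yes" or "use GNU crypto library: yes"

# Returns 0 when the given `aide --version` text shows a linked hash backend.
aide_has_hash_backend() {
    printf '%s\n' "$1" |
        grep -Eq '^(WITH_MHASH|WITH_GCRYPT|use Mhash: yes|use GNU crypto library: yes)$'
}

# Prints a one-line verdict; the exit status mirrors aide_has_hash_backend.
aide_build_verdict() {
    if aide_has_hash_backend "$1"; then
        echo "OK: checksum backend linked, hashsum rules (sha1, sha256, ...) will work"
        return 0
    fi
    echo "FAIL: no mhash/gcrypt backend linked; expect 'Error in expression:sha1' and no integrity checks"
    return 1
}

# Constructed samples, modelled on the outputs quoted in Comments 5, 7 and 30.
BROKEN_016='Aide 0.16
Compiled with the following options:
WITH_MMAP
WITH_PCRE
WITH_ZLIB
CONFIG_FILE = "/etc/aide.conf"'

GOOD_016='Aide 0.16
Compiled with the following options:
WITH_MMAP
WITH_ZLIB
WITH_MHASH
CONFIG_FILE = "/etc/aide.conf"'

GOOD_018='AIDE 0.18.6

Compile-time options:
use pcre2: mandatory
use Mhash: yes
use GNU crypto library: no'

# Live check of the installed binary, if any (skipped when aide is absent).
if command -v aide >/dev/null 2>&1; then
    aide_build_verdict "$(aide --version 2>&1)"
fi
```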

Comment 31 Thomas Andrews 2024-03-29 16:14:28 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 32 Mageia Robot 2024-03-31 05:29:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0100.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

