An advisory has been issued today (January 20): https://www.openwall.com/lists/oss-security/2022/01/20/3 The issue is fixed upstream in 0.17.4. There is also a patch. Ubuntu has issued an advisory for this today (January 20): https://ubuntu.com/security/notices/USN-5243-1 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.17.4
No particular maintainer visible, so assigning this globally. Our version looks very out of date anyway.
Assignee: bugsquad => pkg-bugs
Debian has issued an advisory for this on January 20: https://www.debian.org/security/2022/dsa-5051
Suggested advisory:
========================

The updated package fixes a security vulnerability:

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45417
https://www.openwall.com/lists/oss-security/2022/01/20/3
https://ubuntu.com/security/notices/USN-5243-1
https://www.debian.org/security/2022/dsa-5051
========================

Updated package in core/updates_testing:
========================
aide-0.16-5.1.mga8

from SRPM:
aide-0.16-5.1.mga8.src.rpm
CC: (none) => nicolas.salguero
Version: Cauldron => 8
CVE: (none) => CVE-2021-45417
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 0.17.4 => (none)
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
No wiki or previous updates, so tried to run some commands at CLI.

# aid<tab>
aide aidecheck aideinit aideupdate
[root@mach5 ~]# aide
84:Error in expression:sha1
Configuration error
[root@mach5 ~]# aideinit
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
Generating GPG private key for aide@mach5.hviaene.thuis
This is done automatically, but you must provide a strong passphrase to protect the key.
Passphrase:
Re-enter passphrase:
Generating GPG key...
gpg: key A832ED93A6B1A12B marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/6503718582DE3F4F26A9F3DEA832ED93A6B1A12B.rev'
success!
Initializing the AIDE database... this may take a minute or two.
86:Error in expression:sha1
Configuration error
gpg: can't open 'aide.db': File or folder does not exist
gpg: signing failed: File or folder does not exist
FATAL: Signature was not created! Aborting.

Googled and found an old bug https://sourceforge.net/p/aide/bugs/90/
It says at the end:
According to the output of 'aide --version' AIDE is neither linked to mhash nor to gcrypt. One of both is required for sha1 checksum support. Therefore I close this bug report.
In trying to overcome this I do not find packages named as such, so I installed rhash and bcrypt to no avail.
Missing dependency ????
CC: (none) => herman.viaene
Problem confirmed.

# aide --version
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
AIDE_SYSLOG_FACILITY=LOG_LOCAL1
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
CONFIG_FILE = "/etc/aide.conf"

The spec file has BuildRequires: mhash-devel and --with-mhash \ however mhash is not showing up in the --version output.
Should the requires be for libmhash-devel?
Also it seems to be defaulting to using sha1 which I would expect would require having --with_gcrypt and BuildRequires: libgcrypt-devel
Keywords: (none) => feedback
CC: (none) => davidwhodgins
http://pkgsubmit.mageia.org/uploads/done/8/core/updates_testing/20220128121305.ns80.duvel.3018090/aide-0.16-5.1.mga8/build.x86_64.0.20220128121415.log has a warning ...

checking for mhash_get_block_size in -lmhash... no
configure: WARNING: No mhash means no hmac.
Been overlapping with you guys.
Just ran the tutorial in the man pages for aideinit and aideupdate with aide-0.16-5.mga8.

# aide --version
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
AIDE_SYSLOG_FACILITY=LOG_LOCAL1
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
CONFIG_FILE = "/etc/aide.conf"

Updated to the testing version. Ran aideupdate and aidecheck.

# aide --version
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
AIDE_SYSLOG_FACILITY=LOG_LOCAL1
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
CONFIG_FILE = "/etc/aide.conf"

And yes, no MHASH.
CC: (none) => tarazed25
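A pre-flight check for the failure traced in the comments above, added here as an example and not part of the bug report or of the aide project: it reads `aide --version` output in both layouts quoted in this thread (0.16 build flags such as WITH_MHASH, 0.18.6 per-algorithm "sha1: yes/no" lines) and reports which requested checksum algorithms the binary cannot compute. The sample outputs are constructed from those quoted here; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or the aide project): pre-flight check
# that the installed aide binary can compute the checksums the config asks for,
# so "Error in expression:sha1 / Configuration error" is caught before aideinit.
# Handles both `aide --version` layouts quoted in this report: 0.16 prints build
# flags such as WITH_MHASH; 0.18 prints "sha1: yes" / "sha1: no" per algorithm.
# aide_hash_supported ALGO VERSION_OUTPUT -> exit status 0 if ALGO is usable.
aide_hash_supported() {
  algo=$1
  out=$2
  # 0.18 style: an explicit per-algorithm line settles it.
  if printf '%s\n' "$out" | grep -qiE "^[[:space:]]*${algo}: yes"; then return 0; fi
  if printf '%s\n' "$out" | grep -qiE "^[[:space:]]*${algo}: no"; then return 1; fi
  # 0.16 style lists no algorithms; assume (coarsely) every algorithm works
  # once a hash backend (mhash or gcrypt) is compiled in, and none otherwise.
  printf '%s\n' "$out" | grep -qE 'WITH_(MHASH|GCRYPT)'
}

# aide_missing_hashes VERSION_OUTPUT ALGO... -> prints the ALGOs not supported.
aide_missing_hashes() {
  out=$1
  shift
  missing=""
  for h in "$@"; do
    aide_hash_supported "$h" "$out" || missing="$missing $h"
  done
  printf '%s\n' "${missing# }"
}

# Constructed samples modelled on the outputs quoted in this report.
AIDE_016_NO_MHASH='Aide 0.16
Compiled with the following options:
WITH_MMAP
WITH_ZLIB
CONFIG_FILE = "/etc/aide.conf"'
AIDE_016_MHASH="$AIDE_016_NO_MHASH
WITH_MHASH"
AIDE_0186='AIDE 0.18.6
Compile-time options:
 use Mhash: yes
Available hashsum attributes:
 md5: yes
 sha1: yes
 sha256: yes
 stribog256: no'

# On a real host, check the installed binary for the hashes in the R and H groups.
if command -v aide >/dev/null 2>&1; then
  aide_missing_hashes "$(aide --version 2>/dev/null)" md5 sha1 sha256 sha512
fi
```

An empty result means every requested algorithm is available; a build like the mga8 one above, with no WITH_MHASH line, reports all of them missing.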
RedHat has issued an advisory for this today (February 7): https://access.redhat.com/errata/RHSA-2022:0441
CC: (none) => jean-pierre
Can we update to version 0.17.4?
CC: (none) => mageia
It looks like the mhash version may be more of a problem than the aide version. Cauldron should of course be updated if it hasn't been yet.
I'm on it. I will be back ASAP
Found it. We have to build mhash with the option enable-static=yes. I am (re)checking the whole process and the tool. If someone knows a potential problem, don't hesitate.
We don't include static libraries in Mageia. Isn't there a way to link it dynamically, like normal?
Ok for the static libraries. I will find a way. Thanks
So, aide uses static libraries for security reasons. https://github.com/aide/aide/blob/master/README They know some distros want to avoid static libraries so they will change with the next release (0.18). The present version is 0.16 and the last version is 17.4. I checked a way to patch source code but it seems too much (for me at least). FYI, there are other static libraries deactivated by the last packager. I think he offers a basic but useful version of aide for this reason. 3 options for me:
- assign to a better packager (I'm an initiate).
- accept static option for mhash.
- remove aide until the next release.
Maybe we should build it with gcrypt and update to 0.18 when available.
It's the same thing. gcrypt needs to be built in static and gcrypt is required by lots of packages (mhash just 1). Seems better to rebuild mhash than gcrypt.
So is aide usable at all in its current state, or is it completely broken?
In the configure launch from the spec file, we can activate different functionalities. With mhash (or gcrypt) rebuilt in static, we have, in my opinion, the basic tests for file modifications (integrity, timestamps, permissions). Without hash tests aide is useless for me.
If it can check other things, and nobody has complained about this until QA caught it, we should push this update and file a new bug for the hash issue. Hopefully 0.18 will be available soon.
Keywords: feedback => (none)
My preference would be to go ahead and use a static lib, as an exception to the rule against using them. A comment should be included in the spec file reminding future packagers that it should be switched back to dynamic, when aide supports it. Dropping the package in a stable release is not an option. Pushing the update as is is pretty much useless as its main purpose is broken. The options as I see it are to close this bug report as won't fix, or to go with static libs.
Without mhash in static, aide is useless. No integrity for security tool is nonsense. So I prefer to fix 0.16 in static and wait for 0.18.
So, what do we do? Won't fix and wait for the 0.18 or go to static libs?
Reassigning back to Nicolas until there's a working version.
Assignee: qa-bugs => nicolas.salguero
OK. If I understand correctly we can't fix this bug for now as it would require using a static lib which is against our policy. We (Nicolas / Jean-Pierre) will update to version 0.18 as soon as released + update to Mageia 8. I would be in favor of keeping this bug report open for the time being.
I'm ok with making an exception to the policy, as long as it will not be permanent. As per comment 21, a clear note should be added to the spec file. The purpose of the policy is to avoid causing problems, such as missing a security update to the lib. When the policy prevents fixing a problem, it makes sense to make an exception. All of the policies are meant to make things easier and work better, not hamper fixing things. For example, we have exceptions for when version updates are allowed.
Assignee: nicolas.salguero => pkg-bugs
Assignee: pkg-bugs => jean-pierre
Hello; I think they're talking about the Mageia 8 version, if so I'll tell you that in Mageia 9 beta2 package aide-0.16-7.mga9.x86_64.rpm gives the same error

[root@localhost root]# aidecheck
AIDE integrity check for localhost beginning (Sun Jun 25 2023 19:01:49 CEST)
**** Error: AIDE database for localhost not found.
**** Run 'aideinit' to create the database file.
[root@localhost root]# aideinit
gpg: checking trust database
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: level: 0 validity: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trusted database check on: 2025-06-21
Initializing the AIDE database... this may take a minute or two.
86:Error in expression:sha1
Configuration error
gpg: cannot open 'aide.db': No such file or directory
gpg: signing failed: No such file or directory
FATAL: Signature was not created! aborting.
[root@localhost raiz]# aideupdate
The AIDE database does not exist, can't update!
[root@localhost raiz]# aidecheck
AIDE integrity check for localhost beginning (dom 25 jun 2023 19:05:24 CEST)
**** Error: AIDE database for localhost not found.
**** Run 'aideinit' to create the database file.
[root@localhost root]# aide
84:Error in expression:sha1
Configuration error
CC: (none) => ricardalfe
Version 0.18.6 (the latest one) dates from 2023-08-01.
Whiteboard: (none) => MGA9TOO
Version: 8 => Cauldron
Suggested advisory:
========================

The updated packages allow aide to run correctly, using the mhash library, and fix a security vulnerability:

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)

References:
https://www.openwall.com/lists/oss-security/2022/01/20/3
https://ubuntu.com/security/notices/USN-5243-1
https://www.debian.org/security/2022/dsa-5051
https://access.redhat.com/errata/RHSA-2022:0441
========================

Updated packages in core/updates_testing:
========================
aide-0.18.6-1.mga9
lib(64)mhash2-0.9.9.9-16.1.mga9
lib(64)mhash-devel-0.9.9.9-16.1.mga9

from SRPMS:
aide-0.18.6-1.mga9.src.rpm
mhash-0.9.9.9-16.1.mga9.src.rpm
Source RPM: aide-0.16-5.mga8.src.rpm => aide-0.16-7.mga9.src.rpm, mhash-0.9.9.9-16.mga9.src.rpm
Assignee: jean-pierre => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavillion.
No installation issues.
Tried commands from Comment 4 again.

# aide
ERROR: /etc/aide.conf:19: open (read-only) failed for file '/var/lib/aide/aide.db': No such file or directory (line: 'database_in=file:@@{DBDIR}/aide.db')

That's OK since aide hasn't been initialized yet.

# aideinit
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
Generating GPG private key for aide@mach4.hviaene.thuis
This is done automatically, but you must provide a strong passphrase to protect the key.
Passphrase:
Re-enter passphrase:
Generating GPG key...
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/77F82D041815FD1D7E969D4160F775342C38537C.rev'
success!
Initializing the AIDE database... this may take a minute or two.
Start timestamp: 2024-03-29 14:40:43 +0100 (AIDE 0.18.6)
AIDE successfully initialized database.
New AIDE database written to /var/lib/aide/aide.db

Number of entries: 67575

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
 MD5 : 550J1hz4laQEiEuO9Rt0qg==
 SHA1 : 3WwtB6hSkJ9P0ZtEfFIUtia3eZ0=
 SHA256 : gl47tSS1yGsPsovXWeuDf9VZFz2OoT89 i+84d2bWGSs=
 SHA512 : rzwyjDEgFrbfw7j/n0o1DU9GOSS4OFMQ aEhed3ScoHAD426n2PPXx+7Z5Jw9vkPL Pb3I1VaYG2MDM2Fhi1P2yA==
 RMD160 : A/GSrDCzh1/LjBEPrny8tD6qRzA=
 TIGER : j1D/zPmM2750DA2q8uOi0KGf5uqjcSO4
 CRC32 : b3gFtA==
 CRC32B : EW1x+w==
 HAVAL : J8BXlnyI+ZikwsudHGMuDKM3UujxUw9V vyXJE90jquo=
 WHIRLPOOL : t5k7SuLwAIh4UyEvMZoeN/sS7NO4vdHT eo4FB6zEYJVPF//DuV+LmMT4EVjI2XOU 81MHruhxsoK2AirGwNW1mw==
 GOST : QWj31AnKZ2lP7YoOlwvN813UbxkhtI+v WT5C5GJp4+k=

End timestamp: 2024-03-29 14:46:30 +0100 (run time: 5m 47s)
Database successfully signed.
# aide --version
AIDE 0.18.6

Compile-time options:
 use pcre2: mandatory
 use pthread: yes
 use zlib compression: yes
 use POSIX ACLs: no
 use SELinux: no
 use xattr: no
 use POSIX 1003.1e capabilities: no
 use e2fsattrs: no
 use cURL: no
 use Mhash: yes
 use GNU crypto library: no
 use Linux Auditing Framework: no
 use locale: no
 syslog ident: aide
 syslog logopt: LOG_CONS
 syslog priority: LOG_NOTICE
 default syslog facility: LOG_LOCAL1

Default config values:
 config file: /etc/aide.conf
 database_in: file:/etc/aide.db
 database_out: file:/etc/aide.db.new

Available compiled-in attributes:
 acl: no
 xattrs: no
 selinux: no
 e2fsattrs: no
 caps: no

Available hashsum attributes:
 md5: yes
 sha1: yes
 sha256: yes
 sha512: yes
 rmd160: yes
 tiger: yes
 crc32: yes
 crc32b: yes
 haval: yes
 whirlpool: yes
 gost: yes
 stribog256: no
 stribog512: no

Default compound groups:
 R: l+p+u+g+s+c+m+i+n+md5+ftype
 L: l+p+u+g+i+n+ftype
 >: l+p+u+g+s+i+n+ftype+growing
 H: md5+sha1+rmd160+tiger+crc32+haval+gost+crc32b+sha256+sha512+whirlpool
 X:

# aidecheck
AIDE integrity check for mach4.hviaene.thuis beginning (Fri 29 Mar 2024 14:53:07 CET)
Verifying the GPG signature on the database...
gpg: assuming signed data in 'aide.db'
gpg: Signature made Fri 29 Mar 2024 14:46:30 CET
gpg: using DSA key 77F82D041815FD1D7E969D4160F775342C38537C
gpg: issuer "aide@mach4.hviaene.thuis"
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "AIDE (AIDE verification key) <aide@mach4.hviaene.thuis>" [ultimate]
Start timestamp: 2024-03-29 14:53:08 +0100 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!
Summary:
 Total number of entries: 67576
 Added entries: 1
 Removed entries: 0
 Changed entries: 2

---------------------------------------------------
Added entries:
---------------------------------------------------

s++++++++++++: /root/.gnupg/S.scdaemon

---------------------------------------------------
Changed entries:
---------------------------------------------------

d ... .n : /proc
f > ... ..H: /root/.gnupg/trustdb.gpg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /proc
 Linkcount : 305 | 300

File: /root/.gnupg/trustdb.gpg
 Size : 1240 | 1280
 SHA1 : 2e90q2AvFDoO4OW9KW04rr6i3Pk= | A61x06GlVXLsLrgMYKe9+9O55gA=
 SHA256 : crzwm3ktp6xRCauVk1HusSzn+n3qjSYY zp8ryyoMW7M= | Ojx3zVAaAQLYj5wQOFDZSgjyJYcUOWaI ym6zwjWny8Q=
 SHA512 : PrWUfn8JPftAhkMnXl1mJAW0gW0nworj f0WnKtMFHMTqhzQSS3lhnP+r/dRid966 uuCyC3ASJc9F1H05Qxlucw== | 8T5wwEbM3bqJz+e8r8HidTt7vX5Z35px w2LoWAU5sHUjLJe5LbaDSAtoBI0IdHV1 sbamYG7N4rqeuc195misWQ==
 RMD160 : BOomxb5tJmZE7q5vJxiX/jQFHJY= | kbbfRcX+FjSKvpg+5PQEHArc0Ws=

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
 MD5 : 550J1hz4laQEiEuO9Rt0qg==
 SHA1 : 3WwtB6hSkJ9P0ZtEfFIUtia3eZ0=
 SHA256 : gl47tSS1yGsPsovXWeuDf9VZFz2OoT89 i+84d2bWGSs=
 SHA512 : rzwyjDEgFrbfw7j/n0o1DU9GOSS4OFMQ aEhed3ScoHAD426n2PPXx+7Z5Jw9vkPL Pb3I1VaYG2MDM2Fhi1P2yA==
 RMD160 : A/GSrDCzh1/LjBEPrny8tD6qRzA=
 TIGER : j1D/zPmM2750DA2q8uOi0KGf5uqjcSO4
 CRC32 : b3gFtA==
 CRC32B : EW1x+w==
 HAVAL : J8BXlnyI+ZikwsudHGMuDKM3UujxUw9V vyXJE90jquo=
 WHIRLPOOL : t5k7SuLwAIh4UyEvMZoeN/sS7NO4vdHT eo4FB6zEYJVPF//DuV+LmMT4EVjI2XOU 81MHruhxsoK2AirGwNW1mw==
 GOST : QWj31AnKZ2lP7YoOlwvN813UbxkhtI+v WT5C5GJp4+k=

End timestamp: 2024-03-29 14:59:40 +0100 (run time: 6m 32s)

Demonstrates commands work OK.
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0100.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED