-
Bug
-
Resolution: Done-Errata
-
Undefined
-
rhel-8.9.0
-
None
-
aide-0.16-102.el9
-
None
-
Important
-
rhel-sst-security-special-projects
-
ssg_security
-
16
-
None
-
False
-
-
Yes
-
Red Hat Enterprise Linux
-
None
-
- test results PASS
- regression test PASS
-
Pass
-
Automated
-
Release Note Not Required
-
-
All
-
None
What were you trying to do that didn't work?
A customer hits an issue while checking the database, it fails with following error:
# aide -C Not enough parameters in db:15384. Trying to continue. Newline expected in database. Reading until end of line Skipped value 0 db_char2line():Error while reading database
The issue only happens when the database is compressed.
Digging into this and thanks to having the customer's DB, I could find out that there is a bug in RHEL's release of aide when database is compressed: depending on the boundary of the compressed database file, it may happen that gzread() returns 0 due to EOF, which is then considered as a potential bug in zlib, causing aide code to populate the buf buffer with strlen(buf) instead of 0.
Because buf is not cleared on input through writing a "\0" as first character, strlen(buf) returns 8192 even though we reached EOF of the gzipped data (lines 318-319):
304 if((*db_gzp!=NULL)&&(*domd)){ 305 if(gzeof(*db_gzp)){ 306 retval=0; 307 buf[0]='\0'; 308 }else { 309 if((retval=gzread(*db_gzp,buf,max_size))<0){ 310 error(0,_("gzread() failed: gzerr=%s!\n"),gzerror(*db_gzp,&err)); 311 retval=0; 312 buf[0]='\0'; 313 } else { 314 /* gzread returns 0 even if uncompressed bytes were read*/ 315 error(240,"nread=%d,strlen(buf)=%lu,errno=%s,gzerr=%s\n", 316 retval,(unsigned long)strnlen((char*)buf, max_size), 317 strerror(errno),gzerror(*db_gzp,&err)); 318 if(retval==0){ <<<<<<<<< HERE we had retval==0 319 retval=strnlen((char*)buf, max_size); <<< HERE buf wasn't modified, hence strnlen returns 8192 320 } 321 } 322 } 323 }
Upstream release was completely reworked, this bug only affects our release of aide.
Patch:
diff -up aide-0.16/src/commandconf.c.rhcase03736158 aide-0.16/src/commandconf.c --- aide-0.16/src/commandconf.c.rhcase03736158 2024-03-01 11:06:35.305712992 +0100 +++ aide-0.16/src/commandconf.c 2024-03-01 11:08:07.726499878 +0100 @@ -306,6 +306,7 @@ int db_input_wrapper(char* buf, int max_ retval=0; buf[0]='\0'; }else { + buf[0]='\0'; if((retval=gzread(*db_gzp,buf,max_size))<0){ error(0,_("gzread() failed: gzerr=%s!\n"),gzerror(*db_gzp,&err)); retval=0;
Please provide the package NVR for which bug is seen:
aide-0.16-14.el8_5.1.x86_64
How reproducible:
Always with customer's DB
- links to
-
RHBA-2024:132251
aide update
- mentioned on
[RHEL-27606] aide fails with "Not enough parameters in db:15384. Trying to continue." unexpectedly
GitLab CEE Bot
added a comment - Patrik Koncity mentioned this issue in merge request !3 of RHEL Security Special Projects / tests / aide on branch pk_database_loading:
RHEL-27606- regression test for database loading
GitLab CEE Bot
added a comment - Patrik Koncity mentioned this issue in merge request !3 of RHEL Security Special Projects / tests / aide on branch pk_database_loading : RHEL-27606 - regression test for database loading Thank you for the detailed analysis. Patch is valid. We may need customer's DB for the testing later dapospis@redhat.com nbubakov.
Since the problem described in this issue should be resolved in a recent advisory, it has been closed.
For information on the advisory (aide bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2024:9168