Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-27606

aide fails with "Not enough parameters in db:15384. Trying to continue." unexpectedly

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Undefined Undefined
    • rhel-9.5
    • rhel-8.9.0
    • aide
    • None
    • aide-0.16-102.el9
    • None
    • Important
    • rhel-sst-security-special-projects
    • ssg_security
    • 16
    • None
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Red Hat Enterprise Linux
    • None
    • Release Note Not Required
    • All
    • None

      What were you trying to do that didn't work?

      A customer hits an issue while checking the database, it fails with following error:

      # aide -C
Not enough parameters in db:15384. Trying to continue.
Newline expected in database. Reading until end of line
Skipped value 0
db_char2line():Error while reading database

      The issue only happens when the database is compressed.

      Digging into this and thanks to having the customer's DB, I could find out that there is a bug in RHEL's release of aide when database is compressed: depending on the boundary of the compressed database file, it may happen that gzread() returns 0 due to EOF, which is then considered as a potential bug in zlib, causing aide code to populate the buf buffer with strlen(buf) instead of 0.
      Because buf is not cleared on input through writing a "\0" as first character, strlen(buf) returns 8192 even though we reached EOF of the gzipped data (lines 318-319):

       304   if((*db_gzp!=NULL)&&(*domd)){
 305     if(gzeof(*db_gzp)){
 306       retval=0;
 307       buf[0]='\0';
 308     }else {
 309       if((retval=gzread(*db_gzp,buf,max_size))<0){
 310         error(0,_("gzread() failed: gzerr=%s!\n"),gzerror(*db_gzp,&err));
 311         retval=0;
 312         buf[0]='\0';
 313       } else {
 314         /* gzread returns 0 even if uncompressed bytes were read*/
 315         error(240,"nread=%d,strlen(buf)=%lu,errno=%s,gzerr=%s\n",
 316               retval,(unsigned long)strnlen((char*)buf, max_size),
 317               strerror(errno),gzerror(*db_gzp,&err));
 318         if(retval==0){         <<<<<<<<< HERE we had retval==0
 319           retval=strnlen((char*)buf, max_size);       <<< HERE buf wasn't modified, hence strnlen returns 8192
 320         }
 321       }
 322     }
 323   }

      Upstream release was completely reworked, this bug only affects our release of aide.

      Patch:

      diff -up aide-0.16/src/commandconf.c.rhcase03736158 aide-0.16/src/commandconf.c
--- aide-0.16/src/commandconf.c.rhcase03736158	2024-03-01 11:06:35.305712992 +0100
+++ aide-0.16/src/commandconf.c	2024-03-01 11:08:07.726499878 +0100
@@ -306,6 +306,7 @@ int db_input_wrapper(char* buf, int max_
       retval=0;
       buf[0]='\0';
     }else {
+      buf[0]='\0';
       if((retval=gzread(*db_gzp,buf,max_size))<0){
 	error(0,_("gzread() failed: gzerr=%s!\n"),gzerror(*db_gzp,&err));
 	retval=0;

      Please provide the package NVR for which bug is seen:

      aide-0.16-14.el8_5.1.x86_64

      How reproducible:

      Always with customer's DB

              rsroka@redhat.com Radovan Sroka
              rhn-support-rmetrich Renaud MĂ©trich
              Radovan Sroka Radovan Sroka
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: