Hello community, here is the log from the commit of package aide for openSUSE:Factory checked in at 2020-07-31 15:57:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aide (Old) and /work/SRC/openSUSE:Factory/.aide.new.3592 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aide" Fri Jul 31 15:57:13 2020 rev:31 rq:823667 version:0.16.2 Changes: -------- --- /work/SRC/openSUSE:Factory/aide/aide.changes 2019-07-12 12:00:01.136172276 +0200 +++ /work/SRC/openSUSE:Factory/.aide.new.3592/aide.changes 2020-07-31 16:07:28.408818026 +0200 @@ -1,0 +2,19 @@ +Thu Jul 30 20:13:39 UTC 2020 - Matthias Eliasson <[email protected]> + +- Update to 0.16.2 + Bug fixes: + * Fix handling of directory-restricted negative rules + * Don't lock '/dev/null' when used as output database + * Fix parsing of rules containing '?' quantifier + * Fix extended attributes support (xattrs) + * Fix processing of go files + Please note: + * The addition of the "trusted.*", "user.*" and the "security.*" + namespaces to the xattrs attribute might lead to a vast amount of + reported changed entries during your next AIDE run. You can use the + `report_ignore_changed_attrs` option (see aide.conf(5)) to ignore + changes of the xattrs attribute; but be aware that this will exclude + the expected but also the unexpected (potentially malicious) changes. +- Run spec-cleaner + +------------------------------------------------------------------- Old: ---- aide-0.16.1.tar.gz aide-0.16.1.tar.gz.asc New: ---- aide-0.16.2.tar.gz aide-0.16.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aide.spec ++++++ --- /var/tmp/diff_new_pack.hdWH2H/_old 2020-07-31 16:07:30.016819401 +0200 +++ /var/tmp/diff_new_pack.hdWH2H/_new 2020-07-31 16:07:30.020819405 +0200 @@ -1,7 +1,7 @@ # # spec file for package aide # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,11 +17,10 @@ Name: aide -Version: 0.16.1 +Version: 0.16.2 Release: 0 Summary: Advanced Intrusion Detection Environment License: GPL-2.0-or-later -Group: Productivity/Security URL: https://aide.github.io/ Source0: https://github.com/aide/aide/releases/download/v%{version}/aide-%{version}.tar.gz Source1: aide.conf @@ -48,7 +47,6 @@ %package test Summary: Simple AIDE testing -Group: Productivity/Security %description test Simple AIDE test script for externalized testing. @@ -75,7 +73,7 @@ --with-gcrypt \ --without-mhash # --enable-forced_configmd -make %{?_smp_mflags} +%make_build %install %make_install @@ -89,7 +87,7 @@ %check mkdir %{_localstatedir}/tmp/aide-test export TESTDIR=%{_localstatedir}/tmp/aide-test -make %{?_smp_mflags} DESTDIR=$TESTDIR install +%make_build DESTDIR=$TESTDIR install install -m 700 -d $TESTDIR%{_localstatedir}/lib/aide install -m 700 -d $TESTDIR%{_sysconfdir} install -m 600 %{SOURCE1} $TESTDIR%{_sysconfdir}/aide.conf.new ++++++ aide-0.16.1.tar.gz -> aide-0.16.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/ChangeLog new/aide-0.16.2/ChangeLog --- old/aide-0.16.1/ChangeLog 2019-02-24 21:05:43.000000000 +0100 +++ new/aide-0.16.2/ChangeLog 2019-05-19 21:16:49.000000000 +0200 @@ -1,3 +1,25 @@ +2019-05-19 Hannes von Haugwitz <[email protected]> + * Release version 0.16.2 + +2019-05-18 Hannes von Haugwitz <[email protected]> + + * Fix handling of directory-restricted negative rules (closes #24) + * Don't lock '/dev/null' when used as output database (closes #26) + * Fix parsing of rules containing '?' quantifier + +2019-04-29 Julien DUBOIS <[email protected]> + + * Fix extended attributes support (xattrs) + * README: fix typo + +2019-03-20 Hannes von Haugwitz <[email protected]> + + * Add 'autoreconf-clean' Makefile target + +2019-03-16 Lukáš Jirkovský <[email protected]> + + * Fix processing of go files + 2019-02-25 Hannes von Haugwitz <[email protected]> * Release version 0.16.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/Makefile.am new/aide-0.16.2/Makefile.am --- old/aide-0.16.1/Makefile.am 2018-05-31 07:22:59.000000000 +0200 +++ new/aide-0.16.2/Makefile.am 2019-05-19 21:16:43.000000000 +0200 @@ -79,3 +79,8 @@ src/db_lex.c: src/db_lex.l src/conf_yacc.h $(LEX) $(AM_LFLAGS) -o$@ -Pdb $< + +autoreconf-clean: maintainer-clean + -rm -f INSTALL Makefile.in aclocal.m4 compile config.guess \ + config.h.in config.h.in~ config.sub configure depcomp \ + install-sh missing version.m4 ylwrap diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/Makefile.in new/aide-0.16.2/Makefile.in --- old/aide-0.16.1/Makefile.in 2019-02-26 21:20:13.000000000 +0100 +++ new/aide-0.16.2/Makefile.in 2019-05-19 21:20:18.000000000 +0200 @@ -1164,6 +1164,11 @@ src/db_lex.c: src/db_lex.l src/conf_yacc.h $(LEX) $(AM_LFLAGS) -o$@ -Pdb $< +autoreconf-clean: maintainer-clean + -rm -f INSTALL Makefile.in aclocal.m4 compile config.guess \ + config.h.in config.h.in~ config.sub configure depcomp \ + install-sh missing version.m4 ylwrap + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/NEWS new/aide-0.16.2/NEWS --- old/aide-0.16.1/NEWS 2019-02-24 21:10:03.000000000 +0100 +++ new/aide-0.16.2/NEWS 2019-05-19 21:16:49.000000000 +0200 @@ -1,3 +1,18 @@ +Version 0.16.2 (2019-05-19) + * Bug fixes + - Fix handling of directory-restricted negative rules + - Don't lock '/dev/null' when used as output database + - Fix parsing of rules containing '?' quantifier + - Fix extended attributes support (xattrs) + - Fix processing of go files + * Please note: + - The addition of the "trusted.*", "user.*" and the "security.*" + namespaces to the xattrs attribute might lead to a vast amount of + reported changed entries during your next AIDE run. You can use the + `report_ignore_changed_attrs` option (see aide.conf(5)) to ignore + changes of the xattrs attribute; but be aware that this will exclude + the expected but also the unexpected (potentially malicious) changes. + Version 0.16.1 (2019-02-25) * Move to GitHub * Update documentation diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/README new/aide-0.16.2/README --- old/aide-0.16.1/README 2019-02-24 21:05:51.000000000 +0100 +++ new/aide-0.16.2/README 2019-05-19 21:16:49.000000000 +0200 @@ -1,7 +1,7 @@ AIDE - Advanced Intrusion Detection Environment ------------------------------------------------- - Version 0.16.1 + Version 0.16.2 This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without @@ -20,7 +20,7 @@ written to be a simple and free alternative to Tripwire. Features currently included in AIDE are as follows: - o File attributes monitored: perissions, inode, user, group + o File attributes monitored: permissions, inode, user, group file size, mtime, atime, ctime, links and growing size. o Checksums and hashes supported: SHA1, MD5, RMD160, and TIGER. CRC32, HAVAL and GOST if Mhash support is compiled in. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/configure new/aide-0.16.2/configure --- old/aide-0.16.1/configure 2019-02-26 21:20:12.000000000 +0100 +++ new/aide-0.16.2/configure 2019-05-19 21:20:16.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for aide 0.16.1. +# Generated by GNU Autoconf 2.69 for aide 0.16.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ # Identity of this package. PACKAGE_NAME='aide' PACKAGE_TARNAME='aide' -PACKAGE_VERSION='0.16.1' -PACKAGE_STRING='aide 0.16.1' +PACKAGE_VERSION='0.16.2' +PACKAGE_STRING='aide 0.16.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1340,7 +1340,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures aide 0.16.1 to adapt to many kinds of systems. +\`configure' configures aide 0.16.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1412,7 +1412,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of aide 0.16.1:";; + short | recursive ) echo "Configuration of aide 0.16.2:";; esac cat <<\_ACEOF @@ -1559,7 +1559,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -aide configure 0.16.1 +aide configure 0.16.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2161,7 +2161,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by aide $as_me 0.16.1, which was +It was created by aide $as_me 0.16.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3134,7 +3134,7 @@ # Define the identity of the package. PACKAGE='aide' - VERSION='0.16.1' + VERSION='0.16.2' cat >>confdefs.h <<_ACEOF @@ -3229,7 +3229,7 @@ cat >>confdefs.h <<_ACEOF -#define AIDEVERSION "0.16.1" +#define AIDEVERSION "0.16.2" _ACEOF @@ -8833,7 +8833,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by aide $as_me 0.16.1, which was +This file was extended by aide $as_me 0.16.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -8903,7 +8903,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -aide config.status 0.16.1 +aide config.status 0.16.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/doc/aide.1 new/aide-0.16.2/doc/aide.1 --- old/aide-0.16.1/doc/aide.1 2019-02-26 21:20:19.000000000 +0100 +++ new/aide-0.16.2/doc/aide.1 2019-05-19 21:20:24.000000000 +0200 @@ -1,4 +1,4 @@ -.TH AIDE 1 "Feb 25, 2019" "aide v0.16.1" "User Commands" +.TH AIDE 1 "May 19, 2019" "aide v0.16.2" "User Commands" .SH NAME \fBaide\fP \- Advanced Intrusion Detection Environment .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/doc/aide.1.in new/aide-0.16.2/doc/aide.1.in --- old/aide-0.16.1/doc/aide.1.in 2019-02-24 21:09:20.000000000 +0100 +++ new/aide-0.16.2/doc/aide.1.in 2019-05-19 21:16:49.000000000 +0200 @@ -1,4 +1,4 @@ -.TH AIDE 1 "Feb 25, 2019" "aide v0.16.1" "User Commands" +.TH AIDE 1 "May 19, 2019" "aide v0.16.2" "User Commands" .SH NAME \fBaide\fP \- Advanced Intrusion Detection Environment .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/doc/aide.conf.5 new/aide-0.16.2/doc/aide.conf.5 --- old/aide-0.16.1/doc/aide.conf.5 2019-02-26 21:20:19.000000000 +0100 +++ new/aide-0.16.2/doc/aide.conf.5 2019-05-19 21:20:24.000000000 +0200 @@ -1,4 +1,4 @@ -.TH AIDE.CONF 5 "Feb 25, 2019" "aide v0.16.1" "AIDE" +.TH AIDE.CONF 5 "May 19, 2019" "aide v0.16.2" "AIDE" .SH NAME aide.conf - The configuration file for Advanced Intrusion Detection Environment diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/doc/aide.conf.5.in new/aide-0.16.2/doc/aide.conf.5.in --- old/aide-0.16.1/doc/aide.conf.5.in 2019-02-25 23:38:44.000000000 +0100 +++ new/aide-0.16.2/doc/aide.conf.5.in 2019-05-19 21:16:49.000000000 +0200 @@ -1,4 +1,4 @@ -.TH AIDE.CONF 5 "Feb 25, 2019" "aide v0.16.1" "AIDE" +.TH AIDE.CONF 5 "May 19, 2019" "aide v0.16.2" "AIDE" .SH NAME aide.conf - The configuration file for Advanced Intrusion Detection Environment diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/doc/manual.html new/aide-0.16.2/doc/manual.html --- old/aide-0.16.1/doc/manual.html 2019-02-25 23:38:44.000000000 +0100 +++ new/aide-0.16.2/doc/manual.html 2019-05-19 21:16:49.000000000 +0200 @@ -2,7 +2,7 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";> <html xmlns="http://www.w3.org/1999/xhtml";> -<head><title>AIDE Manual Version 0.16.1</title> +<head><title>AIDE Manual Version 0.16.2</title> </head> <body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/src/be.c new/aide-0.16.2/src/be.c --- old/aide-0.16.1/src/be.c 2018-05-31 07:22:59.000000000 +0200 +++ new/aide-0.16.2/src/be.c 2019-05-19 21:16:49.000000000 +0200 @@ -1,6 +1,6 @@ /* aide, Advanced Intrusion Detection Environment * - * Copyright (C) 1999-2003,2005,2006,2010,2011,2013 Rami Lehti, Pablo + * Copyright (C) 1999-2003,2005,2006,2010,2011,2013,2019 Rami Lehti, Pablo * Virolainen, Richard van den Berg, Hannes von Haugwitz * $Header$ * @@ -148,6 +148,7 @@ } #if HAVE_FCNTL && HAVE_FTRUNCATE if(!inout) { + if (strncmp(u->value, "/dev/null", strlen("/dev/null"))) { fl.l_type = F_WRLCK; fl.l_whence = SEEK_SET; fl.l_start = 0; @@ -162,6 +163,7 @@ if(ftruncate(fd,0)==-1) error(0,_("Error truncating file %s"),u->value); + } } #endif #ifdef WITH_ZLIB diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/src/do_md.c new/aide-0.16.2/src/do_md.c --- old/aide-0.16.1/src/do_md.c 2019-01-16 19:58:28.000000000 +0100 +++ new/aide-0.16.2/src/do_md.c 2019-05-19 21:16:49.000000000 +0200 @@ -99,7 +99,7 @@ while (!bingo && (scn = elf_nextscn(elf, scn)) != NULL) { (void) gelf_getshdr(scn, &shdr); - if (shdr.sh_type != SHT_DYNAMIC) + if (shdr.sh_type != SHT_DYNAMIC || shdr.sh_entsize == 0) continue; while (!bingo && (data = elf_getdata (scn, data)) != NULL) { @@ -607,7 +607,8 @@ ssize_t aret = 0; if (strncmp(attr, "user.", strlen("user.")) && - strncmp(attr, "root.", strlen("root."))) + strncmp(attr, "security.", strlen("security.")) && + strncmp(attr, "trusted.", strlen("trusted."))) goto next_attr; /* only store normal xattrs, and SELinux */ while (((aret = getxattr(line->fullpath, attr, val, asz)) == diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/src/gen_list.c new/aide-0.16.2/src/gen_list.c --- old/aide-0.16.1/src/gen_list.c 2018-05-31 07:22:59.000000000 +0200 +++ new/aide-0.16.2/src/gen_list.c 2019-05-19 21:16:49.000000000 +0200 @@ -1,7 +1,7 @@ /* aide, Advanced Intrusion Detection Environment * - * Copyright (C) 1999-2006,2009-2012,2015,2016 Rami Lehti,Pablo Virolainen, - * Mike Markley, Richard van den Berg, Hannes von Haugwitz + * Copyright (C) 1999-2006,2009-2012,2015,2016,2019 Rami Lehti, + * Pablo Virolainen, Mike Markley, Richard van den Berg, Hannes von Haugwitz * $Header$ * * This program is free software; you can redistribute it and/or @@ -47,6 +47,11 @@ #define CLOCK_SKEW 5 +#define PARTIAL_RULE_MATCH (-1) +#define NO_RULE_MATCH (0) +#define RESTRICTED_RULE_MATCH (1) +#define RULE_MATCH (2) + #ifdef WITH_MHASH #include <mhash.h> #endif @@ -285,6 +290,7 @@ case '(': case '^': case '$': + case '?': case '*': case '[': i=strlen(p); @@ -573,7 +579,7 @@ static int check_list_for_match(list* rxrlist,char* text,DB_ATTR_TYPE* attr, RESTRICTION_TYPE file_type) { list* r=NULL; - int retval=1; + int retval=NO_RULE_MATCH; int pcre_retval; pcre_extra *pcre_extra = NULL; for(r=rxrlist;r;r=r->next){ @@ -582,15 +588,16 @@ error(231,"\"%s\" matches (pcre_exec return value: %i) rule from line #%ld: %s\n",text, pcre_retval, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx); if (!((rx_rule*)r->data)->restriction || file_type&((rx_rule*)r->data)->restriction) { *attr=((rx_rule*)r->data)->attr; + retval = ((rx_rule*)r->data)->restriction?RESTRICTED_RULE_MATCH:RULE_MATCH; error(231,"\"%s\" matches restriction (%u) for rule from line #%ld: %s\n",text, ((rx_rule*)r->data)->restriction, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx); - return 0; + break; } else { error(232,"\"%s\" doesn't match restriction (%u) for rule from line #%ld: %s\n",text, ((rx_rule*)r->data)->restriction, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx); - retval=-1; + retval=PARTIAL_RULE_MATCH; } } else if (pcre_retval == PCRE_ERROR_PARTIAL) { error(232,"\"%s\" PARTIAL matches (pcre_exec return value: %i) rule from line #%ld: %s\n",text, pcre_retval, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx); - retval=-1; + retval=PARTIAL_RULE_MATCH; } else { error(232,"\"%s\" doesn't match (pcre_exec return value: %i) rule from line #%ld: %s\n",text, pcre_retval,((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx); } @@ -632,12 +639,13 @@ retval|=16; switch (check_list_for_match(node->equ_rx_lst, text, attr, file_type)) { - case 0: { + case RESTRICTED_RULE_MATCH: + case RULE_MATCH: { error(220, "check_node_for_match: equal match for '%s'\n", text); retval|=2|4; break; } - case -1: { + case PARTIAL_RULE_MATCH: { if(S_ISDIR(perm) && get_seltree_node(node,text)==NULL) { error(220, "check_node_for_match: creating new seltree node for '%s'\n", text); new_seltree_node(node,text,0,NULL); @@ -653,12 +661,13 @@ /* If 4 and 8 are not set, we will check for matches */ if(!(retval&(4|8))){ switch (check_list_for_match(node->sel_rx_lst, text, attr, file_type)) { - case 0: { + case RESTRICTED_RULE_MATCH: + case RULE_MATCH: { error(220, "check_node_for_match: selective match for '%s'\n", text); retval|=1|8; break; } - case -1: { + case PARTIAL_RULE_MATCH: { if(S_ISDIR(perm) && get_seltree_node(node,text)==NULL) { error(220, "check_node_for_match: creating new seltree node for '%s'\n", text); new_seltree_node(node,text,0,NULL); @@ -675,10 +684,19 @@ /* Negative regexps are the strongest so they are checked last */ /* If this file is to be added */ if(retval){ - if(!check_list_for_match(node->neg_rx_lst, text, attr, file_type)){ - error(220, "check_node_for_match: negative match for '%s'\n", text); - retval=0; - } + switch (check_list_for_match(node->neg_rx_lst, text, attr, file_type)) { + case RESTRICTED_RULE_MATCH: { + if(S_ISDIR(perm) && get_seltree_node(node,text)==NULL) { + error(220, "check_node_for_match: creating new seltree node for '%s'\n", text); + new_seltree_node(node,text,0,NULL); + } + } + case RULE_MATCH: { + error(220, "check_node_for_match: negative match for '%s'\n", text); + retval=0; + break; + } + } } /* Now we discard the info whether a match was made or not * * and just return 0,1 or 2 */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aide-0.16.1/version.m4 new/aide-0.16.2/version.m4 --- old/aide-0.16.1/version.m4 2019-02-26 21:20:09.000000000 +0100 +++ new/aide-0.16.2/version.m4 2019-05-19 21:20:14.000000000 +0200 @@ -1 +1 @@ -m4_define([AIDE_VERSION], [0.16.1]) +m4_define([AIDE_VERSION], [0.16.2])
