Package: samhain
Version: 2.8.3a-1+deb7u1

Hi,

The current samhain version 2.8.3a-1+deb7u1 used in Wheezy has a bug that was already fixed in samhain 3.1.0; in samhain-3.1.0/docs/Changelog we can see:

  Fix IgnoreAdded to anchor regex at beginning of path (reported by
        R.Lindner)

and in src/sh_ignore.c there is "^" added to all regexps like this:

+  len      = 2 + strlen(addpath);
+  reg_expr = SH_ALLOC(len);
+  sl_strlcpy(reg_expr,     "^", len);
+  sl_strlcat(reg_expr, addpath, len);

 #ifdef HAVE_REGEX_H
-  status = regcomp(&(new->preg), addpath, REG_NOSUB|REG_EXTENDED);
+  status = regcomp(&(new->preg), reg_expr, REG_NOSUB|REG_EXTENDED);
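Review bot: reg_expr is allocated with SH_ALLOC in the added lines, but nothing in the quoted excerpt releases it after regcomp(). regcomp() stores its compiled form in new->preg and does not need the pattern string afterwards, so the buffer can be released with the allocator's matching free right after the call, on both the success and the error path. The allocation also sits above the #ifdef HAVE_REGEX_H, so a build without regex.h would build a string it never uses; moving the four added lines inside the #ifdef avoids that. The length 2 + strlen(addpath) is right for "^" plus the path plus the terminator, and a short comment saying the "^" is there to anchor the match at the start of the path would help later readers.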

What's the problem? If you specify in /etc/samhain/samhainrc for example

IgnoreAdded =   /tmp/
IgnoreMissing = /tmp/

and expect samhain to apply it to /tmp/* stuff only, you'll be surprised that all adds/dels in other subdirs like

/root/tmp/
/var/lib/mysupersecretapp/tmp/

will be ignored also. Not good.

We think it's a real security issue, so please consider fixing this bug in Wheezy also.

Regards,
Pawel

IB Development Team
http://dev.ib.pl/

