diff --git a/audit.spec b/audit.spec index 0309a325b7347ceaa7625979aa1138d00138470c..4c78e318eec27ab1de19aabc8a7594d63c9ace8f 100644 --- a/audit.spec +++ b/audit.spec @@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing Name: audit Epoch: 1 Version: 3.1.2 -Release: 9 +Release: 10 License: GPLv2+ and LGPLv2+ URL: https://people.redhat.com/sgrubb/audit/ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz @@ -47,6 +47,16 @@ Patch35: backport-Correct-output-when-displaying-rules-with-exe-path-d.patch Patch36: backport-ausearch-format-Fix-display-of-renamed-file-411.patch Patch37: backport-Fix-a-maybe-uninitialized-warning.patch Patch38: backport-ausearch-parse-fix-parsing-for-success-uid-in-parse_.patch +Patch39: backport-Check-return-of-audit_strsplit.patch +Patch40: backport-Fix-audisp-remote-segfault-on-connection-error-446.patch +Patch41: backport-Fix-fuzzer-induced-parsing.patch +Patch42: backport-Fixup-leaks-in-testing-with-ASAN.patch +Patch43: backport-cllist_append-append-improvement.patch +Patch44: backport-Terminate-a-couple-strncpy.patch +Patch45: backport-Release-queue-mutexes-during-teardown.patch +Patch46: backport-Modify-ausearch-checkpoint-code-to-address-audit-use.patch +Patch47: backport-Update-_get_hostname-436.patch +Patch48: backport-If-we-are-checkpointing-decide-if-we-output-this-eve.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel @@ -388,6 +398,9 @@ fi %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Tue Aug 12 2025 Linux_zhang - 1:3.1.2-10 +- backport patches from upstream + * Thu May 15 2025 xuraoqing - 1:3.1.2-9 - copy audit.h do not needed, while swig compile error with flex array has been fixed diff --git a/backport-Check-return-of-audit_strsplit.patch b/backport-Check-return-of-audit_strsplit.patch new file mode 100644 index 0000000000000000000000000000000000000000..1dfe3b9e5c682f79741c2734a1c06c220730819e --- /dev/null 
+++ b/backport-Check-return-of-audit_strsplit.patch
@@ -0,0 +1,26 @@
+From 0b27bb4d4c309bbef88945ee7b62722f9e54458f Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Mon, 17 Mar 2025 08:27:28 -0400
+Subject: [PATCH] Check return of audit_strsplit
+
+This fixes Issue #440
+---
+ src/ausearch-lol.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 9d5110e8..c8644970 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -191,6 +191,8 @@ static int extract_timestamp(const char *b, event *e)
+ if (*ptr == 'n') {
+ tnode = ptr+5;
+ ptr = audit_strsplit(NULL);
++ if (ptr == NULL)
++ return 0;
+ } else
+ tnode = NULL;
+
+-- 
+2.43.0
+
diff --git a/backport-Fix-audisp-remote-segfault-on-connection-error-446.patch b/backport-Fix-audisp-remote-segfault-on-connection-error-446.patch
new file mode 100644
index 0000000000000000000000000000000000000000..121ed72e909cef237b83afe6dac6034beccd9fcf
--- /dev/null
+++ b/backport-Fix-audisp-remote-segfault-on-connection-error-446.patch
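Review bot: The node branch in extract_timestamp is still entered on `*ptr == 'n'` alone, and `tnode = ptr+5` is computed before anything confirms the token is at least five bytes long, so the added NULL check covers a missing second token but not a short or malformed first one. If tnode is later read as a string (its use is outside this hunk), a corrupted record could leave it pointing past the token's terminator; testing the full prefix, `if (strncmp(ptr, "node=", 5) == 0) {`, would close that. A comment above the new return, such as `/* node field present but nothing after it: record is unparsable */`, would also help, because the meaning of returning 0 is not visible here. The function body starts and ends outside the hunk.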
@@ -0,0 +1,83 @@
+From 5163b6d1edc086be6845e3ed6a60d297541330ef Mon Sep 17 00:00:00 2001
+From: Tobias Deiminger
+Date: Fri, 11 Apr 2025 17:46:50 +0200
+Subject: [PATCH] Fix audisp-remote segfault on connection error (#446)
+
+audisp-remote.c:stop_sock lacked NULL pointer checks if build
+configuration is with --enable-gssapi-krb5=yes.
+
+If auditd is started with audisp-remote plugin active and
+transport=KRB5, the audisp-remote child crashes on connection errors
+with segfault in krb5_cc_close due to NULL pointer dereference. This
+will happen immediately at startup if the remote server is not
+available, or later if an already established connection breaks.
+
+It may have been exploited as follows: auditd supervises the
+audisp-remote child. If it sees repeated crashes, it'll report
+"audisp-remote has exceeded max_restarts" (depends on config). When this
+state is reached, auditd stops retrying and remote forwarding remains
+broken even if the remote server becomes available again. In other
+words, temporarily disturbing the network connection sufficed to
+permanently break auditd forwarding.
+
+To fix it, check pointers in stop_sock before passing them on.
+
+Co-authored-by: Tobias Deiminger
+---
+ audisp/plugins/remote/audisp-remote.c | 40 ++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
+index c7a947ef..9b2e15b0 100644
+--- a/audisp/plugins/remote/audisp-remote.c
++++ b/audisp/plugins/remote/audisp-remote.c
+@@ -1060,19 +1060,33 @@ static int stop_sock(void)
+ if (sock >= 0) {
+ #ifdef USE_GSSAPI
+ if (USE_GSS) {
+- OM_uint32 minor_status;
+- gss_delete_sec_context(&minor_status, &my_context,
+- GSS_C_NO_BUFFER);
+- my_context = GSS_C_NO_CONTEXT;
+- krb5_cc_close(kcontext, ccache);
+- ccache = NULL;
+- krb5_kt_close(kcontext, keytab);
+- keytab = NULL;
+- krb5_free_principal(kcontext, audit_princ);
+- krb5_free_default_realm(kcontext, realm_name);
+- realm_name = NULL;
+- krb5_free_context(kcontext);
+- kcontext = NULL;
++ if (my_context != GSS_C_NO_CONTEXT) {
++ OM_uint32 minor_status;
++ gss_delete_sec_context(&minor_status, &my_context,
++ GSS_C_NO_BUFFER);
++ my_context = GSS_C_NO_CONTEXT;
++ }
++
++ if (kcontext != NULL) {
++ if (ccache != NULL) {
++ krb5_cc_close(kcontext, ccache);
++ ccache = NULL;
++ }
++ if (keytab != NULL) {
++ krb5_kt_close(kcontext, keytab);
++ keytab = NULL;
++ }
++ if (audit_princ != NULL) {
++ krb5_free_principal(kcontext, audit_princ);
++ audit_princ = NULL;
++ }
++ if (realm_name != NULL) {
++ krb5_free_default_realm(kcontext, realm_name);
++ realm_name = NULL;
++ }
++ krb5_free_context(kcontext);
++ kcontext = NULL;
++ }
+ }
+ #endif
+ shutdown(sock, SHUT_RDWR);
+-- 
+2.43.0
+
diff --git a/backport-Fix-fuzzer-induced-parsing.patch b/backport-Fix-fuzzer-induced-parsing.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2da50c1401345f0826274015429c32c51ee2b9b1
--- /dev/null
+++ b/backport-Fix-fuzzer-induced-parsing.patch
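Review bot: The Kerberos and GSS teardown in stop_sock is still nested under `if (sock >= 0)`, so it runs only when a socket exists; if any setup path can leave `kcontext`, `ccache` or `keytab` populated while `sock` is negative (not visible here), those objects are never released and stale pointers carry over to the next connection attempt. With the new NULL guards the `USE_GSS` block could safely move outside the socket check, or the ordering assumption should be confirmed against the connect path. The result of `gss_delete_sec_context` is also discarded; logging a failure there would make repeated teardown problems visible before the plugin reaches its restart limit. A comment such as `/* setup can fail part-way: release only what was acquired */` above the guards would record why each pointer is tested. stop_sock continues past the end of the hunk.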
@@ -0,0 +1,42 @@
+From f5d0a16f1d18a4df6d44aaa7cbd962f3c8f8b13d Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sun, 13 Apr 2025 17:44:00 -0400
+Subject: [PATCH] Fix fuzzer induced parsing
+
+There are 2 places where severely corrupted logs could make
+ausearch/report access out of bounds string memeory. Check the
+length before using them. See issue #448.
+---
+ src/ausearch-parse.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 68e2b29e..e4724bf9 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -676,7 +676,9 @@ static int parse_dir(const lnode *n, search_items *s)
+ char *str, *term;
+
+ if (event_filename) {
+- // dont do this search unless needed
++ // dont do this search unless needed
++ if (strlen(n->message) < 34)
++ return 0;
+ str = strstr(n->message+NAME_OFFSET, " cwd=");
+ if (str) {
+ str += 5;
+@@ -808,8 +810,10 @@ static int parse_path(const lnode *n, search_items *s)
+ // anything before that. Its only time and type.
+ char *str, *term = n->message+NAME_OFFSET;
+
++ // dont do this search unless needed
++ if (strlen(n->message) < 35)
++ return 0;
+ if (event_filename) {
+- // dont do this search unless needed
+ str = strstr(term, " name=");
+ if (str) {
+ int rc;
+-- 
+2.43.0
+
diff --git a/backport-Fixup-leaks-in-testing-with-ASAN.patch b/backport-Fixup-leaks-in-testing-with-ASAN.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37d9eb8590c61e03df53ee2514f7ab266cf66c4e
--- /dev/null
+++ b/backport-Fixup-leaks-in-testing-with-ASAN.patch
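Review bot: The new length guards use the bare literals 34 and 35 while the reads they protect are written in terms of `NAME_OFFSET`, so the bound and the offset can drift apart if either is edited. Deriving the limit from the macro, for example `if (strlen(n->message) < NAME_OFFSET + sizeof(" cwd="))` (assuming that is where 34 comes from), keeps the two tied together. In parse_path, `term = n->message+NAME_OFFSET` is still evaluated in the declaration before the guard, which forms an out-of-range pointer for a short message even though it is not dereferenced; assigning `term` after the check avoids that. The parse_path guard was also hoisted out of `if (event_filename)`, so short records now return 0 regardless of that flag, and the moved comment `// dont do this search unless needed` no longer describes the line beneath it.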
@@ -0,0 +1,26 @@
+From 44679d4507829825fa9f0fcf146f44c01107fa1e Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sun, 15 Jun 2025 13:41:12 -0400
+Subject: [PATCH] Fixup leaks in testing with ASAN
+
+---
+ src/auditd-event.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index 74c4fbd..b2a4726 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -243,6 +243,9 @@ static void replace_event_msg(struct auditd_event *e, const char *buf)
+ if (buf) {
+ size_t len = strlen(buf);
+
++ if (e->reply.message != e->reply.msg.data)
++ free((void *)e->reply.message);
++
+ if (len < MAX_AUDIT_MESSAGE_LENGTH - 1)
+ e->reply.message = strdup(buf);
+ else {
+-- 
+2.43.0
+
diff --git a/backport-If-we-are-checkpointing-decide-if-we-output-this-eve.patch b/backport-If-we-are-checkpointing-decide-if-we-output-this-eve.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d25291530e18fd8cbaa88a804b954d1a26e4b4af
--- /dev/null
+++ b/backport-If-we-are-checkpointing-decide-if-we-output-this-eve.patch
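Review bot: The added `free((void *)e->reply.message)` in replace_event_msg treats every value of `reply.message` other than `reply.msg.data` as heap memory owned by this event, but nothing in the hunk shows that invariant holding for all callers. If the field can ever hold an uninitialised pointer, a pointer into another buffer, or a pointer shared with a second event, this becomes an invalid or double free inside the daemon; a comment stating the rule, `/* reply.message is either msg.data or a strdup()'d copy owned by e */`, would make the assumption checkable. The pointer also stays dangling until one of the branches below reassigns it, and `strdup(buf)` on the following line is not checked for NULL. The function continues outside the hunk.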
@@ -0,0 +1,52 @@
+From cf637c93b6586a43e6b8f3ca5bad9b3e99f9ca4b Mon Sep 17 00:00:00 2001
+From: Attila Lakatos
+Date: Fri, 11 Apr 2025 17:50:47 +0200
+Subject: [PATCH] If we are checkpointing, decide if we output this event. We
+ need to do it as (#447)
+
+early as here. The chkpt_input_levent event might not match the entries, so we
+need to ensure that we don't skip the event that is the checkpoint event. That
+is the marking point from which we start outputting events. Leaving that event
+out will produce empty results.
+---
+ src/ausearch.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/ausearch.c b/src/ausearch.c
+index 3bf95b5a..cf77ba14 100644
+--- a/src/ausearch.c
++++ b/src/ausearch.c
+@@ -464,6 +464,17 @@ static int process_log_fd(void)
+ if ((ret != 0)||(entries->cnt == 0))
+ break;
+
++ /*
++ * If we are checkpointing, decide if we output this event.
++ * We need to do it as early as here. The chkpt_input_levent event
++ * might not match the entries, so we need to ensure that we don't
++ * skip the event that is the checkpoint event. That is the marking point
++ * from which we start outputting events. Leaving that event out will produce
++ * empty results.
++ */
++ if (checkpt_filename)
++ do_output = chkpt_output_decision(&entries->e);
++
+ /*
+ * We flush all events on the last log file being processed.
+ * Thus incomplete events are 'carried forward' to be
+@@ -471,12 +482,6 @@ static int process_log_fd(void)
+ * in the next file we are about to process.
+ */
+ if (match(entries)) {
+- /*
+- * If we are checkpointing, decide if we output
+- * this event
+- */
+- if (checkpt_filename)
+- do_output = chkpt_output_decision(&entries->e);
+
+ if (do_output == 1) {
+ found = 1;
+-- 
+2.43.0
+
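Review bot: `chkpt_output_decision(&entries->e)` now runs for every completed event in process_log_fd, including ones that fail `match(entries)`, so `do_output` can change on events that are never printed. That is the intent stated in the new comment, but it relies on the decision function only ever switching output on at the checkpoint event; if it can also switch output off or return an error value (its body is not in this hunk), a non-matching event could now suppress later matching ones and leave gaps in an incremental export. A regression test that resumes from a checkpoint whose event does not match the search expression would pin the behaviour. The blank line left directly after `if (match(entries)) {` can be dropped.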
diff --git a/backport-Modify-ausearch-checkpoint-code-to-address-audit-use.patch b/backport-Modify-ausearch-checkpoint-code-to-address-audit-use.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d1ccd8d4eec7d21ec5130d63dd4b9f791a7264cc
--- /dev/null
+++ b/backport-Modify-ausearch-checkpoint-code-to-address-audit-use.patch
@@ -0,0 +1,54 @@
+From 9167f7d23018c0d43f22e4891d337200dbabf6a9 Mon Sep 17 00:00:00 2001
+From: burnalting
+Date: Sun, 13 Oct 2024 05:32:11 +1100
+Subject: [PATCH] Modify ausearch checkpoint code to address audit-userspace
+ issue 404 (#405)
+
+---
+ src/ausearch-checkpt.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/ausearch-checkpt.c b/src/ausearch-checkpt.c
+index 85c66221..5e4dbff1 100644
+--- a/src/ausearch-checkpt.c
++++ b/src/ausearch-checkpt.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "ausearch-checkpt.h"
+
+ #define DBG 0 /* set to non-zero for debug */
+@@ -134,8 +135,8 @@ void save_ChkPt(const char *fn)
+ return;
+ }
+ // Write the inode in decimal to make ls -i easier to use.
+- fprintf(fd, "dev=0x%X\ninode=%u\n",
+- (unsigned int)checkpt_dev, (unsigned int)checkpt_ino);
++ fprintf(fd, "dev=0x%" PRIX64 "\ninode=%" PRIu64 "\n",
++ (uint64_t)checkpt_dev, (uint64_t)checkpt_ino);
+ fprintf(fd, "output=%s %lu.%03u:%lu 0x%X\n",
+ last_event.node ? last_event.node : "-",
+ (long unsigned int)last_event.sec, last_event.milli,
+@@ -218,7 +219,7 @@ int load_ChkPt(const char *fn)
+
+ if (strncmp(lbuf, "dev=", 4) == 0) {
+ errno = 0;
+- chkpt_input_dev = strtoul(&lbuf[4], NULL, 16);
++ chkpt_input_dev = (dev_t)strtoull(&lbuf[4], NULL, 16);
+ if (errno) {
+ fprintf(stderr, "Malformed dev checkpoint "
+ "line - [%s]\n", lbuf);
+@@ -227,7 +228,7 @@ int load_ChkPt(const char *fn)
+ }
+ } else if (strncmp(lbuf, "inode=", 6) == 0) {
+ errno = 0;
+- chkpt_input_ino = strtoul(&lbuf[6], NULL, 0);
++ chkpt_input_ino = (ino_t)strtoull(&lbuf[6], NULL, 0);
+ if (errno) {
+ fprintf(stderr, "Malformed inode checkpoint "
+ "line - [%s]\n", lbuf);
+-- 
+2.43.0
+
diff --git a/backport-Release-queue-mutexes-during-teardown.patch b/backport-Release-queue-mutexes-during-teardown.patch
new file mode 100644
index 0000000000000000000000000000000000000000..77e82fcc30b2ad1c01331cacc3f2ce0880d1b090
--- /dev/null
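Review bot: Both `strtoull` calls in load_ChkPt still pass NULL as the end pointer and rely on `errno` alone, so a `dev=` or `inode=` line that contains no digits parses as 0 without reaching the "Malformed" branch. Because the checkpoint file decides where ausearch resumes, a damaged or edited file should be rejected rather than silently accepted; capture the end pointer and test it, e.g. `char *end; chkpt_input_dev = (dev_t)strtoull(&lbuf[4], &end, 16);` followed by `if (errno || end == &lbuf[4]) {`, and likewise for the inode line. The casts to `dev_t` and `ino_t` also truncate without notice on a platform where those types are narrower than `unsigned long long`. Both functions extend beyond the hunks shown.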
+++ b/backport-Release-queue-mutexes-during-teardown.patch
@@ -0,0 +1,44 @@
+From bbac8f8bb4dd2fe43388c08c593edac1de712e74 Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Mon, 23 Jun 2025 12:38:15 +0200
+Subject: [PATCH] Release queue mutexes during teardown
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Destroy the queue mutex and condition variable in the zos‑remote cleanup
+and destroy the queue mutex in the main audisp queue destructor after
+freeing entries.
+
+---
+ audisp/plugins/zos-remote/zos-remote-queue.c | 2 ++
+ audisp/queue.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/audisp/plugins/zos-remote/zos-remote-queue.c b/audisp/plugins/zos-remote/zos-remote-queue.c
+index 67397f3..eb2c0da 100644
+--- a/audisp/plugins/zos-remote/zos-remote-queue.c
++++ b/audisp/plugins/zos-remote/zos-remote-queue.c
+@@ -152,5 +152,7 @@ void destroy_queue(void)
+ }
+
+ free(q);
++ pthread_mutex_destroy(&queue_lock);
++ pthread_cond_destroy(&queue_nonempty);
+ }
+
+diff --git a/audisp/queue.c b/audisp/queue.c
+index 183a5af..6bb31c3 100644
+--- a/audisp/queue.c
++++ b/audisp/queue.c
+@@ -270,6 +270,7 @@ void destroy_queue(void)
+ free((void *)q[i]);
+
+ free(q);
++ pthread_mutex_destroy(&queue_lock);
+ q_last = 0;
+ q_depth = 0;
+ processing_suspended = 1;
+-- 
+2.43.0
+
diff --git a/backport-Terminate-a-couple-strncpy.patch b/backport-Terminate-a-couple-strncpy.patch
new file mode 100644
index 0000000000000000000000000000000000000000..239c6f3f7fb91fced1f76e66aa627c2adfe6f3f1
--- /dev/null
+++ b/backport-Terminate-a-couple-strncpy.patch
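Review bot: `pthread_mutex_destroy(&queue_lock)` and `pthread_cond_destroy(&queue_nonempty)` are called in both destroy_queue functions without anything in the hunks showing that no other thread still holds the lock or waits on the condition, and destroying either object while it is in use is undefined behaviour. The call sites need to guarantee the consumer thread has been joined first; that ordering is not visible here. In audisp/queue.c the function goes on to reset `q_last`, `q_depth` and `processing_suspended`, which suggests the queue may be set up again later, so if `queue_lock` is statically initialised the init path must call `pthread_mutex_init` before reuse. Checking the result, e.g. `if (pthread_mutex_destroy(&queue_lock) != 0) { /* still in use */ }`, would surface an `EBUSY` teardown race instead of hiding it.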
@@ -0,0 +1,37 @@
+From 361f506ab0c626e3b14763372a35005dbb154731 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 19 Jun 2025 22:21:43 -0400
+Subject: [PATCH] Terminate a couple strncpy
+
+---
+ src/aureport.c | 1 +
+ src/ausearch.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/aureport.c b/src/aureport.c
+index 22618f02..e4560b50 100644
+--- a/src/aureport.c
++++ b/src/aureport.c
+@@ -172,6 +172,7 @@ static int process_logs(void)
+ clear_config (&config);
+
+ strncpy(dirname, user_file, MAXPATHLEN-32);
++ dirname[MAXPATHLEN-32] = '\0';
+ if (dirname[strlen(dirname)-1] != '/')
+ strcat(dirname, "/");
+ strcat (dirname, "audit.log");
+diff --git a/src/ausearch.c b/src/ausearch.c
+index cf77ba14..51e2dffa 100644
+--- a/src/ausearch.c
++++ b/src/ausearch.c
+@@ -244,6 +244,7 @@ static int process_logs(void)
+ clear_config (&config);
+
+ strncpy(dirname, user_file, MAXPATHLEN-32);
++ dirname[MAXPATHLEN-32] = '\0';
+ if (dirname[strlen(dirname)-1] != '/')
+ strcat(dirname, "/");
+ strcat (dirname, "audit.log");
+-- 
+2.43.0
+
diff --git a/backport-Update-_get_hostname-436.patch b/backport-Update-_get_hostname-436.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b3b7c9e16fae2caf34556ddc5bf9f66886d2549c
--- /dev/null
+++ b/backport-Update-_get_hostname-436.patch
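Review bot: The line right after the new terminator, `if (dirname[strlen(dirname)-1] != '/')`, reads outside the buffer when `user_file` is an empty string, because `strlen` returns 0 and the index underflows; the added terminator does not cover that case, and the same sequence appears in both process_logs hunks (src/aureport.c and src/ausearch.c). Guard the length first: `size_t len = strlen(dirname);` then `if (len > 0 && dirname[len-1] != '/')`. The write to `dirname[MAXPATHLEN-32]` is in bounds only if the array holds at least `MAXPATHLEN-31` bytes, which depends on a declaration outside the hunk. If `dirname` is an array in scope, one `snprintf(dirname, sizeof dirname, ...)` with a truncation check could replace the `strncpy`/`strcat` sequence.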
@@ -0,0 +1,28 @@
+From 63a274a1710fcc44af4139c0b17575cedc020fbe Mon Sep 17 00:00:00 2001
+From: Attila Lakatos
+Date: Wed, 26 Feb 2025 00:31:06 +0100
+Subject: [PATCH] Update _get_hostname (#436)
+
+Programs such as su may include "/dev/pts/X" instead of "pts/X,"
+causing a regression compared to previous versions.
+---
+ lib/audit_logging.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/audit_logging.c b/lib/audit_logging.c
+index 4da95b5e..f63c37d2 100644
+--- a/lib/audit_logging.c
++++ b/lib/audit_logging.c
+@@ -243,7 +243,8 @@ static const char *_get_hostname(const char *ttyn)
+ {
+ if (ttyn && ((strncmp(ttyn, "pts", 3) == 0) ||
+ (strncmp(ttyn, "tty", 3) == 0) ||
+- (strncmp(ttyn, "/dev/tty", 8) == 0) )) {
++ (strncmp(ttyn, "/dev/tty", 8) == 0) ||
++ (strncmp(ttyn, "/dev/pts", 8) == 0) )) {
+ if (_host[0] == 0) {
+ gethostname(_host, HOSTLEN);
+ _host[HOSTLEN - 1] = 0;
+-- 
+2.43.0
+
diff --git a/backport-cllist_append-append-improvement.patch b/backport-cllist_append-append-improvement.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d90a3769ed57f8c8c799ca704f1f253eee7fb609
--- /dev/null
+++ b/backport-cllist_append-append-improvement.patch
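Review bot: `gethostname(_host, HOSTLEN)` in _get_hostname is called without checking its return value, so on failure `_host` is used with whatever it holds after the forced terminator; this is existing context, but the new `/dev/pts` test routes more callers through it. Consider `if (gethostname(_host, HOSTLEN) != 0) _host[0] = 0;` together with whatever fallback the caller expects, which is outside the hunk. The four `strncmp` calls also carry hand-counted lengths and match bare prefixes, so any value that merely begins with `pts` is classified as a terminal; comparing against `"pts/"` and `"/dev/pts/"` would be stricter if every caller passes the slash form, which should be confirmed first.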
@@ -0,0 +1,62 @@
+From 1a483c71b09dc885ddfaa9518117e62b09bb0b04 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 19 Jun 2025 12:31:38 -0400
+Subject: [PATCH] cllist_append append improvement
+
+cllist_append() depends on cur always pointing to the tail; appending
+after list traversal may corrupt the list. A dedicated tail pointer
+would avoid misuse.
+
+---
+ auparse/normalize-llist.c | 7 +++++--
+ auparse/normalize-llist.h | 1 +
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/auparse/normalize-llist.c b/auparse/normalize-llist.c
+index 433c457..253c5e5 100644
+--- a/auparse/normalize-llist.c
++++ b/auparse/normalize-llist.c
+@@ -28,6 +28,7 @@ void cllist_create(cllist *l, void (*cleanup)(void *))
+ {
+ l->head = NULL;
+ l->cur = NULL;
++ l->tail = NULL;
+ l->cleanup = cleanup;
+ l->cnt = 0;
+ }
+@@ -50,6 +51,7 @@ void cllist_clear(cllist *l)
+ }
+ l->head = NULL;
+ l->cur = NULL;
++ l->tail = NULL;
+ l->cnt = 0;
+ }
+
+@@ -79,9 +81,10 @@ void cllist_append(cllist *l, uint32_t num, void *data)
+ if (l->head == NULL)
+ l->head = newnode;
+ else // Otherwise add pointer to newnode
+- l->cur->next = newnode;
++ l->tail->next = newnode;
+
+- // make newnode current
++ // update tail and make newnode current
++ l->tail = newnode;
+ l->cur = newnode;
+ l->cnt++;
+ }
+diff --git a/auparse/normalize-llist.h b/auparse/normalize-llist.h
+index 3f2e3fb..6e3a8d5 100644
+--- a/auparse/normalize-llist.h
++++ b/auparse/normalize-llist.h
+@@ -41,6 +41,7 @@ typedef struct _data_node {
+ typedef struct {
+ data_node *head; // List head
+ data_node *cur; // Pointer to current node
++ data_node *tail; // Pointer to last node
+ void (*cleanup)(void *); // Function to call when releasing memory
+ unsigned int cnt; // How many items in this list
+ } cllist;
+-- 
+2.43.0
+
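Review bot: cllist_append still chooses between the empty and non-empty case on `l->head == NULL` but now dereferences `l->tail` in the else branch, so a list whose head is set while tail is NULL or stale faults or corrupts memory at `l->tail->next = newnode`. cllist_create and cllist_clear both reset tail, but any other routine that inserts or unlinks nodes (none is visible in this patch) must maintain it as well, and that should be checked across the file. Testing the pointer that is actually used, `if (l->tail == NULL) l->head = newnode; else l->tail->next = newnode;`, keeps the check and the dereference consistent. Extending the header comment on `tail` to say that it is advanced only by cllist_append would document the invariant for future callers.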