Accepting request 1328538 from security

- generate the /var/lib/aide directory via tmpfiles (jsc#PED-14791) (forwarded request 1328537 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/1328538
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/aide?expand=0&rev=46

aide-0.18-as-needed.patch

@@ -1,7 +1,8 @@
-diff -Ppru aide-0.18.8.orig/Makefile.am aide-0.18.8/Makefile.am
---- aide-0.18.8.orig/Makefile.am	2024-05-04 11:51:05.000000000 +0200
-+++ aide-0.18.8/Makefile.am	2024-08-11 16:07:45.957348909 +0200
-@@ -79,6 +79,7 @@ aide_CFLAGS = @AIDE_DEFS@ -W -Wall -g \
+Index: aide-0.19/Makefile.am
+===================================================================
+--- aide-0.19.orig/Makefile.am
++++ aide-0.19/Makefile.am
+@@ -81,6 +81,7 @@ aide_CFLAGS = @AIDE_DEFS@ -I$(top_srcdir
  			${XATTR_CFLAGS} \
  			${ZLIB_CFLAGS}
  aide_LDADD = -lm \

aide-0.18.8.tar.gz.asc

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEEVJXNoXyawXqyOEGnGO6GOGAi71cFAmY8qT4ACgkQGO6GOGAi
-71dnCAwAtWYqzAvLVt9nipeECShdXxXuFRR6Wi1A7bcioSHR28oKR4TxJQn4a/OT
-9wo8VeDa5Sy1Y3n328XZfqlpGM8wkoMYefNhJMH+af1Y2pGBjHaGQnisdv556EOe
-C3Bi2Zczn4hXDYt1o8ZK9QImPRLNTuCMot96aDIkMPSxHpSfu/tBpa1ovps23BX1
-/YLSkyyUrApa9YAiVrmb90MuiGUIk5MTnUoJ7b2svzAvPr4nw9VJBtV44aupZe2l
-YISzvbz+EQby4D4qShenVodCZyqhXalT5ubGFh9fKQQcQBvqKT3Wmx1Lt0WMUxV6
-/tf6dDcbz3UU+D8uNlCOdMKuncxTKWN1F3C4pksOpHTGTgktSnBgmDtUDWMgvPWu
-ijbYe8LBoYsrZzPu0/eI4g1idlv5ajjiJv+kKIY7r+GQ+84fXSgTzbbvfRZZ8mOL
-cqEi9qQf/HhCc3QIVRw4MiIsxYl9YxdAszzzb3zuEvjLG5QkHNwrPx3N4Vh7V16K
-M5aixKG1
-=VV+4
------END PGP SIGNATURE-----

aide-0.19.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23762b05f46111edeb3c8a05016c8731c01bdb8c1f91be48c156c31ab85e74c4
+size 393120

aide-0.19.2.tar.gz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEEVJXNoXyawXqyOEGnGO6GOGAi71cFAmict6oACgkQGO6GOGAi
+71e/Awv/cP4/UJSVJlaUjRLoeRIayqFxAxZeku1OK1cNuGo5aRp47WsxZFpGkkMc
+eNhrtOpukD0CohFdsBFabd2KweaaY67pbCSTXxQBjhEMtYLb+Z5b441cJChJQgeL
+q2P09mCGmOoJ4li7VxF2Kjy4uTj4C64SoXFnkYgMzfgBQBC0wD3HBisN8tRG9M4w
+4kQa8ZvsO5hFEiFuVhBfLwDKLaUXf5MDcst1Q9MeAGxwvQN5xaSivOwSoCqhVgSv
+cDBo1RmhYSf43vUuXTAgclC3WD1y6qm0Si/naVnwVvvN2ij4cGfnb89ixd6qGlKY
+HV4klaVQWRQwSyDlhbTcHVxvwnopW+5YZ5SeF3Yl7XohaL89hLEEDxFcLQkrslzV
+wR0B0lCtmbZfVhWsnZScNZvT9Cnco7p4FMkkYIHOEVad6kFH3RRXHH320kUD3aWl
+hAKXLvuEnYmE//prriUlnh7Q4rsyh9N6ZLgdZxrdPcVbNSAzRiMd8A4kh/H5oMY9
+rFqw9YnF
+=JV2j
+-----END PGP SIGNATURE-----

aide-systemd.patch

@@ -1,8 +1,8 @@
-Index: aide-0.18.3/doc/aide.1
+Index: aide-0.19/doc/aide.1
 ===================================================================
---- aide-0.18.3.orig/doc/aide.1
-+++ aide-0.18.3/doc/aide.1
-@@ -143,7 +143,7 @@ See \fB--version\fR output for the defau
+--- aide-0.19.orig/doc/aide.1
++++ aide-0.19/doc/aide.1
+@@ -171,7 +171,7 @@ See \fB--version\fR output for the defau
  default \fBdatabase_in\fR and \fBdatabase_out\fR config values.
  
  .SH SEE ALSO
@@ -11,11 +11,11 @@ Index: aide-0.18.3/doc/aide.1
  .SH BUGS
  There are probably bugs in this release. Please report them
  at https://github.com/aide/aide/issues .
-Index: aide-0.18.3/doc/aide.conf.5
+Index: aide-0.19/doc/aide.conf.5
 ===================================================================
---- aide-0.18.3.orig/doc/aide.conf.5
-+++ aide-0.18.3/doc/aide.conf.5
-@@ -1090,7 +1090,7 @@ In the following, the first is not allow
+--- aide-0.19.orig/doc/aide.conf.5
++++ aide-0.19/doc/aide.conf.5
+@@ -1275,7 +1275,7 @@ In the following, the first is not allow
  .B "/foo e+p+u+g"
  .PP
  .SH "SEE ALSO"

aide-xattr-in-libc.patch

@@ -1,7 +1,7 @@
-Index: aide-0.18.6/configure.ac
+Index: aide-0.19/configure.ac
 ===================================================================
---- aide-0.18.6.orig/configure.ac
-+++ aide-0.18.6/configure.ac
+--- aide-0.19.orig/configure.ac
++++ aide-0.19/configure.ac
 @@ -59,7 +59,7 @@ dnl Do the right thing for glibc...
  AIDE_DEFS="-D_GNU_SOURCE"
  
@@ -75,19 +75,19 @@ Index: aide-0.18.6/configure.ac
      uts4*)
  	## pic_flag='-pic'
  	LD_STATIC_FLAG='-Bstatic'
-@@ -338,8 +338,6 @@ fi
+@@ -312,8 +312,6 @@ fi
  
- AIDE_PKG_CHECK(selinux, SELinux, no, SELINUX, libselinux, selinux)
+ AIDE_PKG_CHECK(selinux, SELinux, no, SELINUX, libselinux, selinux, >= 3.4)
  
 -AIDE_PKG_CHECK(xattr, xattr, no, XATTR, libattr, xattrs)
 -
  AIDE_PKG_CHECK(capabilities, POSIX 1003.1e capabilities, no, CAPABILITIES, libcap, caps)
  
  AIDE_PKG_CHECK(e2fsattrs, e2fsattrs, no, E2FSATTRS, e2p, e2fsattrs)
-Index: aide-0.18.6/include/db_config.h
+Index: aide-0.19/include/db_config.h
 ===================================================================
---- aide-0.18.6.orig/include/db_config.h
-+++ aide-0.18.6/include/db_config.h
+--- aide-0.19.orig/include/db_config.h
++++ aide-0.19/include/db_config.h
 @@ -19,7 +19,7 @@
   * with this program; if not, write to the Free Software Foundation, Inc.,
   * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
@@ -97,15 +97,15 @@ Index: aide-0.18.6/include/db_config.h
  #ifndef _DB_CONFIG_H_INCLUDED
  #define _DB_CONFIG_H_INCLUDED
  
-@@ -32,7 +32,6 @@
+@@ -31,7 +31,6 @@
  #ifdef WITH_ZLIB
  #include <zlib.h>
  #endif
 -#include "attributes.h"
- #include "hashsum.h"
  #include "db_line.h"
  #include "list.h"
-@@ -75,7 +74,7 @@
+ #include "report.h"
+@@ -74,7 +73,7 @@
  /*    int (*close)(_db_config*); */
  /*    int db_size; */
  /*    DB_FIELD* db_order; */
@@ -113,25 +113,8 @@ Index: aide-0.18.6/include/db_config.h
 +/*    void* local; */
  /*  }_db_config ; */
  
- typedef struct database {
-@@ -111,14 +110,14 @@ typedef struct db_config {
- #ifdef WITH_ZLIB
-   /* Is dbout gzipped or not */
-   int gzip_dbout;
--  
-+
- #endif
- 
-   DB_ATTR_TYPE db_out_attrs;
- 
-   char *check_path;
-   RESTRICTION_TYPE check_file_type;
--  
-+
-   char* config_file;
-   char* config_version;
-   bool config_check_warn_unrestricted_rules;
-@@ -160,7 +159,7 @@ typedef struct db_config {
+ typedef enum {
+@@ -167,7 +166,7 @@ typedef struct db_config {
    int symlinks_found;
    DB_ATTR_TYPE attr;
  
@@ -140,28 +123,28 @@ Index: aide-0.18.6/include/db_config.h
    int no_acl_on_symlinks;
  #endif
    int warn_dead_symlinks;
-Index: aide-0.18.6/src/do_md.c
+Index: aide-0.19/src/do_md.c
 ===================================================================
---- aide-0.18.6.orig/src/do_md.c
-+++ aide-0.18.6/src/do_md.c
-@@ -45,7 +45,6 @@
+--- aide-0.19.orig/src/do_md.c
++++ aide-0.19/src/do_md.c
+@@ -41,7 +41,6 @@
  
  #ifdef WITH_XATTR
  #include <sys/xattr.h>
 -#include <attr/attributes.h>
- #ifndef ENOATTR
- # define ENOATTR ENODATA
  #endif
-@@ -327,7 +326,7 @@ md_hashsums calc_hashsums(char* fullpath
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+@@ -314,7 +313,7 @@ md_hashsums calc_hashsums(disk_entry *en
  }
  
  void fs2db_line(struct stat* fs,db_line* line) {
 -  
 +
+   /* inode is always needed for ignoring changed filename */
    line->inode=fs->st_ino;
  
-   if(ATTR(attr_uid)&line->attr) {
-@@ -349,7 +348,7 @@ void fs2db_line(struct stat* fs,db_line*
+@@ -341,7 +340,7 @@ void fs2db_line(struct stat* fs,db_line*
    }else{
      line->size=0;
    }
@@ -170,7 +153,7 @@ Index: aide-0.18.6/src/do_md.c
    if(ATTR(attr_linkcount)&line->attr){
      line->nlink=fs->st_nlink;
    }else {
-@@ -367,7 +366,7 @@ void fs2db_line(struct stat* fs,db_line*
+@@ -359,7 +358,7 @@ void fs2db_line(struct stat* fs,db_line*
    }else{
      line->ctime=0;
    }
@@ -179,23 +162,7 @@ Index: aide-0.18.6/src/do_md.c
    if(ATTR(attr_atime)&line->attr){
      line->atime=fs->st_atime;
    }else{
-@@ -379,13 +378,13 @@ void fs2db_line(struct stat* fs,db_line*
-   } else {
-     line->bcount=0;
-   }
--  
-+
- }
- 
- #ifdef WITH_ACL
- void acl2line(db_line* line) {
-   acl_type *ret = NULL;
--  
-+
- #ifdef WITH_POSIX_ACL
-   if(ATTR(attr_acl)&line->attr) {
-     acl_t acl_a = NULL;
-@@ -438,7 +437,7 @@ void acl2line(db_line* line) {
+@@ -447,7 +446,7 @@ void acl2line(db_line* line, int fd, con
      acl_free(acl_d);
    }
    line->acl = ret;
@@ -204,8 +171,11 @@ Index: aide-0.18.6/src/do_md.c
  }
  #endif
  
-@@ -600,4 +599,3 @@ void capabilities2line(db_line* line) {
- void no_hash(db_line* line) {
-   line->attr&=~get_hashes(true);
+@@ -599,7 +598,6 @@ void selinux2line(db_line *line, int fd,
+     }
  }
+ #endif
 -
+ #ifdef WITH_E2FSATTRS
+ void e2fsattrs2line(db_line* line, int fd, const char *whoami) {
+     unsigned long flags;

aide.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Wed Jan 21 13:56:05 UTC 2026 - Marcus Meissner <meissner@suse.com>
+
+- generate the /var/lib/aide directory via tmpfiles (jsc#PED-14791)
+
+-------------------------------------------------------------------
+Tue Aug 19 14:16:44 UTC 2025 - Alexander Bergmann <abergmann@suse.com>
+
+- Update to 0.19.2 (2025-08-13):
+  * Security bug fixes
+    - CVE-2025-54389: Escape control characters in report and log
+      output (bsc#1247884)
+    - CVE-2025-54409: Fix null pointer dereference after reading
+      incorrectly encoded xattr attributes from database (bsc#1247885)
+
+-------------------------------------------------------------------
+Thu May  8 18:03:43 UTC 2025 - Eyad Issa <eyadlorenzo@gmail.com>
+
+- Update to 0.19.0:
+  * Fix build with additional libraries on non-Linux systems
+  * Update NEWS file and aide.conf.5 man page
+  * Move log message to limit log level
+
+- Rebased aide-0.18-as-needed.patch, aide-systemd.patch,
+  aide-xattr-in-libc.patch
+
+- Moved signature to Source100, use pkgconf in BuildRequirements
+  when available
+
 -------------------------------------------------------------------
 Sun Aug 11 12:55:40 UTC 2024 - Aeneas Jaißle <aj@ajaissle.de>
 
@@ -46,7 +75,7 @@ Fri Jun 30 10:05:30 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
 -------------------------------------------------------------------
 Mon Jun  5 12:16:24 UTC 2023 - Andrea Manzini <andrea.manzini@suse.com>
 
-- switched service macros from %systemd_* to %service_* 
+- switched service macros from %systemd_* to %service_*
   according to documentation at https://en.opensuse.org/openSUSE:Systemd_packaging_guidelines#Registering_unit_files_in_install_scripts
 
 -------------------------------------------------------------------

aide.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package aide
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,13 +17,12 @@
 
 
 Name:           aide
-Version:        0.18.8
+Version:        0.19.2
 Release:        0
 Summary:        Advanced Intrusion Detection Environment
 License:        GPL-2.0-or-later
 URL:            https://aide.github.io/
 Source0:        https://github.com/aide/aide/releases/download/v%{version}/aide-%{version}.tar.gz
-Source100:      https://github.com/aide/aide/releases/download/v%{version}/aide-%{version}.tar.gz.asc
 Source1:        aide.conf
 Source2:        aide-cron_daily.sh
 Source3:        aide-test.sh
@@ -33,6 +32,7 @@ Source6:        aide.timer
 Source7:        aide.timer.8
 Source8:        aide_service.conf
 Source43:       aide.keyring
+Source100:      https://github.com/aide/aide/releases/download/v%{version}/aide-%{version}.tar.gz.asc
 Patch1:         aide-0.18-as-needed.patch
 Patch2:         aide-xattr-in-libc.patch
 Patch3:         aide-systemd.patch
@@ -43,13 +43,16 @@ BuildRequires:  bison
 BuildRequires:  curl-devel
 BuildRequires:  flex
 BuildRequires:  gzip
-BuildRequires:  libacl-devel
 BuildRequires:  libgcrypt-devel
-BuildRequires:  libselinux-devel
-BuildRequires:  pcre2-devel
 BuildRequires:  pkgconfig
 BuildRequires:  systemd-rpm-macros
-BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig(libacl)
+BuildRequires:  pkgconfig(libpcre2-16)
+BuildRequires:  pkgconfig(libpcre2-32)
+BuildRequires:  pkgconfig(libpcre2-8)
+BuildRequires:  pkgconfig(libpcre2-posix)
+BuildRequires:  pkgconfig(libselinux)
+BuildRequires:  pkgconfig(zlib)
 
 %description
 AIDE is an intrusion detection system that checks file integrity.
@@ -66,15 +69,15 @@ Simple AIDE test script for externalized testing.
 
 %build
 autoreconf -fiv
-%configure 					\
+%configure \
 	--with-config_file=%{_sysconfdir}/aide.conf	\
-	--with-dbhmactype=md5			\
-	--disable-static			\
-	--enable-lfs				\
-	--with-posix-acl			\
-	--with-xattr				\
-	--with-selinux				\
-	--with-curl				\
+	--with-dbhmactype=md5 \
+	--disable-static \
+	--enable-lfs \
+	--with-posix-acl \
+	--with-xattr \
+	--with-selinux \
+	--with-curl \
 	--with-zlib \
     --with-gcrypt \
     --without-mhash
@@ -83,7 +86,7 @@ autoreconf -fiv
 
 %install
 %make_install
-install -m 700 -d     %{buildroot}%{_localstatedir}/lib/aide
+#install -m 700 -d     %{buildroot}%{_localstatedir}/lib/aide
 install -m 700 -d     %{buildroot}%{_sysconfdir}
 install -m 700 -d     %{buildroot}%{_unitdir}/
 install -m 700 -d     %{buildroot}%{_mandir}/man8
@@ -99,6 +102,9 @@ gzip -9 %{buildroot}%{_mandir}/man8/aide.timer.8
 mkdir -p doc/examples%{_sysconfdir}/cron.daily/
 cp -a %{SOURCE2} doc/examples%{_sysconfdir}/cron.daily/aide.sh
 
+mkdir %{buildroot}%{_tmpfilesdir}
+echo "d %{_localstatedir}/lib/aide 0700 - - -" > %{buildroot}%{_tmpfilesdir}/aide-tmpfiles.conf
+
 %pre
 %service_add_pre %{name}.service %{name}.timer
 
@@ -110,6 +116,7 @@ if ! grep -q "database_in" %{_sysconfdir}/aide.conf ; then
   sed -i 's/\t/ /g' %{_sysconfdir}/aide.conf
 fi
 %service_add_post %{name}.service %{name}.timer
+%tmpfiles_create %{_tmpfilesdir}/aide-tmpfiles.conf
 
 %preun
 %service_del_preun %{name}.service %{name}.timer
@@ -149,13 +156,14 @@ rm -rf $TESTDIR
 %{_bindir}/aide
 /%{_mandir}/man1/aide.1.gz
 /%{_mandir}/man5/aide.conf.5.gz
-%{_localstatedir}/lib/aide
 %config(noreplace) %{_sysconfdir}/aide.conf
 %config(noreplace) %{_sysconfdir}/aide_service.conf
+%{_tmpfilesdir}/aide-tmpfiles.conf
+#{_localstatedir}/lib/aide
 %{_unitdir}/aide.service
 %{_unitdir}/aide.timer
-%{_mandir}/man8/aide.timer.8*
-%{_mandir}/man8/aide.service.8*
+%{_mandir}/man8/aide.timer.8%{?ext_man}
+%{_mandir}/man8/aide.service.8%{?ext_man}
 
 %files test
 %{_bindir}/aide-test.sh