audit 2.4.4 released

Steve Grubb sgrubb at redhat.com
Thu Aug 13 21:30:21 UTC 2015


Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Fix linked list correctness in ausearch/report
- Add more cross compile fixups (Clayton Shotwell)
- Update auparse python bindings
- Update libev to 4.20
- Fix CVE-2015-5186 Audit: log terminal emulator escape sequences handling

The main thing to discuss in this release is the CVE. The issue is that the 
audit logs handle untrusted data. We know that and hex encode anything that 
has control characters. Turns out that running ausearch or report with the -i 
argument simply decoded the control characters. To see what I mean, consider 
the following log entry:

type=PATH msg=audit(1438371086.399:1711): item=1 
name=1B5B346D756E6465726C696E6564 inode=14495887363 dev=09:7e mode=0100640 
ouid=4325 ogid=4325 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 
nametype=NORMAL
type=CWD msg=audit(1438371086.399:1711):  cwd="/home/sgrubb/test/underlined"
type=SYSCALL msg=audit(1438371086.399:1711): arch=c000003e syscall=2 
success=yes exit=3 a0=7fff24f2a6f0 a1=42 a2=1a0 a3=691 items=2 ppid=18629 
pid=19011 auid=4325 uid=4325 gid=4325 euid=4325 suid=4325 fsuid=4325 egid=4325 
sgid=4325 fsgid=4325 tty=pts4 ses=1 comm="test" 
exe="/home/sgrubb/test/underlined/test" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="underlined"

If you ausearch -i on that file, your screen will get underlines with all the 
text. An attacker could change this to be worse than just underlining your 
text. They could try to write to the window title and then bounce that back in 
black on black text to the command prompt hoping the admin will press enter.

I did a survey recently and all emulators I could find on Fedora 22 do not 
honor the window title fetching command. There was a discussion about it on 
oss-security list as preparation for this announcement. Read the thread here:

http://www.openwall.com/lists/oss-security/2015/08/11/8

Please let me know if you run across any problems with this release.

-Steve
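The announcement above describes the fix only in a ChangeLog line, so the following is an added example, not code from the audit project or from Steve's post. It shows the two steps that the vulnerable `-i` path collapsed into one: decoding the hex-encoded field (which recovers the raw ESC byte) versus interpreting it for display (which must render that byte visibly instead of passing it through to the terminal). The sample field is the `name=` value from the PATH record quoted in the mail; the set of fields treated as string-typed (`name`, `comm`, `exe`, `cwd`, `key`) is an assumption drawn from that record, and the quoting style of the sanitized output is the example's own choice, not a claim about how ausearch formats its output.

```python
import re
import string

# Constructed sample: the hex-encoded name= field from the PATH record in the
# announcement (bytes 1B 5B 34 6D = ESC [ 4 m, followed by "underlined").
SAMPLE_NAME_FIELD = "1B5B346D756E6465726C696E6564"

# Assumption for this example: fields whose values auditd hex-encodes when they
# contain control characters or other unsafe bytes. auditd quotes plain values
# (cwd="...") and leaves hex-encoded ones unquoted (name=1B5B...).
STRING_FIELDS = {"name", "comm", "exe", "cwd", "key"}
_FIELD_RE = re.compile(r"\b(" + "|".join(sorted(STRING_FIELDS)) + r")=(\S+)")

# Bytes that may be written to a terminal verbatim: printable ASCII plus space.
# Tabs, newlines and all other control bytes are deliberately excluded.
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_hex_field(value: str) -> bytes:
    """Decode an auditd hex-encoded field value (uppercase hex, even length)."""
    if len(value) % 2 or not re.fullmatch(r"[0-9A-F]+", value):
        raise ValueError("not an auditd hex-encoded field")
    return bytes.fromhex(value)


def naive_interpret(value: str) -> str:
    """The behaviour the CVE describes: decode and hand the bytes straight through.

    The ESC byte survives, so whatever terminal displays the result will act on
    the escape sequence embedded by whoever chose the file name.
    """
    return decode_hex_field(value).decode("latin-1")


def safe_interpret(value: str) -> str:
    """Decode, then render every non-printable byte as a visible \\xNN escape.

    The log still shows the attacker-controlled content, but as text the admin
    can read rather than as a control sequence the terminal executes.
    """
    out = []
    for b in decode_hex_field(value):
        ch = chr(b)
        out.append(ch if ch in _PRINTABLE else f"\\x{b:02x}")
    return "".join(out)


def contains_control_chars(text: str) -> bool:
    """Detection helper: does a rendered string still carry C0 controls or DEL?"""
    return any((ord(c) < 0x20 and c not in "\t\n") or ord(c) == 0x7F for c in text)


def sanitize_record(line: str) -> str:
    """Rewrite one audit record so that hex-encoded string fields are shown
    decoded but terminal-safe. Quoted values are already plain and are kept;
    values that are not hex (e.g. name=(null)) are left untouched."""
    def repl(m: re.Match) -> str:
        key, value = m.group(1), m.group(2)
        if value.startswith('"'):
            return m.group(0)
        try:
            return f'{key}="{safe_interpret(value)}"'
        except ValueError:
            return m.group(0)
    return _FIELD_RE.sub(repl, line)


if __name__ == "__main__":
    # Constructed records, taken from the mail's example (second line abbreviated).
    records = [
        "type=PATH msg=audit(1438371086.399:1711): item=1 "
        "name=1B5B346D756E6465726C696E6564 inode=14495887363 dev=09:7e mode=0100640",
        'type=CWD msg=audit(1438371086.399:1711):  cwd="/home/sgrubb/test/underlined"',
    ]
    print("naive decode carries ESC:", contains_control_chars(naive_interpret(SAMPLE_NAME_FIELD)))
    for rec in records:
        print(sanitize_record(rec))
```

Run on the PATH record, the naive decode yields a string beginning with a real ESC byte, while `safe_interpret` yields the literal text `\x1b[4munderlined`; `sanitize_record` applies the safe form only to unquoted values of the string-typed fields and leaves the quoted `cwd` record unchanged.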