Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix linked list correctness in ausearch/report
- Add more cross compile fixups (Clayton Shotwell)
- Update auparse python bindings
- Update libev to 4.20
- Fix CVE-2015-5186 Audit: log terminal emulator escape sequences handling

The main thing to discuss in this release is the CVE. The issue is that the
audit logs handle untrusted data. We know that and hex encode anything that
has control characters. Turns out that running ausearch or report with the -i
argument simply decoded the control characters. To see what I mean, consider
the following log entry:

type=PATH msg=audit(1438371086.399:1711): item=1 name=1B5B346D756E6465726C696E6564 inode=14495887363 dev=09:7e mode=0100640 ouid=4325 ogid=4325 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL
type=CWD msg=audit(1438371086.399:1711): cwd="/home/sgrubb/test/underlined"
type=SYSCALL msg=audit(1438371086.399:1711): arch=c000003e syscall=2 success=yes exit=3 a0=7fff24f2a6f0 a1=42 a2=1a0 a3=691 items=2 ppid=18629 pid=19011 auid=4325 uid=4325 gid=4325 euid=4325 suid=4325 fsuid=4325 egid=4325 sgid=4325 fsgid=4325 tty=pts4 ses=1 comm="test" exe="/home/sgrubb/test/underlined/test" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="underlined"

If you ausearch -i on that file, your screen will get underlines with all the
text. An attacker could change this to be worse than just underlining your
text. They could try to write to the window title and then bounce that back in
black on black text to the command prompt hoping the admin will press enter.
I did a survey recently and all emulators I could find on Fedora 22 do not
honor the window title fetching command. There was a discussion about it on
oss-security list as preparation for this announcement. Read the thread here:
http://www.openwall.com/lists/oss-security/2015/08/11/8
Please let me know if you run across any problems with this release.
-Steve
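
Added example (not part of the original message and not the audit project's code): Python that decodes hex-encoded audit fields such as the name= value quoted above and renders them with control bytes escaped, so a log viewer can show the value without passing escape sequences to the terminal. The field list, function names and sample text are assumptions made for this illustration.

```python
import re

# Constructed sample: the PATH and CWD records from the message, one per line.
SAMPLE = (
    "type=PATH msg=audit(1438371086.399:1711): item=1 "
    "name=1B5B346D756E6465726C696E6564 inode=14495887363 dev=09:7e "
    "mode=0100640 ouid=4325 ogid=4325 rdev=00:00 nametype=NORMAL\n"
    "type=CWD msg=audit(1438371086.399:1711): "
    'cwd="/home/sgrubb/test/underlined"\n'
)

# Assumption: a subset of the fields that can carry untrusted strings.
UNTRUSTED = ("name", "cwd", "comm", "exe")
FIELD_RE = re.compile(r'\b(%s)=("[^"]*"|\S+)' % "|".join(UNTRUSTED))
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def decode_field(raw):
    """Return (value_bytes, was_hex_encoded) for one raw field value."""
    if raw.startswith('"'):
        return raw.strip('"').encode(), False
    if HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw), True
    return raw.encode(), False  # unquoted non-hex token such as (null)


def safe_render(data):
    """Printable ASCII passes through; every other byte becomes \\xNN."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\x%02x" % b
        for b in data
    )


def scan(log_text):
    """Return (line_no, field, safe_text, has_control) per untrusted field."""
    found = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for field, raw in FIELD_RE.findall(line):
            data, _ = decode_field(raw)
            has_ctl = any(b < 0x20 or b == 0x7F for b in data)
            found.append((n, field, safe_render(data), has_ctl))
    return found


if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```

Rows with has_control set are the ones worth reviewing; the backslash itself is escaped so the rendered text cannot be confused with a literal \xNN in a file name.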