Message-ID: <20250814140127.GA2@magnesium.vonhaugwitz.com>
Date: Thu, 14 Aug 2025 16:01:27 +0200
From: Hannes von Haugwitz <hannes@...haugwitz.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-54409 - aide (>= 0.13 <= 0.19.1): null pointer dereference after reading incorrectly encoded xattr attributes from database (local DoS)

Summary
=======

Rajesh Pangare discovered a null pointer dereference vulnerability in AIDE, an advanced intrusion detection system. An attacker can crash the program during report printing or database listing after setting extended file attributes with an empty attribute value or with a key containing a comma. A local user might exploit this to cause a local denial of service.

Project
=======

AIDE (https://aide.github.io)

Affected versions
=================

AIDE >= 0.13, <= 0.19.1

CVE ID
======

CVE-2025-54409

Proof of concept
================

To take advantage of the flaw the user needs write access to a mounted file system that supports extended file attributes. aide also needs to be compiled with the --with-xattr configure flag (this is the case for most distributions).

## listing aide database with empty extended attribute value
$ touch xattrs-file ; setfattr -n user.empty_value xattrs-file
# aide --config <(printf -- "database_out=stdout\n$(pwd)/xattrs-file xattrs\n") --init | aide --config <(printf -- "database_in=stdin\n$(pwd)/xattrs-file xattrs\n") --list

## checking aide database with extended attribute key containing a comma
$ touch xattrs-file ; setfattr -n user.ke,y -v value xattrs-file
# aide --config <(printf -- "database_out=stdout\n$(pwd)/xattrs-file xattrs\n") --init | aide --config <(printf -- "database_in=stdin\n$(pwd)/xattrs-file xattrs\n") --check

Please note that the segfault only occurs on the second run of aide, after the extended file attribute has been written to the database in the first run (provided the xattr value is shown in the report due to a change or the database is listed via --list).
Analysis
========

The vulnerability is caused by missing error handling while decoding the base64 encoded xattr attribute from the database and by incorrect handling of empty xattr attribute values and attribute keys containing a comma. This allows a user to craft a file with an extended file attribute that causes aide to dereference a null pointer and segfault.

Mitigation
==========

Upgrade to AIDE v0.19.2 [v0.19.2]

Alternatively apply one of the provided patches:

aide-0.19_cve-2025-54409_xattr.patch for 0.19.1
aide-0.18_cve-2025-54409_xattr.patch for 0.18.8 (backported for Debian Bookworm)
aide-0.17_cve-2025-54409_xattr.patch for 0.17.4 (backported for Debian Bullseye)

If you cannot upgrade, consider removing the `xattrs` group from rules matching files on affected file systems.

[v0.19.2] https://github.com/aide/aide/releases/tag/v0.19.2

Credit
======

The issue was reported by Rajesh Pangare.
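As an added, defender-side example that is not part of the advisory or of AIDE itself: before a fleet is upgraded or its `xattrs` rules relaxed, an administrator may want to know which files already carry an attribute of the two kinds the Analysis section names (an empty value, or a key containing a comma), since those are the ones that would crash an unpatched aide on its next report or --list run. The script below walks a directory tree and reports them; it assumes a Linux host (os.listxattr / os.getxattr) and that the scanning user may read the attributes.

```python
import os
import sys
from typing import Iterator, List, Tuple

# Constructed helper, not AIDE code: classify one extended attribute
# (name, value) pair against the two conditions described in the advisory.
def classify_xattr(name: str, value: bytes) -> List[str]:
    """Return the reasons this xattr would trip CVE-2025-54409, or [] if none."""
    reasons = []
    if value == b"":
        reasons.append("empty value")
    if "," in name:
        reasons.append("comma in key")
    return reasons


def scan_tree(root: str) -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (path, xattr name, reasons) for every problematic xattr under root.

    Symlinks are inspected with follow_symlinks=False, so a link's own
    attributes are checked rather than its target's. Entries on file systems
    without xattr support (ENOTSUP), unreadable entries (EACCES) and entries
    that vanish mid-scan are skipped rather than aborting the scan.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            try:
                for name in os.listxattr(path, follow_symlinks=False):
                    value = os.getxattr(path, name, follow_symlinks=False)
                    reasons = classify_xattr(name, value)
                    if reasons:
                        yield path, name, reasons
            except OSError:
                continue


if __name__ == "__main__":
    hits = list(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
    for path, name, reasons in hits:
        print(f"{path}: {name} ({', '.join(reasons)})")
    print(f"{len(hits)} attribute(s) would trigger the crash on an unpatched aide")
```

Run it as root over the directories covered by rules that include the `xattrs` group; files it lists are the ones to clean up or exclude until the patched version is in place.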