From b61f614b2224daf8af17c046c3e96d48886b8d60 Mon Sep 17 00:00:00 2001 From: yixiangzhike Date: Fri, 15 Aug 2025 18:04:39 +0800 Subject: [PATCH] fix CVE-2025-54409 --- aide.spec | 9 +++- backport-CVE-2025-54409.patch | 91 +++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2025-54409.patch diff --git a/aide.spec b/aide.spec index 2be5420..f031d3e 100644 --- a/aide.spec +++ b/aide.spec @@ -1,6 +1,6 @@ Name: aide Version: 0.16.2 -Release: 6 +Release: 7 Summary: Advanced Intrusion Detection Environment License: GPLv2+ URL: http://sourceforge.net/projects/aide @@ -21,6 +21,7 @@ Patch3: aide-fix-display-issue.patch Patch4: aide-fix-reporting-to-http-https-ftp.patch Patch5: backport-Refactor-logging-and-config-parsing-code-check-memory-allocations.patch Patch6: backport-Check-return-value-after-dynamic-memory-allocations.patch +Patch7: backport-CVE-2025-54409.patch %description AIDE (Advanced Intrusion Detection Environment, [eyd]) is a file and directory integrity checker. @@ -68,6 +69,12 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide %{_mandir}/*/* %changelog +* Fri Aug 15 2025 yixiangzhike - 0.16.2-7 +- Type:CVE +- ID:CVE-2025-54409 +- SUG:NA +- DESC: fix CVE-2025-54409 + * Mon Jul 10 2023 yixiangzhike - 0.16.2-6 - Type:bugfix - ID:NA diff --git a/backport-CVE-2025-54409.patch b/backport-CVE-2025-54409.patch new file mode 100644 index 0000000..10f52e3 --- /dev/null +++ b/backport-CVE-2025-54409.patch 
@@ -0,0 +1,91 @@
+From 6cfce11d2b45f228671c85f03346450006a5d36d Mon Sep 17 00:00:00 2001
+From: Hannes von Haugwitz
+Date: Thu, 7 Aug 2025 18:02:41 +0200
+Subject: [PATCH] Fix null pointer dereference after reading incorrectly
+ encoded xattr attributes from database
+
+* fix handling of empty xattr values
+* fix handling of xattr keys containing a comma
+* this addresses CVE-2025-54409
+* thanks to Rajesh Pangare for reporting this issue
+
+Reference: https://github.com/aide/aide/commit/6cfce11d2b45f228671c85f03346450006a5d36d
+Conflict: Code context adaptation and remove changes in src/db_file.c
+---
+ ChangeLog | 7 +++++
+ src/db.c | 26 ++++++++++++++++++--------
+ src/util.c | 2 +-
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+
+
+diff --git a/ChangeLog b/ChangeLog
+index 499e6d7..6bc4df9 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2025-08-07 Hannes von Haugwitz
++ * Fix null pointer dereference after reading incorrectly encoded xattr
++ attributes from database (CVE-2025-54409)
++ - fix handling of empty xattr values
++ - fix handling of xattr keys containing a comma
++ - thanks to Rajesh Pangare for reporting this issue
++
+ 2019-05-19 Hannes von Haugwitz
+ * Release version 0.16.2
+
+diff --git a/src/db.c b/src/db.c
+index 6675e19..375b220 100644
+--- a/src/db.c
++++ b/src/db.c
+@@ -374,17 +374,27 @@ db_line* db_char2line(char** ss,int db){
+ num = 0;
+ while (num < line->xattrs->num)
+ {
+- byte *val = NULL;
+- size_t vsz = 0;
+-
+ tval = strtok(NULL, ",");
+ line->xattrs->ents[num].key = db_readchar(checked_strdup(tval));
+ tval = strtok(NULL, ",");
+- val = base64tobyte(tval, strlen(tval), &vsz);
+- line->xattrs->ents[num].val = val;
+- line->xattrs->ents[num].vsz = vsz;
+-
+- ++num;
++ if (strcmp(tval,"0") != 0) {
++ line->xattrs->ents[num].val = decode_base64(tval, strlen(tval), &line->xattrs->ents[num].vsz);
++ } else {
++ line->xattrs->ents[num].val = checked_strdup("");
++ line->xattrs->ents[num].vsz = 0;
++ }
++ if (line->xattrs->ents[num].val == NULL) {
++ error(2, "Warning: error while reading xattrs for '%s' from database (discarding extended attributes)", line->filename);
++ for (int j = num; j >= 0 ; --j) {
++ free(line->xattrs->ents[j].key);
++ line->xattrs->ents[j].key = NULL;
++ free(line->xattrs->ents[j].val);
++ line->xattrs->ents[j].val = NULL;
++ }
++ line->xattrs->num = 0;
++ } else {
++ ++num;
++ }
+ }
+ }
+ break;
+diff --git a/src/util.c b/src/util.c
+index 51083b9..554b2a1 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -40,7 +40,7 @@
+ #include "db_config.h"
+ #include "util.h"
+
+-#define URL_UNSAFE " <>\"#%{}|\\^~[]`@:\033'"
++#define URL_UNSAFE " <>\"#%{}|\\^~[]`@:\033',"
+ #define ISPRINT(c) (isascii(c) && isprint(c))
+
+ static const char* url_name[] = {
+--
+2.43.0
+
-- Gitee
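Review bot: In the src/db.c hunk of the added patch, both `strtok(NULL, ",")` results are still used without a NULL check: `checked_strdup(tval)` for the key, then `strcmp(tval,"0")` and `strlen(tval)` for the value. If a database record carries fewer key/value tokens than `line->xattrs->num` (which appears to be parsed from the same field, outside the hunk), strtok returns NULL and the loop dereferences it, which is the same kind of crash on a malformed database entry that this fix is meant to close. Routing that case into the new discard branch would cover it, for example `line->xattrs->ents[num].key = tval ? db_readchar(checked_strdup(tval)) : NULL;` and `if (tval == NULL) { line->xattrs->ents[num].val = NULL; } else if (strcmp(tval,"0") != 0) {`. db_char2line starts and ends outside the hunk, so how `checked_strdup` treats NULL and whether `ents` is zero-initialised cannot be confirmed from the visible lines.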