Linux Forensics Tools Repository: Package Summary for Packages on August 22, 2014:

  • lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
    • 3.14.17-100 for FC19

  • fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
    • 3.14.17-100 for FC19

  • lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
    • 3.15.9-200 for FC20
    • 3.15.10-200 for FC20

  • fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
    • 3.15.9-200 for FC20
    • 3.15.10-200 for FC20

  • dc3dd-7.2.641.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64} - dc3dd is a patched version of GNU dd that includes several features useful for computer forensics. New in this version are the following:
    • Log output may be sent to multiple job logs and hash logs. Simply specify log=LOG and/or hlog=LOG more than once.
    • Verification of an image restored to a device larger than the image is now supported. Specify hof=DEVICE to hash only the bytes dc3dd writes to the device. Specify fhod=DEVICE to hash both the bytes dc3dd writes to the device and all the bytes that follow, up to the end of the device.
    • Specifying hof=DEVICE will now default to phod=DEVICE behavior (hash only the bytes output by dc3dd, not the full device).

  • dd_rescue-1.46-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility, similar to the system utility dd, that copies data from one file or block device to another. Unlike dd, however, dd_rescue does not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previously distributed version (1.46):

    • ddr_hash now supports calculating HMACs instead of plain hashes. The hash calculation has been cleaned up a bit. When a seed value of 0 is passed on the command line, additional randomness is created using the rdrand() command on x86/x86-64 (if available).
    • (2014-06-27) A vulnerability in most implementations of lzo decompression has been reported. The liblzo2 library (up to and including v2.06) used by the ddr_lzo plugin (until dd_rescue-1.45) is affected. You need to feed specially crafted compressed data in blocks of 16MB or larger to the decompressor on 32-bit platforms to exploit it; see the report for more details. (This issue has ID LMS-20140616-1 / CVE-2014-4607.) The ddr_lzo man page advises being careful when feeding data from untrusted sources to the decompressor; it seems that this advice has been wise. Fortunately, ddr_lzo does not normally feed such large blocks to the decompressor; you'd need to manually increase the soft block size to at least 8MB and ignore a warning to trigger this issue with dd_rescue. But it is possible. So here's the advice:
      • Update liblzo2 to 2.07 (or a fixed 2.06 version) which has this issue fixed (your Linux distributor should provide this very soon). This is enough to fix the issue, as the ddr_lzo plugin of dd_rescue does dynamically link against liblzo2, except for Android.

  • libsmraw{,-devel,-tools,-python}-20140817-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains support for multiple (split) RAW naming schemes. See here for the list of changes.
  • yaf{,-devel}-2.5.0-3.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm/yaf{,-devel}-2.2.1-6.el5.{i686,x86_64}.rpm - Yaf (Yet Another Flowmeter) is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. The RHEL/CentOS 5 package needed to be rebuilt with the latest version of libfixbuf. The RHEL/CentOS 6 package for the x86_64 architecture was rebuilt with the correct version of libfixbuf, so all other versions of yaf and yaf-devel were rebuilt to keep the release number consistent.
  • super_mediator-0.3.0-5.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. The Fedora 17 package for the i386 architecture was rebuilt with the correct version of libfixbuf, so all other versions of super_mediator were rebuilt to keep the release number consistent.
  • protobuf-c{,-devel}-0.15-2.2.el6.x86_64.rpm - The protobuf-c package provides a code generator and runtime libraries to use Protocol Buffers from pure C (not C++). This package was only provided for CentOS/RHEL 6 for the x86_64 architecture. This RHEL/CentOS 6 package for the i386 architecture was rebuilt to use the latest version of protobuf-devel.
  • snarf{,-devel,-python}-0.2.2-3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner. This version was built to use version 0.15 of protobuf and protobuf-c-devel where required.

    Note: Extra Packages for Enterprise Linux (EPEL) for RHEL/CentOS 7 includes a version of protobuf-c that is incompatible with snarf, and its installation causes problems when attempting to install snarf. To solve this problem, add the exclude line shown at the end of the following [epel] section to the /etc/yum.repos.d/epel.repo file:
    [epel]
    name=Extra Packages for Enterprise Linux 7 - $basearch
    #baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
    mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
    failovermethod=priority
    enabled=1
    gpgcheck=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
    exclude=protobuf-c