fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content


Debian Bug report logs - #696184


Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 17 Dec 2012 17:39:01 UTC

Severity: important

Tags: security

Found in version fail2ban/0.8.6-3

Fixed in version fail2ban/0.8.6-3wheezy1

Done: Yaroslav Halchenko <debian@onerussian.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#696184; Package fail2ban. (Mon, 17 Dec 2012 17:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Mon, 17 Dec 2012 17:39:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Mon, 17 Dec 2012 19:36:31 +0200
Package: fail2ban
Version: 0.8.6-3
Severity: important

Information from CVE request: http://www.openwall.com/lists/oss-security/2012/12/17/1

The release notes for fail2ban 0.8.8 indicate:

    * [83109bc] IMPORTANT: escape the content of <matches> (if used in
      custom action files) since its value could contain arbitrary
      symbols.  Thanks for discovery go to the NBS System security
      team

This could cause issues on the system running fail2ban as it scans log
files, depending on what content is matched.  There isn't much more
detail about this issue than what is described above, so I think it may
largely depend on the type of regexp used (what it matches) and the
contents of the log file being scanned (whether or not an attacker could
insert something that could be used in a malicious way).

References:
https://raw.github.com/fail2ban/fail2ban/master/ChangeLog
http://sourceforge.net/mailarchive/message.php?msg_id=30193056
https://github.com/fail2ban/fail2ban/commit/83109bc
https://bugzilla.redhat.com/show_bug.cgi?id=887914
https://bugs.gentoo.org/show_bug.cgi?id=447572

- Henri Salo
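The flaw described in the release note above, as an added example that is not part of the bug report or of fail2ban's code: a custom action line interpolates the raw text of the matching log lines through the `<matches>` tag into a command string that a shell will parse, so a log line the remote side can influence becomes shell syntax. The hardened variant escapes the value before substitution, which is the approach the upstream change records ("escape the content of <matches>"); the action line, the two log lines, the `logger -t fail2ban` template and the set of escaped characters are all constructed for this illustration and are assumptions, not quotes of fail2ban's files. Nothing is executed: a small lexer shows how a POSIX shell would split the rendered command.

```python
"""Added example modelling CVE-2012-5642: unescaped <matches> content rendered
into a shell action. Not fail2ban code; all templates and log text are constructed."""

# Backslash is first so existing backslashes are doubled before other escapes
# are added. The exact character set is this example's choice (assumption).
SHELL_SPECIALS = '\\"\'`$&;|<>()'


def escape_tag(value):
    """Backslash-escape shell metacharacters so a tag value stays literal text,
    both as a bare word and inside a "..." context, after substitution."""
    for ch in SHELL_SPECIALS:
        value = value.replace(ch, '\\' + ch)
    return value


def render_action(template, tags, escape):
    """Substitute <name> placeholders by plain string replacement, the way a
    naive action runner does, optionally escaping each value first."""
    out = template
    for name, value in tags.items():
        out = out.replace('<%s>' % name, escape_tag(value) if escape else value)
    return out


def parse_shell(cmd):
    """Tiny POSIX-shell lexer for auditing, not executing: honours '...', "..."
    and backslash escapes, splits words on blanks and starts a new simple
    command at ; | & or newline. Returns (commands, expansions): a list of word
    lists, and a count of unescaped $ and ` characters, i.e. places where a
    real shell would perform parameter or command substitution.
    ||, && and redirections are not modelled."""
    commands, words, word = [], [], []
    in_word, expansions, quote = False, 0, None
    i, n = 0, len(cmd)

    def end_word():
        nonlocal word, in_word
        if in_word:
            words.append(''.join(word))
        word, in_word = [], False

    def end_command():
        nonlocal words
        end_word()
        if words:
            commands.append(words)
        words = []

    while i < n:
        ch = cmd[i]
        if quote == "'":                       # everything literal until '
            if ch == "'":
                quote = None
            else:
                word.append(ch)
            i += 1
        elif quote == '"':
            if ch == '\\' and i + 1 < n and cmd[i + 1] in '$`"\\\n':
                word.append(cmd[i + 1])        # only these are escapable in "..."
                i += 2
            elif ch == '"':
                quote = None
                i += 1
            else:
                expansions += ch in '$`'
                word.append(ch)
                i += 1
        else:                                  # unquoted
            if ch == '\\' and i + 1 < n:
                word.append(cmd[i + 1])
                in_word = True
                i += 2
            elif ch in '"\'':
                quote, in_word = ch, True      # "" is an empty word, not nothing
                i += 1
            elif ch in ' \t':
                end_word()
                i += 1
            elif ch in ';|&\n':
                end_command()
                i += 1
            else:
                expansions += ch in '$`'
                word.append(ch)
                in_word = True
                i += 1
    end_command()
    return commands, expansions


def audit(template, tags, escape):
    """Render the action and report (simple commands, expansion sites, command)."""
    cmd = render_action(template, tags, escape)
    commands, expansions = parse_shell(cmd)
    return len(commands), expansions, cmd


# Constructed action line in the style of a custom action that logs the
# offending lines via logger(1); the actions shipped with fail2ban differ.
ACTION_TEMPLATE = 'logger -t fail2ban "Banned <ip> after: <matches>"'

# Constructed log lines: the login name is chosen by the remote client. The
# first closes the "..." context early; the second stays inside the quotes
# but carries a command substitution, which "..." does not neutralise.
MATCHES_QUOTE_BREAK = ('Failed password for invalid user bob"; echo INJECTED; "'
                       ' from 192.0.2.10 port 4242 ssh2')
MATCHES_SUBSTITUTION = ('Failed password for invalid user $(id)'
                        ' from 192.0.2.10 port 4242 ssh2')


def demo():
    """(commands, expansions) for each sample, unescaped versus escaped."""
    results = {}
    for label, matches in (('quote_break', MATCHES_QUOTE_BREAK),
                           ('substitution', MATCHES_SUBSTITUTION)):
        tags = {'ip': '192.0.2.10', 'matches': matches}
        results[label] = {'unescaped': audit(ACTION_TEMPLATE, tags, False)[:2],
                          'escaped': audit(ACTION_TEMPLATE, tags, True)[:2]}
    return results


if __name__ == '__main__':
    for label, outcome in demo().items():
        print(label, outcome)
```

The unescaped quote-breaking line is seen by the shell as three commands instead of one, and the unescaped `$(id)` line stays a single command yet contains an expansion site; after `escape_tag` both render as exactly one `logger` command with no expansions. The price of backslash escaping inside `"..."` is that characters such as `;` keep a literal backslash in the logged text, which is the same trade-off a fix of this shape makes.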



Added tag(s) security. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 17 Dec 2012 17:45:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#696184; Package fail2ban. (Mon, 17 Dec 2012 18:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Mon, 17 Dec 2012 18:21:03 GMT) (full text, mbox, link).


Message #12 received at 696184@bugs.debian.org (full text, mbox, reply):

From: Yaroslav Halchenko <debian@onerussian.com>
To: Henri Salo <henri@nerv.fi>, 696184@bugs.debian.org
Subject: Re: Bug#696184: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Mon, 17 Dec 2012 13:16:27 -0500
Thank you my consciousness ;)

Just a note: this issue is very unlikely to hit anyone since

<matches> is not used by default in any shipped action file
and it was only recently introduced so I doubt it was adopted by more
than a handful of deployments.

But indeed -- wheezy should get a patched version.

Meanwhile -- anyone in need to run fail2ban on their boxes -- use 0.8.8
from sid or backports from neuro.debian.net repository

Cheers,

On Mon, 17 Dec 2012, Henri Salo wrote:

> Package: fail2ban
> Version: 0.8.6-3
> Severity: important

> Information from CVE request: http://www.openwall.com/lists/oss-security/2012/12/17/1

> The release notes for fail2ban 0.8.8 indicate:

>     * [83109bc] IMPORTANT: escape the content of <matches> (if used in
>       custom action files) since its value could contain arbitrary
>       symbols.  Thanks for discovery go to the NBS System security
>       team

> This could cause issues on the system running fail2ban as it scans log
> files, depending on what content is matched.  There isn't much more
> detail about this issue than what is described above, so I think it may
> largely depend on the type of regexp used (what it matches) and the
> contents of the log file being scanned (whether or not an attacker could
> insert something that could be used in a malicious way).

> References:
> https://raw.github.com/fail2ban/fail2ban/master/ChangeLog
> http://sourceforge.net/mailarchive/message.php?msg_id=30193056
> https://github.com/fail2ban/fail2ban/commit/83109bc
> https://bugzilla.redhat.com/show_bug.cgi?id=887914
> https://bugs.gentoo.org/show_bug.cgi?id=447572

> - Henri Salo


-- 
Yaroslav O. Halchenko
Postdoctoral Fellow,   Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        



Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#696184; Package fail2ban. (Mon, 24 Dec 2012 11:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Mon, 24 Dec 2012 11:30:03 GMT) (full text, mbox, link).


Message #17 received at 696184@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Yaroslav Halchenko <debian@onerussian.com>
Cc: Henri Salo <henri@nerv.fi>, 696184@bugs.debian.org
Subject: Re: Bug#696184: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Mon, 24 Dec 2012 12:26:32 +0100
On Mon, Dec 17, 2012 at 01:16:27PM -0500, Yaroslav Halchenko wrote:
> Thank you my consciousness ;)
> 
> Just a note: this issue is very unlikely to hit anyone since
> 
> <matches> is not used by default in any shipped action file
> and it was only recently introduced so I doubt it was adopted by more
> than a handful deployments.
> 
> But indeed -- wheezy should get a patched version.
> 
> Meanwhile -- anyone in need to run fail2ban on their boxes -- use 0.8.8
> from sid or backports from neuro.debian.net repository

Can you please upload a minimal fix to unstable and ask the release managers
for an unblock?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#696184; Package fail2ban. (Mon, 24 Dec 2012 18:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Mon, 24 Dec 2012 18:21:03 GMT) (full text, mbox, link).


Message #22 received at 696184@bugs.debian.org (full text, mbox, reply):

From: Yaroslav Halchenko <debian@onerussian.com>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Henri Salo <henri@nerv.fi>, 696184@bugs.debian.org
Subject: Re: Bug#696184: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Mon, 24 Dec 2012 13:18:26 -0500
for better or worse -- uploaded 0.8.6-3wheezy1 now.  I will let it
boil for a few days to see if nothing got screwed up, and then will
request unblock

cheers,

On Mon, 24 Dec 2012, Moritz Mühlenhoff wrote:
> > But indeed -- wheezy should get a patched version.

> > Meanwhile -- anyone in need to run fail2ban on their boxes -- use 0.8.8
> > from sid or backports from neuro.debian.net repository

> Can you please upload a minimal fix to unstable and ask the release managers
> for an unblock?

-- 
Yaroslav O. Halchenko
Postdoctoral Fellow,   Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        



Reply sent to Yaroslav Halchenko <debian@onerussian.com>:
You have taken responsibility. (Mon, 24 Dec 2012 18:36:03 GMT) (full text, mbox, link).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 24 Dec 2012 18:36:03 GMT) (full text, mbox, link).


Message #27 received at 696184-close@bugs.debian.org (full text, mbox, reply):

From: Yaroslav Halchenko <debian@onerussian.com>
To: 696184-close@bugs.debian.org
Subject: Bug#696184: fixed in fail2ban 0.8.6-3wheezy1
Date: Mon, 24 Dec 2012 18:32:33 +0000
Source: fail2ban
Source-Version: 0.8.6-3wheezy1

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696184@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yaroslav Halchenko <debian@onerussian.com> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 17 Dec 2012 13:19:32 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.6-3wheezy1
Distribution: unstable
Urgency: high
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Changed-By: Yaroslav Halchenko <debian@onerussian.com>
Description: 
 fail2ban   - ban hosts that cause multiple authentication errors
Closes: 696184
Changes: 
 fail2ban (0.8.6-3wheezy1) unstable; urgency=high
 .
   * CVE-2012-5642: Escape the content of <matches> since its value could
     contain arbitrary symbols (Closes: #696184)
   * Since package source format remained 1.0, manpages patch
     (deb_manpages_reportbug) was not applied -- fold it into .diff.gz
Checksums-Sha1: 
 b331ee66f0de34feaf74037836f2afdaeeeecf1e 1271 fail2ban_0.8.6-3wheezy1.dsc
 e1c0a268ee1abf8d15bcbab67247285028b2df3e 29532 fail2ban_0.8.6-3wheezy1.diff.gz
 c1526f63e671bba7271c3d99f931fe1fb91c8255 103714 fail2ban_0.8.6-3wheezy1_all.deb
Checksums-Sha256: 
 fc196fb63db5f0bd0d659b4a3cfdb27fa030f8b0ec46231cfc0e2abc231aaf6e 1271 fail2ban_0.8.6-3wheezy1.dsc
 1d2500643295f5f541e6fbb9e2139fa012058703ee924bf19d791e6dc733e10f 29532 fail2ban_0.8.6-3wheezy1.diff.gz
 91ae4d5643780d9d7ac2c00d89328a47e21bbcdc973209c1fa1bfac9a8c672f8 103714 fail2ban_0.8.6-3wheezy1_all.deb
Files: 
 2570fe65017b98f97aa37541ec6b0bf1 1271 net optional fail2ban_0.8.6-3wheezy1.dsc
 eee20e38a11dd704502c346fe99ee7b6 29532 net optional fail2ban_0.8.6-3wheezy1.diff.gz
 8c337176e6cf5d1468f9e6cddadccb68 103714 net optional fail2ban_0.8.6-3wheezy1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDYnB8ACgkQjRFFY3XAJMhN6wCeIgOK3MjebjHyio2C8BjdBc2E
SsYAoLKF1R9TwVSvRo4rQ1rraa+A4n4K
=gwjY
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#696184; Package fail2ban. (Thu, 17 Jan 2013 17:36:08 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 17 Jan 2013 17:36:08 GMT) (full text, mbox, link).


Message #32 received at 696184@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 696184@bugs.debian.org
Subject: Re: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Thu, 17 Jan 2013 11:42:02 -0000
Package: fail2ban

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/696184/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#696184; Package fail2ban. (Thu, 17 Jan 2013 20:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yaroslav Halchenko <yoh@debian.org>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 17 Jan 2013 20:27:03 GMT) (full text, mbox, link).


Message #37 received at 696184@bugs.debian.org (full text, mbox, reply):

From: Yaroslav Halchenko <yoh@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>, 696184@bugs.debian.org
Cc: Aron Xu <aron@debian.org>
Subject: Re: Bug#696184: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Thu, 17 Jan 2013 15:24:05 -0500
On Thu, 17 Jan 2013, Jonathan Wiltshire wrote:

> Package: fail2ban

> Dear maintainer,

> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:

> squeeze (6.0.7) - use target "stable"

> Please prepare a minimal-changes upload targeting each of these suites,

no need for squeeze -- buggy unsafe feature was introduced in 0.8.6 by yours
truly while squeeze carries 0.8.4

squeeze backports -- would like to get fresh version from wheezy (hm
http://packages.debian.org/squeeze-backports/fail2ban  doesn't even list
corresponding changelog, so can't deduce maintainer of bpo build
easily... got the .deb -- CCing Aron)

-- 
Yaroslav O. Halchenko
Postdoctoral Fellow,   Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        



Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#696184; Package fail2ban. (Sat, 19 Jan 2013 09:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Aron Xu <aron@debian.org>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sat, 19 Jan 2013 09:45:06 GMT) (full text, mbox, link).


Message #42 received at 696184@bugs.debian.org (full text, mbox, reply):

From: Aron Xu <aron@debian.org>
To: Yaroslav Halchenko <yoh@debian.org>
Cc: Jonathan Wiltshire <jmw@debian.org>, 696184@bugs.debian.org
Subject: Re: Bug#696184: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Sat, 19 Jan 2013 17:42:00 +0800
On Fri, Jan 18, 2013 at 4:24 AM, Yaroslav Halchenko <yoh@debian.org> wrote:
>
> squeeze backports -- would like to get  fresh version from wheezy (hm
> http://packages.debian.org/squeeze-backports/fail2ban  doesn't even list
> corresponding changelog, so can't deduce maintainer of bpo build
> easily... got the .deb -- CCing Aron)
>

I'll update the squeeze-backports version ASAP, thanks for notifying me!

--
Regards,
Aron Xu



Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#696184; Package fail2ban. (Sat, 19 Jan 2013 17:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sat, 19 Jan 2013 17:03:03 GMT) (full text, mbox, link).


Message #47 received at 696184@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: Yaroslav Halchenko <yoh@debian.org>
Cc: 696184@bugs.debian.org, Aron Xu <aron@debian.org>
Subject: Re: Bug#696184: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Sat, 19 Jan 2013 16:57:59 +0000
On Thu, Jan 17, 2013 at 03:24:05PM -0500, Yaroslav Halchenko wrote:
> 
> On Thu, 17 Jan 2013, Jonathan Wiltshire wrote:
> 
> > Package: fail2ban
> 
> > Dear maintainer,
> 
> > Recently you fixed one or more security problems and as a result you closed
> > this bug. These problems were not serious enough for a Debian Security
> > Advisory, so they are now on my radar for fixing in the following suites
> > through point releases:
> 
> > squeeze (6.0.7) - use target "stable"
> 
> > Please prepare a minimal-changes upload targeting each of these suites,
> 
> no need for squeeze -- buggy unsafe feature was introduced in 0.8.6 by yours
> truly while squeeze carries 0.8.4

Thanks, updated the security tracker.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits

Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#696184; Package fail2ban. (Tue, 22 Jan 2013 08:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Aron Xu <aron@debian.org>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Tue, 22 Jan 2013 08:03:03 GMT) (full text, mbox, link).


Message #52 received at 696184@bugs.debian.org (full text, mbox, reply):

From: Aron Xu <aron@debian.org>
To: Yaroslav Halchenko <yoh@debian.org>
Cc: Jonathan Wiltshire <jmw@debian.org>, 696184@bugs.debian.org
Subject: Re: Bug#696184: fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Date: Tue, 22 Jan 2013 16:01:40 +0800
On Sat, Jan 19, 2013 at 5:42 PM, Aron Xu <aron@debian.org> wrote:
> On Fri, Jan 18, 2013 at 4:24 AM, Yaroslav Halchenko <yoh@debian.org> wrote:
>>
>> squeeze backports -- would like to get  fresh version from wheezy (hm
>> http://packages.debian.org/squeeze-backports/fail2ban  doesn't even list
>> corresponding changelog, so can't deduce maintainer of bpo build
>> easily... got the .deb -- CCing Aron)
>>
>
> I'll update the squeeze-backports version ASAP, thanks for notifying me!
>

Uploaded just now.

--
Regards,
Aron Xu



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 20 Feb 2013 07:28:47 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:09:28 2019; Machine Name: beach
