Debian Bug report logs - #696184
fail2ban: CVE-2012-5642: input variable quoting flaw on <matches> content
Reported by: Henri Salo <henri@nerv.fi>
Date: Mon, 17 Dec 2012 17:39:01 UTC
Severity: important
Tags: security
Found in version fail2ban/0.8.6-3
Fixed in version fail2ban/0.8.6-3wheezy1
Done: Yaroslav Halchenko <debian@onerussian.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>: Bug#696184; Package fail2ban. (Mon, 17 Dec 2012 17:39:04 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Mon, 17 Dec 2012 17:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: fail2ban
Version: 0.8.6-3
Severity: important
Information from CVE request: http://www.openwall.com/lists/oss-security/2012/12/17/1
The release notes for fail2ban 0.8.8 indicate:
* [83109bc] IMPORTANT: escape the content of <matches> (if used in
custom action files) since its value could contain arbitrary
symbols. Thanks for discovery go to the NBS System security
team
This could cause issues on the system running fail2ban as it scans log
files, depending on what content is matched. There isn't much more
detail about this issue than what is described above, so I think it may
largely depend on the type of regexp used (what it matches) and the
contents of the log file being scanned (whether or not an attacker could
insert something that could be used in a malicious way).
References:
https://raw.github.com/fail2ban/fail2ban/master/ChangeLog
http://sourceforge.net/mailarchive/message.php?msg_id=30193056
https://github.com/fail2ban/fail2ban/commit/83109bc
https://bugzilla.redhat.com/show_bug.cgi?id=887914
https://bugs.gentoo.org/show_bug.cgi?id=447572
- Henri Salo
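To make the quoting flaw concrete, here is an added Python example; it is not code from the fail2ban project or from anyone in this thread. It assumes a simplified action-command renderer with `<tag>` placeholders of the kind fail2ban action files use, and it assumes the fail2ban 0.8 behaviour of handing the rendered command to the shell. The hardened form quotes untrusted tag values with `shlex.quote`, which is an assumption for illustration rather than the escaping the upstream commit 83109bc actually applies. The template, the tag values and the log line are constructed; only `<matches>` is treated as untrusted, matching the changelog entry.

```python
import shlex

# Tags whose values are derived from untrusted log content. The <matches> tag is
# the one the changelog entry and CVE-2012-5642 are about; <ip> is treated as
# trusted here purely to keep the example focused (an assumption, not a claim
# about fail2ban).
UNTRUSTED_TAGS = {"matches"}

# Constructed sample data: a custom action template of the kind a site might
# put in an action file, and a matched log line that happens to carry a shell
# command separator.
TEMPLATE = "echo Banned <ip> because of: <matches>"
TAGS = {
    "ip": "192.0.2.1",
    "matches": "Failed password for invalid user test; echo INJECTED from 192.0.2.1",
}


def render_unsafe(template, tags):
    """Plain textual substitution of <tag> placeholders: the flawed behaviour.

    Whatever the log line contains is spliced verbatim into a string that the
    caller will hand to /bin/sh, so shell metacharacters in the log line keep
    their meaning.
    """
    out = template
    for name, value in tags.items():
        out = out.replace("<%s>" % name, value)
    return out


def render_escaped(template, tags):
    """Same substitution, but untrusted tag values are shell-quoted first.

    shlex.quote() wraps the value in single quotes (escaping any embedded
    single quotes), so the shell sees it as one literal word.
    """
    out = template
    for name, value in tags.items():
        if name in UNTRUSTED_TAGS:
            value = shlex.quote(value)
        out = out.replace("<%s>" % name, value)
    return out


def shell_tokens(cmd):
    """Tokenise cmd roughly the way a POSIX shell would: quotes are honoured
    and control operators such as ';' and '&&' come back as their own tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def count_commands(cmd):
    """Number of simple commands the shell would run for cmd.

    A correctly quoted action command always yields exactly 1; anything higher
    means log content was able to introduce an extra command.
    """
    separators = {";", "&", "&&", "|", "||"}
    return 1 + sum(1 for tok in shell_tokens(cmd) if tok in separators)


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        cmd = render(TEMPLATE, TAGS)
        print("%-8s %d command(s): %s" % (label, count_commands(cmd), cmd))
```

Run stand-alone it prints both renderings with their command counts: the unsafe rendering expands to two commands, the escaped one to a single command whose last argument is the log line verbatim. The `count_commands` check is the kind of assertion worth keeping in a test suite for custom action files, since a rendered action should never expand to more than one command regardless of what the log line contained.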
Added tag(s) security. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 17 Dec 2012 17:45:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#696184; Package fail2ban. (Mon, 17 Dec 2012 18:21:03 GMT)
Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>: Extra info received and forwarded to list. (Mon, 17 Dec 2012 18:21:03 GMT)
Message #12 received at 696184@bugs.debian.org:
Thank you my consciousness ;)
Just a note: this issue is very unlikely to hit anyone since
<matches> is not used by default in any shipped action file
and it was only recently introduced so I doubt it was adopted by more
than a handful of deployments.
But indeed -- wheezy should get a patched version.
Meanwhile -- anyone in need to run fail2ban on their boxes -- use 0.8.8
from sid or backports from neuro.debian.net repository
Cheers,
On Mon, 17 Dec 2012, Henri Salo wrote:
> Package: fail2ban
> Version: 0.8.6-3
> Severity: important
> Information from CVE request: http://www.openwall.com/lists/oss-security/2012/12/17/1
> The release notes for fail2ban 0.8.8 indicate:
> * [83109bc] IMPORTANT: escape the content of <matches> (if used in
> custom action files) since its value could contain arbitrary
> symbols. Thanks for discovery go to the NBS System security
> team
> This could cause issues on the system running fail2ban as it scans log
> files, depending on what content is matched. There isn't much more
> detail about this issue than what is described above, so I think it may
> largely depend on the type of regexp used (what it matches) and the
> contents of the log file being scanned (whether or not an attacker could
> insert something that could be used in a malicious way).
> References:
> https://raw.github.com/fail2ban/fail2ban/master/ChangeLog
> http://sourceforge.net/mailarchive/message.php?msg_id=30193056
> https://github.com/fail2ban/fail2ban/commit/83109bc
> https://bugzilla.redhat.com/show_bug.cgi?id=887914
> https://bugs.gentoo.org/show_bug.cgi?id=447572
> - Henri Salo
--
Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>: Bug#696184; Package fail2ban. (Mon, 24 Dec 2012 11:30:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Mon, 24 Dec 2012 11:30:03 GMT)
Message #17 received at 696184@bugs.debian.org:
On Mon, Dec 17, 2012 at 01:16:27PM -0500, Yaroslav Halchenko wrote:
> Thank you my consciousness ;)
>
> Just a note: this issue is very unlikely to hit anyone since
>
> <matches> is not used by default in any shipped action file
> and it was only recently introduced so I doubt it was adopted by more
> than a handful of deployments.
>
> But indeed -- wheezy should get a patched version.
>
> Meanwhile -- anyone in need to run fail2ban on their boxes -- use 0.8.8
> from sid or backports from neuro.debian.net repository
Can you please upload a minimal fix to unstable and ask the release managers
for an unblock?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#696184; Package fail2ban. (Mon, 24 Dec 2012 18:21:03 GMT)
Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>: Extra info received and forwarded to list. (Mon, 24 Dec 2012 18:21:03 GMT)
Message #22 received at 696184@bugs.debian.org:
for better or worse -- uploaded 0.8.6-3wheezy1 now. I will let it
boil for a few days to see if nothing got screwed up, and then will
request unblock
cheers,
On Mon, 24 Dec 2012, Moritz Mühlenhoff wrote:
> > But indeed -- wheezy should get a patched version.
> > Meanwhile -- anyone in need to run fail2ban on their boxes -- use 0.8.8
> > from sid or backports from neuro.debian.net repository
> Can you please upload a minimal fix to unstable and ask the release managers
> for an unblock?
--
Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
Reply sent to Yaroslav Halchenko <debian@onerussian.com>: You have taken responsibility. (Mon, 24 Dec 2012 18:36:03 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Mon, 24 Dec 2012 18:36:03 GMT)
Message #27 received at 696184-close@bugs.debian.org:
Source: fail2ban
Source-Version: 0.8.6-3wheezy1
We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 696184@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yaroslav Halchenko <debian@onerussian.com> (supplier of updated fail2ban package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 17 Dec 2012 13:19:32 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.6-3wheezy1
Distribution: unstable
Urgency: high
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Changed-By: Yaroslav Halchenko <debian@onerussian.com>
Description:
fail2ban - ban hosts that cause multiple authentication errors
Closes: 696184
Changes:
fail2ban (0.8.6-3wheezy1) unstable; urgency=high
.
* CVE-2012-5642: Escape the content of <matches> since its value could
contain arbitrary symbols (Closes: #696184)
* Since package source format remained 1.0, manpages patch
(deb_manpages_reportbug) was not applied -- fold it into .diff.gz
Checksums-Sha1:
b331ee66f0de34feaf74037836f2afdaeeeecf1e 1271 fail2ban_0.8.6-3wheezy1.dsc
e1c0a268ee1abf8d15bcbab67247285028b2df3e 29532 fail2ban_0.8.6-3wheezy1.diff.gz
c1526f63e671bba7271c3d99f931fe1fb91c8255 103714 fail2ban_0.8.6-3wheezy1_all.deb
Checksums-Sha256:
fc196fb63db5f0bd0d659b4a3cfdb27fa030f8b0ec46231cfc0e2abc231aaf6e 1271 fail2ban_0.8.6-3wheezy1.dsc
1d2500643295f5f541e6fbb9e2139fa012058703ee924bf19d791e6dc733e10f 29532 fail2ban_0.8.6-3wheezy1.diff.gz
91ae4d5643780d9d7ac2c00d89328a47e21bbcdc973209c1fa1bfac9a8c672f8 103714 fail2ban_0.8.6-3wheezy1_all.deb
Files:
2570fe65017b98f97aa37541ec6b0bf1 1271 net optional fail2ban_0.8.6-3wheezy1.dsc
eee20e38a11dd704502c346fe99ee7b6 29532 net optional fail2ban_0.8.6-3wheezy1.diff.gz
8c337176e6cf5d1468f9e6cddadccb68 103714 net optional fail2ban_0.8.6-3wheezy1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlDYnB8ACgkQjRFFY3XAJMhN6wCeIgOK3MjebjHyio2C8BjdBc2E
SsYAoLKF1R9TwVSvRo4rQ1rraa+A4n4K
=gwjY
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>: Bug#696184; Package fail2ban. (Thu, 17 Jan 2013 17:36:08 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 17 Jan 2013 17:36:08 GMT)
Message #32 received at 696184@bugs.debian.org:
Package: fail2ban
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.7) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/696184/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>: Bug#696184; Package fail2ban. (Thu, 17 Jan 2013 20:27:03 GMT)
Acknowledgement sent to Yaroslav Halchenko <yoh@debian.org>: Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 17 Jan 2013 20:27:03 GMT)
Message #37 received at 696184@bugs.debian.org:
On Thu, 17 Jan 2013, Jonathan Wiltshire wrote:
> Package: fail2ban
> Dear maintainer,
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
> squeeze (6.0.7) - use target "stable"
> Please prepare a minimal-changes upload targeting each of these suites,
no need for squeeze -- buggy unsafe feature was introduced in 0.8.6 by yours
truly while squeeze carries 0.8.4
squeeze backports -- would like to get fresh version from wheezy (hm
http://packages.debian.org/squeeze-backports/fail2ban doesn't even list
corresponding changelog, so can't deduce maintainer of bpo build
easily... got the .deb -- CCing Aron)
--
Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>: Bug#696184; Package fail2ban. (Sat, 19 Jan 2013 09:45:06 GMT)
Acknowledgement sent to Aron Xu <aron@debian.org>: Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sat, 19 Jan 2013 09:45:06 GMT)
Message #42 received at 696184@bugs.debian.org:
On Fri, Jan 18, 2013 at 4:24 AM, Yaroslav Halchenko <yoh@debian.org> wrote:
>
> squeeze backports -- would like to get fresh version from wheezy (hm
> http://packages.debian.org/squeeze-backports/fail2ban doesn't even list
> corresponding changelog, so can't deduce maintainer of bpo build
> easily... got the .deb -- CCing Aron)
>
I'll update the squeeze-backports version ASAP, thanks for notifying me!
--
Regards,
Aron Xu
Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>: Bug#696184; Package fail2ban. (Sat, 19 Jan 2013 17:03:03 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sat, 19 Jan 2013 17:03:03 GMT)
Message #47 received at 696184@bugs.debian.org:
On Thu, Jan 17, 2013 at 03:24:05PM -0500, Yaroslav Halchenko wrote:
>
> On Thu, 17 Jan 2013, Jonathan Wiltshire wrote:
>
> > Package: fail2ban
>
> > Dear maintainer,
>
> > Recently you fixed one or more security problems and as a result you closed
> > this bug. These problems were not serious enough for a Debian Security
> > Advisory, so they are now on my radar for fixing in the following suites
> > through point releases:
>
> > squeeze (6.0.7) - use target "stable"
>
> > Please prepare a minimal-changes upload targeting each of these suites,
>
> no need for squeeze -- buggy unsafe feature was introduced in 0.8.6 by yours
> truly while squeeze carries 0.8.4
Thanks, updated the security tracker.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits
Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>: Bug#696184; Package fail2ban. (Tue, 22 Jan 2013 08:03:03 GMT)
Acknowledgement sent to Aron Xu <aron@debian.org>: Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Tue, 22 Jan 2013 08:03:03 GMT)
Message #52 received at 696184@bugs.debian.org:
On Sat, Jan 19, 2013 at 5:42 PM, Aron Xu <aron@debian.org> wrote:
> On Fri, Jan 18, 2013 at 4:24 AM, Yaroslav Halchenko <yoh@debian.org> wrote:
>>
>> squeeze backports -- would like to get fresh version from wheezy (hm
>> http://packages.debian.org/squeeze-backports/fail2ban doesn't even list
>> corresponding changelog, so can't deduce maintainer of bpo build
>> easily... got the .deb -- CCing Aron)
>>
>
> I'll update the squeeze-backports version ASAP, thanks for notifying me!
>
Uploaded just now.
--
Regards,
Aron Xu
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 20 Feb 2013 07:28:47 GMT)
Last modified: Wed Jun 19 18:09:28 2019