libpam-shield: doesn't block any IP when allow_missing_dns=no

Debian Bug report logs - #658830
libpam-shield: doesn't block any IP when allow_missing_dns=no

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Laurentiu Pancescu <lpancescu@googlemail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libpam-shield: doesn't block any IP when allow_missing_dns=no

Date: Mon, 06 Feb 2012 10:47:35 +0100

Package: libpam-shield
Version: 0.9.2-3.2 
Severity: grave
Tags: security

With allow_missing_dns and allow_missing_reverse set to "no" (default 
configuration in Squeeze), pam_shield doesn't take any action 
whatsoever, besides logging the IP. If I set both variables to "yes", 
the IPs are null-routed as expected. I tested by connecting via SSH from 
a system without DNS records.

This seems to be a bug fixed upstream in September 2010 [1]. Is this 
package still actively maintained in Debian? Upstream seems to be quite 
active, but the Debian changelog doesn't seem to suggest any code 
changes since December 2007.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set 
LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory 
ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-shield depends on:
ii  libc6                 2.11.3-2           Embedded GNU C Library: 
Shared lib
ii  libgdbm3              1.8.3-9            GNU dbm database routines 
(runtime
ii  libpam0g              1.1.1-6.1+squeeze1 Pluggable Authentication 
Modules l

libpam-shield recommends no packages.

Versions of packages libpam-shield suggests:
ii  iproute                       20100519-3 networking and traffic 
control too
ii  iptables                      1.4.8-3    administration tools for 
packet fi

-- Configuration Files:
/etc/security/shield.conf changed:
debug on
block all-users
allow_missing_dns yes
allow_missing_reverse yes
allow localhost
db /var/lib/pam_shield/db
trigger_cmd /usr/sbin/shield-trigger
max_conns 3
interval 1h
retention 1w

-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = "en_US:en",
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory

Message #10 received at 658830@bugs.debian.org (full text, mbox, reply):

From: Laurentiu Pancescu <lpancescu@googlemail.com>

To: Laurentiu Pancescu <lpancescu@googlemail.com>, 658830@bugs.debian.org

Subject: Re: Bug#658830: libpam-shield: doesn't block any IP when allow_missing_dns=no

Date: Mon, 06 Feb 2012 11:10:04 +0100

Sorry, I forgot the link to the bugfix [1]

[1] 
https://github.com/walterdejong/pam_shield/commit/afa7b246018787fe6028289c414c33292641e1e0

On 2/6/12 10:47 , Laurentiu Pancescu wrote:
> Package: libpam-shield
> Version: 0.9.2-3.2 Severity: grave
> Tags: security
>
> With allow_missing_dns and allow_missing_reverse set to "no" (default
> configuration in Squeeze), pam_shield doesn't take any action
> whatsoever, besides logging the IP. If I set both variables to "yes",
> the IPs are null-routed as expected. I tested by connecting via SSH from
> a system without DNS records.
>
> This seems to be a bug fixed upstream in September 2010 [1]. Is this
> package still actively maintained in Debian? Upstream seems to be quite
> active, but the Debian changelog doesn't seem to suggest any code
> changes since December 2007.
>

Message #17 received at 658830@bugs.debian.org (full text, mbox, reply):

From: Jonathan Niehof <jtniehof@gmail.com>

To: 658830@bugs.debian.org

Date: Sat, 3 Mar 2012 16:22:24 -0700

I have backported and tested the fix, RFS is #662076. Note that it
still won't do anything without "auth optional pam_shield.so" at the
top of common-auth, but it will block with that. Still working on
upstream and then bringing in the latest from there, shouldn't be too
long.

Thanks to Laurentiu for the heads-up, and my apologies for how long it
took; a family emergency intervened.

Message #22 received at 658830@bugs.debian.org (full text, mbox, reply):

From: Jonathan Niehof <jtniehof@gmail.com>

To: 658830@bugs.debian.org

Date: Fri, 11 May 2012 13:46:57 -0600

[Message part 1 (text/plain, inline)]

Attaching a debdiff between the 0.9.2-3.2 and the fixed 0.9.2-3.3

[pam-shield_0.9.2-3.2-to-3.3.debdiff (application/octet-stream, attachment)]

Message #27 received at 658830@bugs.debian.org (full text, mbox, reply):

From: Jonathan Niehof <jtniehof@gmail.com>

To: 658830@bugs.debian.org

Date: Sat, 12 May 2012 13:25:38 -0600

A candidate CVE has been assigned: 2012-2350

Message #32 received at 658830-close@bugs.debian.org (full text, mbox, reply):

From: Jonathan Niehof <jtniehof@gmail.com>

To: 658830-close@bugs.debian.org

Subject: Bug#658830: fixed in pam-shield 0.9.2-3.3

Date: Sun, 13 May 2012 22:15:11 +0000

Source: pam-shield
Source-Version: 0.9.2-3.3

We believe that the bug you reported is fixed in the latest version of
pam-shield, which is due to be installed in the Debian FTP archive:

libpam-shield_0.9.2-3.3_amd64.deb
  to main/p/pam-shield/libpam-shield_0.9.2-3.3_amd64.deb
pam-shield_0.9.2-3.3.diff.gz
  to main/p/pam-shield/pam-shield_0.9.2-3.3.diff.gz
pam-shield_0.9.2-3.3.dsc
  to main/p/pam-shield/pam-shield_0.9.2-3.3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 658830@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Niehof <jtniehof@gmail.com> (supplier of updated pam-shield package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 26 Feb 2012 09:55:31 -0700
Source: pam-shield
Binary: libpam-shield
Architecture: source amd64
Version: 0.9.2-3.3
Distribution: unstable
Urgency: high
Maintainer: Mateusz Kaduk <mateusz@kaduk.net>
Changed-By: Jonathan Niehof <jtniehof@gmail.com>
Description: 
 libpam-shield - locks out remote attackers trying password guessing
Closes: 658830
Changes: 
 pam-shield (0.9.2-3.3) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2012-2350: block IPs when allow_missing_dns is no
     (Closes: #658830).
Checksums-Sha1: 
 ec15570454c63dfb89e8559f24edfd3d361cbe3a 2486 pam-shield_0.9.2-3.3.dsc
 ab779f05eb8899e7faa45528f8fe0ea5b2d96206 7904 pam-shield_0.9.2-3.3.diff.gz
 662ce4e13916f40cec743d4d0ffd3c05103ae141 24004 libpam-shield_0.9.2-3.3_amd64.deb
Checksums-Sha256: 
 bc8bd71ff3c9abdda289d3ecfd908bcbb3ef6c3e681cdb26fc2eee406cbdfb1c 2486 pam-shield_0.9.2-3.3.dsc
 72607006e707a681315d1a7214840dcebc315edeb77e79c33e8d2f63e4f4cd08 7904 pam-shield_0.9.2-3.3.diff.gz
 e78b63166f9d9e22307d60d5c8bdda20c6de15c209c9d401eace892bcb910832 24004 libpam-shield_0.9.2-3.3_amd64.deb
Files: 
 4f8c383885145d9195ad4846a718e263 2486 admin optional pam-shield_0.9.2-3.3.dsc
 a9c97b2a9c4f2f35a4ad6225d7399b32 7904 admin optional pam-shield_0.9.2-3.3.diff.gz
 28f6929cdd8d4621c261f579a1ca56b2 24004 admin optional libpam-shield_0.9.2-3.3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQQcBAEBCAAGBQJPsC0GAAoJELjWss0C1vRzMS4f/RVaVRdT5s4FQFxRT9eCczG8
bt+t7+CKWmjA0/X8q2H4uS/5OdyNcDcALhzFGqICfmt+J44/G7USli+WySGZx2gQ
bYs65BVf5/jng0AJvzAnQ0w+8wlShAzYnNDnzRPDrep6HG6qRqgwMm9V+/73WOex
dPRXDA0VKvYnD3Dc4FjvlD4dkK4i0NLcGCzavpJlWwbPdM1l8Bp7a/75X/es7xL7
MCj6sylUxCsANWtSxW9pw3VCt7GhnUz/yfIOk3ACcGBbK/LSIDT3h/ZwH08J0d4/
mTPsrF1Gkcgxl9sc2kaYlej3Y1Avc77mmWDacGIF6yKUjPFkbFAW4OW4CQRWkaES
xILmi1TOFtkwLsia6wpag9N99tEIY0EU/gZYwxx3iVT+v/Qu6x+bEFqgOS8brHnI
K8rQxSMMSrZX9W6CpWpMxBWsqtuEX9mHfqmOTWhwjQa1tv71CsVq7UtdY1Zru/yb
q82iUyzRTfDt4eZWejxH4bl6+Q17mLQnCvs+ZaGeXRxGP0gd/DUsk/w/7BQd779O
YNEbpz9DwQciup5NGDYJIZWrTZZodPgg6HF9nV7CG8h4n012IL4u6wbf3tzTA4eP
Cnd2jGRmOSjHrovCIOWIkTXee79JMJlvuOTuxTxSkmUg5JB7rAtMhOJRgKW92TL6
XVlhD214dL1Z+t4Qx5GiYWAb+JjfIOjq/riH35dGIBG1dM1U7dJJqL4IV7bUIlYd
pJpnPbgvkRp8DSM525WQNi8D3AJgJ1UScn5KXZPcrFM868MdAMxJYObRFxlIahEH
Afrqke555B2TFE7wVjEVauIFfjJSrmZl3hPy4W7Dyu8tz6iVaFQRr3LSrlGwyo0V
cZUvrIMGWhSzryoi5hbFBCn7nXb9Kno5uVlZ6iR49KK/IYZxZ4Qua2wgC2jQOsSx
oNcXPF1EOAjdNKu8++vHLploTb5rtD3XZofqtbM86KczAT69CJhOZfIUB3jblP1K
JFYqhk2rSx4TWIoREGZv6eVskmF/FyiTb34Wz4XJRtEdmqzFvsSKswRH4P/MuTFi
hejfU7TwIxhyqrvaL/VnodOpMvTDFVLj3G2m9BLddBA+tJStUdZA9v2jEV90ccjC
JGRSaJ/YCa5baN4DacYk+IjHS/aXAqIZnq9KGwWLVVDEswDxf9kSdfCHvrLdbXjS
TEWUgGZRqjOLDaEwJ5NXPOqBb6ACxPeAkQTLNerp7EOjb2h+WapGwYRqlHH63eRh
hTG1mF9eLnGatp5t4spgnYBEiU/X3fuLgTeIxZvetcbmATc5pSdLRBXubn1Qkw9K
9sZnN/XoRTXRsGATwesJ/O84X/nZqwo0xP5nXDyY4j4QftH6KKdjs2W20PM3msk=
=Ro8V
-----END PGP SIGNATURE-----

Message #37 received at 658830@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 658830@bugs.debian.org

Subject: Re: libpam-shield: doesn't block any IP when allow_missing_dns=no

Date: Sun, 08 Jul 2012 15:24:39 -0000

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/658830/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Send a report that this bug log contains spam.