Date: Mon, 17 Dec 2012 10:22:32 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: fail2ban 0.8.8 fixes an input variable quoting flaw on <matches> content


On 12/17/2012 08:41 AM, Vincent Danen wrote:
> Could a CVE be assigned to this issue please?
> 
> The release notes for fail2ban 0.8.8 indicate:
> 
> * [83109bc] IMPORTANT: escape the content of <matches> (if used in 
> custom action files) since its value could contain arbitrary 
> symbols.  Thanks for discovery go to the NBS System security team
> 
> This could cause issues on the system running fail2ban as it scans
> log files, depending on what content is matched.  There isn't much
> more detail about this issue than what is described above, so I
> think it may largely depend on the type of regexp used (what it
> matches) and the contents of the log file being scanned (whether or
> not an attacker could insert something that could be used in a
> malicious way).
> 
> References:
> 
> https://raw.github.com/fail2ban/fail2ban/master/ChangeLog 
> http://sourceforge.net/mailarchive/message.php?msg_id=30193056 
> https://github.com/fail2ban/fail2ban/commit/83109bc 
> https://bugzilla.redhat.com/show_bug.cgi?id=887914 
> https://bugs.gentoo.org/show_bug.cgi?id=447572
> 

Please use CVE-2012-5642 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
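The quoting issue Vincent describes, as an added illustration that is neither fail2ban's code nor part of this thread: a constructed action template, a constructed log line and an assumed escape set contrast verbatim substitution of <matches> (pre-0.8.8 behaviour) with escaped substitution, and Python's shlex shows how a POSIX shell would tokenise each result. Assumes Python 3.8+ (shlex's punctuation_chars and whitespace_split work together from that version).

```python
"""Illustration of the fail2ban 0.8.8 <matches> quoting flaw (not fail2ban's code).

A fail2ban action is a shell command template; tags such as <ip> and <matches>
are substituted before it runs.  Before 0.8.8 the <matches> tag (the log lines
that triggered the ban) was inserted verbatim, so shell metacharacters in a
log line became part of the command.  Template, log line and escape set below
are constructed for this example.
"""
import shlex

# Constructed custom action template that uses <matches> unquoted.
ACTION_TEMPLATE = "logger -t fail2ban Banned <ip>: <matches>"

# Constructed log line; the "user" field is chosen by whoever tried to log in,
# so its content (here backticks and a semicolon) is not under our control.
LOG_LINE = "Failed password for invalid user `id`; echo injected from 203.0.113.7"

# Shell metacharacters the hardened path backslash-escapes (assumed set).
SHELL_META = "\\#&;`|*?~<>^()[]{}$'\""
CONTROL_OPERATORS = {";", "|", "&", "&&", "||"}


def escape_tag(value):
    """Backslash-escape every shell metacharacter so the value stays literal."""
    return "".join("\\" + c if c in SHELL_META else c for c in value)


def render_action(template, tags, escape_matches):
    """Substitute <tag> placeholders; escape_matches=False mimics pre-0.8.8."""
    command = template
    for tag, value in tags.items():
        if tag == "matches" and escape_matches:
            value = escape_tag(value)
        command = command.replace("<" + tag + ">", value)
    return command


def shell_tokens(command):
    """Tokenise like a POSIX shell, with ; | & emitted as separate operator tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # treat '#' as data, not as a comment marker
    return list(lexer)


def runs_single_command(command):
    """True when no control operator survives tokenisation (no second command)."""
    return CONTROL_OPERATORS.isdisjoint(shell_tokens(command))


TAGS = {"ip": "203.0.113.7", "matches": LOG_LINE}
UNESCAPED = render_action(ACTION_TEMPLATE, TAGS, escape_matches=False)
ESCAPED = render_action(ACTION_TEMPLATE, TAGS, escape_matches=True)

if __name__ == "__main__":
    print("pre-0.8.8:", shell_tokens(UNESCAPED))  # ';' then 'echo' starts a 2nd command
    print("0.8.8    :", shell_tokens(ESCAPED))    # '`id`;' stays one literal word
```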

