
Bug 499802 (CVE-2013-7176)

Summary: <net-analyzer/fail2ban-0.8.12 : Client IP Address Spoofing Weaknesses (CVE-2013-7176)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: netmon
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/56691/
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-01-30 16:27:36 UTC
From ${URL} :

Description

Some weaknesses have been reported in Fail2ban, which can be exploited by malicious people to conduct spoofing attacks.

1) Multiple errors in regular expressions within the cyrus-imap filter can be exploited to e.g. spoof client IP addresses and subsequently cause arbitrary IP addresses to be banned.

2) Two errors in regular expressions within the postfix filter can be exploited to e.g. spoof client IP addresses and subsequently cause arbitrary IP addresses to be banned.

3) Some errors in regular expressions within unspecified filters can be exploited to e.g. spoof client IP addresses and subsequently cause arbitrary IP addresses to be banned.

The weaknesses are reported in versions prior to 0.8.11.


Solution:
Update to version 0.8.11 or later.

Provided and/or discovered by:
1, 2) US-CERT credits Steven Hiscocks.
3) Reported by the vendor.

Original Advisory:
Fail2ban:
https://github.com/fail2ban/fail2ban/blob/master/ChangeLog

US-CERT (VU#686662):
http://www.kb.cert.org/vuls/id/686662


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers gentoo-dev 2014-01-30 21:58:42 UTC
0.8.11 should fix this, but 0.8.12 is out and should fix[1] the fix.


[1] https://github.com/fail2ban/fail2ban/releases/tag/0.8.12
Comment 2 Jeroen Roovers gentoo-dev 2014-01-30 22:09:21 UTC
Arch teams, please test and mark stable:
=net-analyzer/fail2ban-0.8.12
Targeted stable KEYWORDS : amd64 hppa ppc ppc64 x86
Comment 3 Jeroen Roovers gentoo-dev 2014-02-01 11:42:10 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-01 22:45:59 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-01 22:47:56 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-02 11:05:29 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-09 08:24:03 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-09 14:32:02 UTC
GLSA vote: yes.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-02-09 15:01:20 UTC
CVE-2013-7176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7176):
  config/filter.d/postfix.conf in the postfix filter in Fail2ban before 0.8.11
  allows remote attackers to trigger the blocking of an arbitrary IP address
  via a crafted e-mail address that matches an improperly designed regular
  expression.
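The weakness class named in the CVE text above (a filter regex that captures a host from a part of the log line the remote sender controls) can be checked with a small filter audit. The following is an added illustration, not code from fail2ban or from this bug's fix: the log lines, the client address 192.0.2.10, the stray address 203.0.113.5 and both regular expressions are constructed here, and the loose pattern is a simplified stand-in for the weakness, not fail2ban's actual postfix.conf failregex.

```python
import re

# Constructed Postfix smtpd reject lines (not captured from a real server).
# The connecting client is always unknown[192.0.2.10]; the second line's
# recipient address carries text shaped like a bracketed client address.
REAL_CLIENT = "192.0.2.10"
NORMAL_LINE = (
    "Jan 30 16:27:36 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <nobody@example.invalid>: Relay access "
    "denied; from=<a@example.invalid> to=<nobody@example.invalid> proto=ESMTP"
)
CRAFTED_LINE = (
    "Jan 30 16:27:36 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <nobody@example.invalid>: Relay access "
    "denied; from=<a@example.invalid> to=<x[203.0.113.5]@example.invalid> proto=ESMTP"
)

# Loose pattern (constructed to show the weakness class, not fail2ban's own
# failregex): the greedy ".*" may run past the client field into data that the
# remote sender controls, so the bracketed address it captures can be anyone's.
LOOSE_PATTERN = re.compile(r"reject: RCPT from .*\[(?P<host>\S+)\]")

# Hardened pattern: the client name may not contain whitespace or "[", the
# captured host must look like an address, and the "]: " that closes the client
# field is required, so the capture cannot drift into sender-supplied text.
STRICT_PATTERN = re.compile(
    r"reject: RCPT from [^\s\[]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
)


def extract_host(pattern, line):
    """Return the host a filter pattern would hand to the ban action, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def spoofable(pattern, line, real_client):
    """True when the pattern would ban something other than the connecting client."""
    host = extract_host(pattern, line)
    return host is not None and host != real_client


def audit_filter(pattern, samples):
    """Run a pattern over (line, real_client) pairs; return the lines it gets wrong."""
    return [line for line, client in samples if spoofable(pattern, line, client)]


SAMPLES = [(NORMAL_LINE, REAL_CLIENT), (CRAFTED_LINE, REAL_CLIENT)]

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, "normal ->", extract_host(pat, NORMAL_LINE),
              "| crafted ->", extract_host(pat, CRAFTED_LINE),
              "| lines audited as wrong:", len(audit_filter(pat, SAMPLES)))
```

The audit is the useful part for a deployment: keep a handful of log lines whose true client address you know, including ones with odd sender-supplied fields, and check that every filter you enable extracts exactly that address from each of them before the ban action ever sees the result.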
Comment 10 Sergey Popov gentoo-dev 2014-02-11 09:12:47 UTC
Added to existing GLSA draft
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-05-15 18:44:43 UTC
Cleanup already done by jer.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 16:01:02 UTC
This issue was resolved and addressed in
 GLSA 201406-03 at http://security.gentoo.org/glsa/glsa-201406-03.xml
by GLSA coordinator Chris Reffett (creffett).