Bug 802513 (CVE-2021-32749)

Summary: net-analyzer/fail2ban: code execution via malicious whois responses (CVE-2021-32749)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: eras, hlein, sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
Whiteboard: B2 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 802867    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-16 23:30:07 UTC
CVE-2021-32749:

fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote code execution in the mailing action mail-whois. Command `mail` from mailutils package used in mail actions like `mail-whois` can execute command if unescaped sequences (`\n~`) are available in "foreign" input (for instance in whois output). To exploit the vulnerability, an attacker would need to insert malicious characters into the response sent by the whois server, either via a MITM attack or by taking over a whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a workaround, one may avoid the usage of action `mail-whois` or patch the vulnerability manually.


Patch in 0.11.3, please bump.
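
The condition the description names, a `~` at the start of a line in foreign input, can be checked for and neutralized before the text reaches `mail`. The following is an added example, not code from this bug report, fail2ban or mailutils; the function names and the sample text are hypothetical, and prefixing a space is one possible neutralization assumed here, not the upstream fix. It also covers a tilde on the very first line, which a plain search for `\n~` would miss.

```python
import re

# A '~' counts as line-initial at the very start of the text or right after
# a line terminator. Treating a bare "\r" as a terminator is a conservative
# assumption of this sketch, not documented mail(1) behaviour.
LINE_START_TILDE = re.compile(r"(^|[\r\n])~")
LINE_BREAK = re.compile(r"\r\n|\r|\n")

# Constructed sample, not a real whois response.
SAMPLE_WHOIS = (
    "domain: example.invalid\n"
    "~ constructed line starting with a tilde\r\n"
    "status: ok\r"
    "~second constructed line\n"
    "  ~indented tilde is not at column 0\n"
)


def find_tilde_escapes(text):
    """Return (line_number, line) for each line that begins with '~'."""
    lines = LINE_BREAK.split(text)
    return [(n, line) for n, line in enumerate(lines, start=1)
            if line.startswith("~")]


def neutralize_tilde_escapes(text):
    """Insert a space before every line-initial '~' so it leaves column 0."""
    return LINE_START_TILDE.sub(r"\1 ~", text)


if __name__ == "__main__":
    for number, line in find_tilde_escapes(SAMPLE_WHOIS):
        print(f"line {number}: {line!r}")
    cleaned = neutralize_tilde_escapes(SAMPLE_WHOIS)
    print("remaining:", find_tilde_escapes(cleaned))
```
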
Comment 1 Hank Leininger 2021-07-17 17:47:10 UTC
Note, the fix is broken at least with mailx. I've filed a bug upstream:

https://github.com/fail2ban/fail2ban/issues/3059

tl;dr their fix is not needed on systems where mail(1) comes from mailx, and in fact, breaks fail2ban on those systems.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-20 03:55:58 UTC
I kept an eye on the upstream bug Hank (CC'd) linked to and he ended up concluding this is a bug in GNU mailutils [0].

It's now been fixed [1] there, so we should try backport the patch if they're not going to make a release shortly.

[0] https://savannah.gnu.org/bugs/index.php?60937
[1] https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=4befcfd015256c568121653038accbd84820198f
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-21 04:51:15 UTC
(In reply to Sam James from comment #2)
> I kept an eye on the upstream bug Hank (CC'd) linked to and he ended up
> concluding this is a bug in GNU mailutils [0].
> 
> It's now been fixed [1] there, so we should try backport the patch if
> they're not going to make a release shortly.
> 

Pinged upstream: https://savannah.gnu.org/bugs/index.php?60937#comment2.
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:09:23 UTC
Package list is empty or all packages have requested keywords.
Comment 11 Hank Leininger 2021-07-30 00:47:07 UTC
Since this problem is confined to an interaction with mailutils, would it be appropriate to update RDEPEND to !net-mail/mailutils ? Either for any version (since no fixed ones are available yet) or for <= the current release since we expect the next release to include the already-committed fix (and even an -rN bump of mailutils that cherry-picks that fix would be sufficient)?

Huh, funny thing, fail2ban has no virtual/mailx dependency, and it doesn't seem that virtual is required by @system. So potentially one could have fail2ban with no mailer at all, and thus not be vulnerable because the relevant actions would not be functional.
Comment 12 Larry the Git Cow gentoo-dev 2021-07-30 07:08:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ba91eed15ea76165f60e3478cd4461ce3d0cd3d

commit 4ba91eed15ea76165f60e3478cd4461ce3d0cd3d
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-07-30 07:07:37 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-07-30 07:07:37 +0000

    net-mail/mailutils: disable escapes in non-interactive mode
    
    unlike other mail(1) implementations, mailutils mail command allowed
    escape characters in non-interactive mode, resulting in CVE-2021-32749
    in fail2ban package. backport fix for mailutils-3.12
    
    Bug: https://bugs.gentoo.org/802513
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 .../files/mailutils-3.12-disable_escapes.patch     |  24 ++++
 net-mail/mailutils/mailutils-3.12-r3.ebuild        | 144 +++++++++++++++++++++
 2 files changed, 168 insertions(+)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 23:00:53 UTC
Ping. Looks like this can be fixed in fail2ban too?