Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 181213 - app-admin/denyhosts < 2.6-r1 Log injection / DoS (CVE-2007-{4323,5715})
Summary: app-admin/denyhosts < 2.6-r1 Log injection / DoS (CVE-2007-{4323,5715})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.ossec.net/en/attacking-log...
Whiteboard: B3 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-07 17:08 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-10-31 01:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2007-06-07 17:08:24 UTC
Another log injection issue in denyhosts.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-28 09:33:28 UTC
Adding netmon herd. This is a whole SSH DoS issue. The initial fix seems incomplete, i sent you an email.
Comment 2 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2007-06-28 12:01:47 UTC
Waiting on reply from upstream.

From my perspective this is an upstream issue. If I'm getting to the stage where I have to maintain a patchset from the main codebase then I'd rather just yank it from the tree as I'm not interested in maintaining security patches for what is after all meant to be a security tool.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-28 12:21:42 UTC
thanks for your reply, let's hope that upstream will fix this, otherwise we will have to mask this package.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2007-06-28 18:06:49 UTC
I think we should yank it, even if he does fix it, local users can still attack it with logger.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-16 14:58:57 UTC
Benjamin, any news from upstream?
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2007-09-13 15:13:55 UTC
I agree that this is upstream issue. But while we are waiting for news from UPSTREAM I've bumped ebuild with the fixes from redhat:
https://bugzilla.redhat.com/show_bug.cgi?id=237449
https://bugzilla.redhat.com/show_bug.cgi?id=244943
It should address this log injection.

Now I'm not sure what best shall we do, stabilize or mask. Taking short look at forums I'd say that users use it and it's better to keep. But personally I do not use this tool so I'd like somebody else to take this decision.
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-24 16:22:31 UTC
I think we should mask this one.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-09-24 18:08:13 UTC
(In reply to comment #7)
> I think we should mask this one.

Why? Masking doesn't make anything easier for us than stabling this.

It should be the maintainer's decision to Last-Rite and not that of Security once a security issue is fixed.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-24 18:18:36 UTC
@rbu It was just my personal opinion.

Arches please test and mark stable. Target keywords are:

denyhosts-2.6-r1.ebuild:KEYWORDS="alpha amd64 hppa ~ppc sparc x86"
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-24 18:25:49 UTC
x86 stable
Comment 11 Jeroen Roovers gentoo-dev 2007-09-25 00:26:06 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-09-25 14:28:27 UTC
alpha/sparc stable
Comment 13 Philippe Chaintreuil 2007-09-26 17:11:31 UTC
By the way, I just wanted to throw in my two cents as a user of this package.

I find it a helpful and useful program, and would be very sad if it was removed from the tree.

It is a little sad that UPSTREAM seems to be losing interest in this program.  He's getting slower and slower about fixing/improving things.  But I'd rather have this program than not have it.  Additionally I appreciate the maintainers of this ebuild for keeping it patched & working when it matters -- especially when UPSTREAM is slow/appears dead.


> local users can still attack it with logger.

I trust my local users -- that's why they have accounts.  I don't trust people trying to break into my machine from the internet -- that's why I use this program.

<rant>
I know, I know.... layers of security ... an onion....  But that's hog-wash if I don't have a defense from random people running scripts against my box from all over the world at all hours of the day.  At least if a local user starts doing something strange, I know where they live and can go smack them upside the head.  Plane tickets to China are too expensive.
</rant>
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-09-29 00:59:20 UTC
This is CVE-2007-4323.
Comment 15 Steve Dibb (RETIRED) gentoo-dev 2007-09-29 02:19:03 UTC
amd64 stable
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-09-29 09:00:19 UTC
B3 -> [glsa?]

Please vote.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-02 21:21:21 UTC
it can block SSH connections from everywhere. I vote yes.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-06 13:32:19 UTC
voting yes too, request filed.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-13 12:11:02 UTC
GLSA 200710-14, sorry for the delay.