Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 364883 (CVE-2009-5023) - <net-analyzer/fail2ban-0.8.4-r3: Insecure temp file usage (CVE-2009-5023)
Summary: <net-analyzer/fail2ban-0.8.4-r3: Insecure temp file usage (CVE-2009-5023)
Alias: CVE-2009-5023
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 392481
  Show dependency tree
Reported: 2011-04-26 03:35 UTC by Tim Sammut (RETIRED)
Modified: 2014-06-01 16:00 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-04-26 03:35:09 UTC
The debian bug at $URL references the insecure use of temp files by fail2ban. This can be see (crudely) in our package with:

# grep 'tmpfile = ' /var/tmp/portage/net-analyzer/fail2ban-0.8.4-r2/work/fail2ban-0.8.4/config/action.d/*

/var/tmp/portage/net-analyzer/fail2ban-0.8.4-r2/work/fail2ban-0.8.4/config/action.d/dshield.conf:tmpfile = /tmp/fail2ban-dshield
/var/tmp/portage/net-analyzer/fail2ban-0.8.4-r2/work/fail2ban-0.8.4/config/action.d/mail-buffered.conf:tmpfile = /tmp/fail2ban-mail.txt
/var/tmp/portage/net-analyzer/fail2ban-0.8.4-r2/work/fail2ban-0.8.4/config/action.d/mynetwatchman.conf:tmpfile = /tmp/fail2ban-mynetwatchman
/var/tmp/portage/net-analyzer/fail2ban-0.8.4-r2/work/fail2ban-0.8.4/config/action.d/sendmail-buffered.conf:tmpfile = /tmp/fail2ban-mail.txt

This does appear fixed in the upstream repository (as mentioned in the debian bug). Roughly the same test produces the following output for the upstream SVN snapshot:

# grep 'tmpfile = ' *

dshield.conf:tmpfile = /var/run/fail2ban/tmp-dshield
mail-buffered.conf:tmpfile = /var/run/fail2ban/tmp-mail.txt
mynetwatchman.conf:tmpfile = /var/run/fail2ban/tmp-mynetwatchman
sendmail-buffered.conf:tmpfile = /var/run/fail2ban/tmp-mail.txt
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2011-05-03 09:59:21 UTC
The target files remain the same, however the location has changed

/var/run/* is not writable by users, so *in theory* it can't be exploited by local or remote attackers.

If there are no objections, I will create a snapshot for this one
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-05-03 21:15:37 UTC
(In reply to comment #1)
> If there are no objections, I will create a snapshot for this one

No objections here. Thank you.
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2011-05-04 19:41:38 UTC
fail2ban-0.8.4-r3 is now on tree with the patch from the svn repository.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-05-04 22:33:55 UTC
(In reply to comment #3)
> fail2ban-0.8.4-r3 is now on tree with the patch from the svn repository.

Great, thank you.

Arches, please test and mark stable:
Target keywords : "amd64 hppa ppc ppc64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2011-05-05 11:22:01 UTC
amd64 ok
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2011-05-05 19:35:34 UTC
amd64 done. Thanks Agostino
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-06 02:41:12 UTC
Stable for HPPA.
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-05-06 07:47:57 UTC
x86 stable. Thanks
Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-14 10:58:55 UTC
ppc/ppc64 stable, last arch done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 15:07:39 UTC
Thanks, everyone.

GLSA Vote: Yes.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-21 11:31:28 UTC
GLSA vote: Yes. GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 16:00:58 UTC
This issue was resolved and addressed in
 GLSA 201406-03 at
by GLSA coordinator Chris Reffett (creffett).