Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 499802 (CVE-2013-7176) - <net-analyzer/fail2ban-0.8.12 : Client IP Address Spoofing Weaknesses (CVE-2013-7176)
Summary: <net-analyzer/fail2ban-0.8.12 : Client IP Address Spoofing Weaknesses (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2013-7176
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/56691/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-30 16:27 UTC by Agostino Sarubbo
Modified: 2014-06-01 16:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-01-30 16:27:36 UTC
From ${URL} :

Description

Some weaknesses have been reported in Fail2ban, which can be exploited by malicious people to conduct 
spoofing attacks.

1) Multiple errors in regular expressions within the cyrus-imap filter can be exploited to e.g. spoof 
client IP addresses and subsequently cause arbitrary IP addresses to be banned.

2) Two errors in regular expressions within the postfix filter can be exploited to e.g. spoof client IP 
addresses and subsequently cause arbitrary IP addresses to be banned.

3) Some errors in regular expressions within unspecified filters can be exploited to e.g. spoof client IP 
addresses and subsequently cause arbitrary IP addresses to be banned.

The weaknesses are reported in versions prior to 0.8.11.


Solution:
Update to version 0.8.11 or later.

Provided and/or discovered by:
1, 2) US-CERT credits Steven Hiscocks.
3) Reported by the vendor.

Original Advisory:
Fail2ban:
https://github.com/fail2ban/fail2ban/blob/master/ChangeLog

US-CERT (VU#686662):
http://www.kb.cert.org/vuls/id/686662


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers gentoo-dev 2014-01-30 21:58:42 UTC
0.8.11 should fix this, but 0.8.12 is out and should fix[1] the fix.


[1] https://github.com/fail2ban/fail2ban/releases/tag/0.8.12
Comment 2 Jeroen Roovers gentoo-dev 2014-01-30 22:09:21 UTC
Arch teams, please test and mark stable:
=net-analyzer/fail2ban-0.8.12
Targeted stable KEYWORDS : amd64 hppa ppc ppc64 x86
Comment 3 Jeroen Roovers gentoo-dev 2014-02-01 11:42:10 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-01 22:45:59 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-01 22:47:56 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-02 11:05:29 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-09 08:24:03 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Chris Reffett gentoo-dev Security 2014-02-09 14:32:02 UTC
GLSA vote: yes.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-02-09 15:01:20 UTC
CVE-2013-7176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7176):
  config/filter.d/postfix.conf in the postfix filter in Fail2ban before 0.8.11
  allows remote attackers to trigger the blocking of an arbitrary IP address
  via a crafted e-mail address that matches an improperly designed regular
  expression.
Comment 10 Sergey Popov gentoo-dev 2014-02-11 09:12:47 UTC
Added to existing GLSA draft
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-05-15 18:44:43 UTC
Cleanup already done be jer.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 16:01:02 UTC
This issue was resolved and addressed in
 GLSA 201406-03 at http://security.gentoo.org/glsa/glsa-201406-03.xml
by GLSA coordinator Chris Reffett (creffett).