'Re: [oss-security] CVE request: fail2ban 0.8.8 fixes an input variable quoting flaw on <matches> con'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: fail2ban 0.8.8 fixes an input variable quoting flaw on <matches> con
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-12-17 17:22:32
Message-ID: 50CF54D8.50003 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/17/2012 08:41 AM, Vincent Danen wrote:
> Could a CVE be assigned to this issue please?
> 
> The release notes for fail2ban 0.8.8 indicate:
> 
> * [83109bc] IMPORTANT: escape the content of <matches> (if used in 
> custom action files) since its value could contain arbitrary 
> symbols.  Thanks for discovery go to the NBS System security team
> 
> This could cause issues on the system running fail2ban as it scans
> log files, depending on what content is matched.  There isn't much
> more detail about this issue than what is described above, so I
> think it may largely depend on the type of regexp used (what it
> matches) and the contents of the log file being scanned (whether or
> not an attacher could insert something that could be used in a
> malicious way).
> 
> References:
> 
> https://raw.github.com/fail2ban/fail2ban/master/ChangeLog 
> http://sourceforge.net/mailarchive/message.php?msg_id=30193056 
> https://github.com/fail2ban/fail2ban/commit/83109bc 
> https://bugzilla.redhat.com/show_bug.cgi?id=887914 
> https://bugs.gentoo.org/show_bug.cgi?id=447572
> 

Please use CVE-2012-5642 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQz1TYAAoJEBYNRVNeJnmTQdgP/jRbo8ReeQJzUxAqsc0JiJ1a
fC6e4hnTeYw1y8007NZkxbmdnvsgZvtFvUiBe6ovuGidIKXSWqYH3LjoC/0Oim4T
NNTnL1wG8Ri93akY56/pyyHeZGamo1Ss1Kv4BgM0MXFfOOWTJmGPz1jn52E4VtBC
gnVHIZ/gNxVbIVj0QVaj3tDJOhweg9ACkunVwDasMTRi1MgQKmT3i8IVgWsVGaAo
xzxE1T1RXygjtbJNpMlBDmZP4+OjSeAzavAw81OP4j/Tse68PcBA2givh0SNG97T
neEDyWtL8IvMxYPelgUyWi0jWHv96ymuKwfzkST81+yjSYc2JqN0FnOSa2kCjCtb
tCG3K/Y2AKCbi8JozTjgDj1wTSh5I6z9DXiARan9m+JfZYChoESiQ960H1VGEd3t
qJL43vr2FnWTHpClwp4O/CQyQ4XeN8ttxTgZdvZbYUZraSFxpNZfdW1dGVwrR4Kg
opg06obA4B22o/JZmC7ZRFhFr/idY8IDXtRuuUJPnY9C6UazfP/Zv4EnylTMuYCY
CvvL58t3SnruoJHplr8d6uZWrPgSqdK7XRFGIm/L7ISuNMe67swXa3SF8+gshpXu
IIFa8qOK6QIejFMAT2BW5Xlp0Q/m3RB2cnVmEK000rLkuFlj2eYZr0aftD8uJ3Ub
vZg8/UeljGebpb7n+7w3
=mKR4
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic