kumquat-buildroot/package/fail2ban/0001-fixed-possible-RCE-vulnerability-unset-escape-variable.patch
Fabrice Fontaine 6a7decee50 package/fail2ban: fix CVE-2021-32749
fail2ban is a daemon to ban hosts that cause multiple authentication
errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0
through 0.11.2, there is a vulnerability that leads to possible remote
code execution in the mailing action mail-whois. Command `mail` from
mailutils package used in mail actions like `mail-whois` can execute
command if unescaped sequences (`\n~`) are available in "foreign" input
(for instance in whois output). To exploit the vulnerability, an
attacker would need to insert malicious characters into the response
sent by the whois server, either via a MITM attack or by taking over a
whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a
workaround, one may avoid the usage of action `mail-whois` or patch the
vulnerability manually.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-30 23:35:17 +02:00

159 lines
7.0 KiB
Diff

From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Mon, 21 Jun 2021 17:12:53 +0200
Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
(default tilde) stops consider "~" char after new-line as composing escape
sequence
[Retrieved from:
https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
config/action.d/complain.conf | 2 +-
config/action.d/dshield.conf | 2 +-
config/action.d/mail-buffered.conf | 8 ++++----
config/action.d/mail-whois-lines.conf | 2 +-
config/action.d/mail-whois.conf | 6 +++---
config/action.d/mail.conf | 6 +++---
6 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
index 3a5f882c9f..4d73b05859 100644
--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@@ -102,7 +102,7 @@ logpath = /dev/null
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
index c128bef348..3d5a7a53a9 100644
--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
@@ -179,7 +179,7 @@ tcpflags =
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
index 325f185b2f..79b841049c 100644
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
rm <tmpfile>
fi
printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
\nRegards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
rm <tmpfile>
fi
diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
index 3a3e56b2c7..d2818cb9b9 100644
--- a/config/action.d/mail-whois-lines.conf
+++ b/config/action.d/mail-whois-lines.conf
@@ -72,7 +72,7 @@ actionunban =
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
# Default name of the chain
#
diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
index 7fea34c40d..ab33b616dc 100644
--- a/config/action.d/mail-whois.conf
+++ b/config/action.d/mail-whois.conf
@@ -20,7 +20,7 @@ norestored = 1
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
index 5d8c0e154c..f4838ddcb6 100644
--- a/config/action.d/mail.conf
+++ b/config/action.d/mail.conf
@@ -16,7 +16,7 @@ norestored = 1
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the