From: Fabrice Fontaine Date: Fri, 30 Jul 2021 12:56:11 +0000 (+0200) Subject: package/fail2ban: fix CVE-2021-32749 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=6a7decee50fb402a28aa2e95e63a74cbcf3d6b26;p=buildroot.git package/fail2ban: fix CVE-2021-32749 fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote code execution in the mailing action mail-whois. Command `mail` from mailutils package used in mail actions like `mail-whois` can execute command if unescaped sequences (`\n~`) are available in "foreign" input (for instance in whois output). To exploit the vulnerability, an attacker would need to insert malicious characters into the response sent by the whois server, either via a MITM attack or by taking over a whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a workaround, one may avoid the usage of action `mail-whois` or patch the vulnerability manually. Signed-off-by: Fabrice Fontaine Signed-off-by: Thomas Petazzoni --- diff --git a/package/fail2ban/0001-fixed-possible-RCE-vulnerability-unset-escape-variable.patch b/package/fail2ban/0001-fixed-possible-RCE-vulnerability-unset-escape-variable.patch new file mode 100644 index 0000000000..6d44f41d85 --- /dev/null +++ b/package/fail2ban/0001-fixed-possible-RCE-vulnerability-unset-escape-variable.patch @@ -0,0 +1,158 @@ +From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Mon, 21 Jun 2021 17:12:53 +0200 +Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable + (default tilde) stops consider "~" char after new-line as composing escape + sequence + +[Retrieved from: +https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844] +Signed-off-by: Fabrice Fontaine +--- + config/action.d/complain.conf | 2 +- + config/action.d/dshield.conf | 2 +- + config/action.d/mail-buffered.conf | 8 ++++---- + config/action.d/mail-whois-lines.conf | 2 +- + config/action.d/mail-whois.conf | 6 +++--- + config/action.d/mail.conf | 6 +++--- + 6 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf +index 3a5f882c9f..4d73b05859 100644 +--- a/config/action.d/complain.conf ++++ b/config/action.d/complain.conf +@@ -102,7 +102,7 @@ logpath = /dev/null + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf +index c128bef348..3d5a7a53a9 100644 +--- a/config/action.d/dshield.conf ++++ b/config/action.d/dshield.conf +@@ -179,7 +179,7 @@ tcpflags = + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf +index 325f185b2f..79b841049c 100644 +--- a/config/action.d/mail-buffered.conf ++++ b/config/action.d/mail-buffered.conf +@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Output will be buffered until lines are available.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -28,13 +28,13 @@ actionstop = if [ -f ]; then + These hosts have been banned by Fail2Ban.\n + `cat ` + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : Summary from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary from " + rm + fi + printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: ( failures)\n" >> + These hosts have been banned by Fail2Ban.\n + `cat ` + \nRegards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : Summary" ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary" + rm + fi + +diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf +index 3a3e56b2c7..d2818cb9b9 100644 +--- a/config/action.d/mail-whois-lines.conf ++++ b/config/action.d/mail-whois-lines.conf +@@ -72,7 +72,7 @@ actionunban = + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Default name of the chain + # +diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf +index 7fea34c40d..ab33b616dc 100644 +--- a/config/action.d/mail-whois.conf ++++ b/config/action.d/mail-whois.conf +@@ -20,7 +20,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n + Here is more information about :\n + `%(_whois_command)s`\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : banned from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " + + # Option: actionunban + # Notes.: command executed when unbanning an IP. Take care that the +diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf +index 5d8c0e154c..f4838ddcb6 100644 +--- a/config/action.d/mail.conf ++++ b/config/action.d/mail.conf +@@ -16,7 +16,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n + The IP has just been banned by Fail2Ban after + attempts against .\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : banned from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " + + # Option: actionunban + # Notes.: command executed when unbanning an IP. Take care that the diff --git a/package/fail2ban/fail2ban.mk b/package/fail2ban/fail2ban.mk index 6b92a9f642..9202dc1ddd 100644 --- a/package/fail2ban/fail2ban.mk +++ b/package/fail2ban/fail2ban.mk @@ -12,6 +12,9 @@ FAIL2BAN_CPE_ID_VENDOR = fail2ban FAIL2BAN_SELINUX_MODULES = fail2ban FAIL2BAN_SETUP_TYPE = distutils +# 0001-fixed-possible-RCE-vulnerability-unset-escape-variable.patch +FAIL2BAN_IGNORE_CVES += CVE-2021-32749 + ifeq ($(BR2_PACKAGE_PYTHON3),y) define FAIL2BAN_PYTHON_2TO3 $(HOST_DIR)/bin/2to3 --write --nobackups --no-diffs $(@D)/bin/* $(@D)/fail2ban