[Buildroot] [PATCH 1/1] package/fail2ban: fix CVE-2021-32749
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Fri Jul 30 21:36:18 UTC 2021
On Fri, 30 Jul 2021 14:56:11 +0200
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> fail2ban is a daemon to ban hosts that cause multiple authentication
> errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0
> through 0.11.2, there is a vulnerability that leads to possible remote
> code execution in the mailing action mail-whois. Command `mail` from
> mailutils package used in mail actions like `mail-whois` can execute
> command if unescaped sequences (`\n~`) are available in "foreign" input
> (for instance in whois output). To exploit the vulnerability, an
> attacker would need to insert malicious characters into the response
> sent by the whois server, either via a MITM attack or by taking over a
> whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a
> workaround, one may avoid the usage of action `mail-whois` or patch the
> vulnerability manually.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> ...-vulnerability-unset-escape-variable.patch | 158 ++++++++++++++++++
> package/fail2ban/fail2ban.mk | 3 +
> 2 files changed, 161 insertions(+)
> create mode 100644 package/fail2ban/0001-fixed-possible-RCE-vulnerability-unset-escape-variable.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
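The mechanism described in the quoted commit message above, as an added example that is not part of the original thread or of fail2ban's own patch: a small Python filter a defender could run over untrusted whois output before it is handed to `mail`, reporting any line that begins with a tilde (the escape character `mail` acts on) and neutralizing such lines. The sample whois text and the function names are constructed for this example. fail2ban's actual fix, going by the patch title, unsets mail's escape variable so that no escape processing happens at all; the filter below is an input-side mitigation a reviewer might pair with that, not a replacement for it.

```python
import re

# Constructed whois-style output, not real registry data. The third line
# starts with '~', which `mail` would interpret as a tilde escape instead of text.
SAMPLE_WHOIS = (
    "Domain Name: example.test\n"
    "Registrar: Example Registrar\n"
    "~constructed-escape-line\n"
    "Name Server: ns1.example.test\n"
)

# A tilde is only special to `mail` when it is the first character of a line,
# so match '~' at the start of any line (MULTILINE makes ^ match after each \n).
TILDE_AT_LINE_START = re.compile(r"^~", re.MULTILINE)


def find_tilde_escapes(text):
    """Return (line_number, line) for every line that starts with '~'.

    Useful for review or alerting: hostile tilde lines in whois output are the
    condition CVE-2021-32749 depends on, and legitimate whois records have no
    reason to begin a line with a tilde.
    """
    return [
        (number, line)
        for number, line in enumerate(text.splitlines(), start=1)
        if line.startswith("~")
    ]


def neutralize_tilde_escapes(text):
    """Prefix a space to every line that starts with '~'.

    Because `mail` only treats a tilde as an escape in column one, shifting it
    by one character keeps the content visible in the report while removing
    its special meaning. The rest of the text is left untouched.
    """
    return TILDE_AT_LINE_START.sub(" ~", text)


if __name__ == "__main__":
    for number, line in find_tilde_escapes(SAMPLE_WHOIS):
        print(f"line {number} starts with a tilde escape: {line!r}")
    print(neutralize_tilde_escapes(SAMPLE_WHOIS))
```

Disabling escape processing in `mail` itself is the stronger control, since it does not depend on anticipating every way a tilde can reach column one; the filter above is there to make the hostile input visible in logs and to protect any other action that still feeds whois output to a tilde-aware mailer.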