Launchpad has imported 10 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=244943.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2007-06-19T23:42:56+00:00 Jonathan wrote:

Description of problem:

See this:

http://www.ossec.net/en/attacking-loganalysis.html#denyhosts

which details a DOS vulnerability in the current version of Denyhosts (2.6). In particular this part details the problem and the fix:

"
FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")

It is basically looking for "User from .." anywhere in the log, not checking if it is in the middle of the "bad protocol version" log. How do we fix that? Just make the regex more robust (an "$" at the end would solve it)!

You may think it is not a big deal but what if instead of one IP address I pass all? -- all on hosts.deny means block every IP. Would it block the whole internet out of the box? Yes, it would!
"

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/0

------------------------------------------------------------------------
On 2007-06-19T23:48:27+00:00 Jonathan wrote:

A perhaps clearer description of the fix:

We spoke with DenyHosts author, Phil Schwartz, but no official patch is available yet.
However, by changing the FAILED_ENTRY_REGEX5 (at regex.py) to the following, fixes the problem:

FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/1

------------------------------------------------------------------------
On 2007-06-19T23:53:35+00:00 Jonathan wrote:

Created attachment 157433
Fix DOS vulnerability in REGEX5

Trivial patch - thought it might save you a few mins :)

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/2

------------------------------------------------------------------------
On 2007-06-19T23:54:59+00:00 Jason wrote:

Actually I've already applied a fix and a build is in progress.

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/3

------------------------------------------------------------------------
On 2007-06-19T23:57:22+00:00 Jonathan wrote:

Oh, ok, sorry for the noise.

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/4

------------------------------------------------------------------------
On 2007-06-20T00:04:28+00:00 Jason wrote:

Builds:
http://koji.fedoraproject.org/koji/buildinfo?buildID=9311 (f8)
http://koji.fedoraproject.org/koji/buildinfo?buildID=9312 (f7)

I will push the f7 package to updates-testing as soon as it's finished. Testing would be appreciated. I'll push it to release tomorrow if there are no issues.

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/5

------------------------------------------------------------------------
On 2007-06-20T00:12:25+00:00 Jonathan wrote:

OK, I just pulled the F7 build from Koji and installed it. Inspecting regex.py I see the correct fix to REGEX5, as well as the previous fix to REGEX7 and so all looks well to me.

# diff -u /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original regex.py --- /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original 2007-06-20 00:50:28.000000000 +0100 +++ regex.py 2007-06-20 01:05:47.000000000 +0100 
@@ -17,11 +17,11 @@ FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""") -FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""") +FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""") FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") -FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""") +FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""") # these are reserved for future versions

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/6

------------------------------------------------------------------------
On 2007-06-20T02:06:01+00:00 Jason wrote:

OK, exploit tested here on fixed package with no effect. Fix committed to eight branches and built for six. Push to F7 release requested.

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/7

------------------------------------------------------------------------
On 2007-06-20T20:05:43+00:00 Fedora wrote:

denyhosts-2.6-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/8

------------------------------------------------------------------------
On 2007-08-15T10:29:19+00:00 Lubomir wrote:

*** Bug 252291 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/162406/comments/9


** Changed in: denyhosts (Fedora)
   Importance: Unknown => High

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/162406

Title:
  CVE-2007-4323: DoS via log injection
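
Review bot: In the regex.py hunk (@@ -17,11 +17,11 @@), the +FAILED_ENTRY_REGEX5 line gains only a trailing $, so (?P<host>.*) still accepts arbitrary text as the host and the pattern has no anchor at its start. Suggest giving it the strict host group that the new FAILED_ENTRY_REGEX7 line in the same hunk uses, (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}), so that only a value in dotted-quad form can be reported for blocking. The new FAILED_ENTRY_REGEX7 in turn has no trailing $, and the unchanged context line for FAILED_ENTRY_REGEX4 still ends in an open (?P<host>.*); both would benefit from the same anchoring and host restriction in this change.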
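
The REGEX5 behaviour discussed in this thread, as an added regression check (not DenyHosts code and not part of the bug report). The two patterns are copied from the diff above; the sample messages are constructed, the use of search() is an assumption about how the pattern is applied, and is_ip_literal() is a hypothetical extra guard that the patch does not contain.

```python
import ipaddress
import re

# Both patterns are copied from the regex.py diff in this thread.
REGEX5_OLD = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
REGEX5_NEW = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")

# Constructed sample messages, syslog prefix already removed.
GENUINE = ("User alice from 192.0.2.10 not allowed because none of "
           "user's groups are listed in AllowGroups")
# The quoted text is supplied by the remote peer; the peer itself is 198.51.100.7.
INJECTED = ("Bad protocol version identification 'User x from 203.0.113.5 "
            "not allowed because none of user's groups are listed in "
            "AllowGroups' from 198.51.100.7")


def extract_host(pattern, message):
    """Return the host the pattern reports for this message, or None."""
    # Assumption: the pattern is applied with search(), i.e. anywhere in the line.
    match = pattern.search(message)
    return match.group("host") if match else None


def is_ip_literal(host):
    """Extra guard, not part of the patch: accept only IP address literals."""
    try:
        ipaddress.ip_address(host)
    except (ValueError, TypeError):
        return False
    return True


def compare(messages):
    """Return (label, host via old pattern, host via fixed pattern) per message."""
    return [(label, extract_host(REGEX5_OLD, msg), extract_host(REGEX5_NEW, msg))
            for label, msg in messages]


if __name__ == "__main__":
    for label, old, new in compare([("genuine", GENUINE), ("injected", INJECTED)]):
        print(f"{label:9} old={old!r:16} new={new!r}")
    print("'all' accepted as address:", is_ip_literal("all"))
```

With the old pattern the injected line reports the address from the quoted text rather than the connecting peer; with the $ anchor it no longer matches at all, while the genuine line is still recognised.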
