1From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
2From: sebres <serg.brester@sebres.de>
3Date: Mon, 21 Jun 2021 17:12:53 +0200
4Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
5 (default tilde) stops consider "~" char after new-line as composing escape
6 sequence
7
8[Retrieved from:
9https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844]
10Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
11---
12 config/action.d/complain.conf         | 2 +-
13 config/action.d/dshield.conf          | 2 +-
14 config/action.d/mail-buffered.conf    | 8 ++++----
15 config/action.d/mail-whois-lines.conf | 2 +-
16 config/action.d/mail-whois.conf       | 6 +++---
17 config/action.d/mail.conf             | 6 +++---
18 6 files changed, 13 insertions(+), 13 deletions(-)
19
20diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
21index 3a5f882c9f..4d73b05859 100644
22--- a/config/action.d/complain.conf
23+++ b/config/action.d/complain.conf
24@@ -102,7 +102,7 @@ logpath = /dev/null
25 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
26 # Values:  CMD
27 #
28-mailcmd = mail -s
29+mailcmd = mail -E 'set escape' -s
30
31 # Option:  mailargs
32 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
33diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
34index c128bef348..3d5a7a53a9 100644
35--- a/config/action.d/dshield.conf
36+++ b/config/action.d/dshield.conf
37@@ -179,7 +179,7 @@ tcpflags =
38 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
39 # Values:  CMD
40 #
41-mailcmd = mail -s
42+mailcmd = mail -E 'set escape' -s
43
44 # Option:  mailargs
45 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
46diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
47index 325f185b2f..79b841049c 100644
48--- a/config/action.d/mail-buffered.conf
49+++ b/config/action.d/mail-buffered.conf
50@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
51               The jail <name> has been started successfully.\n
52               Output will be buffered until <lines> lines are available.\n
53               Regards,\n
54-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
55+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
56
57 # Option:  actionstop
58 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
59@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
60                  These hosts have been banned by Fail2Ban.\n
61                  `cat <tmpfile>`
62                  Regards,\n
63-                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
64+                 Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
65                  rm <tmpfile>
66              fi
67              printf %%b "Hi,\n
68              The jail <name> has been stopped.\n
69              Regards,\n
70-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
71+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
72
73 # Option:  actioncheck
74 # Notes.:  command executed once before each actionban command
75@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
76                 These hosts have been banned by Fail2Ban.\n
77                 `cat <tmpfile>`
78                 \nRegards,\n
79-                Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
80+                Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
81                 rm <tmpfile>
82             fi
83
84diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
85index 3a3e56b2c7..d2818cb9b9 100644
86--- a/config/action.d/mail-whois-lines.conf
87+++ b/config/action.d/mail-whois-lines.conf
88@@ -72,7 +72,7 @@ actionunban =
89 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
90 # Values:  CMD
91 #
92-mailcmd = mail -s
93+mailcmd = mail -E 'set escape' -s
94
95 # Default name of the chain
96 #
97diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
98index 7fea34c40d..ab33b616dc 100644
99--- a/config/action.d/mail-whois.conf
100+++ b/config/action.d/mail-whois.conf
101@@ -20,7 +20,7 @@ norestored = 1
102 actionstart = printf %%b "Hi,\n
103               The jail <name> has been started successfully.\n
104               Regards,\n
105-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
106+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
107
108 # Option:  actionstop
109 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
110@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
111 actionstop = printf %%b "Hi,\n
112              The jail <name> has been stopped.\n
113              Regards,\n
114-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
115+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
116
117 # Option:  actioncheck
118 # Notes.:  command executed once before each actionban command
119@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
120             Here is more information about <ip> :\n
121             `%(_whois_command)s`\n
122             Regards,\n
123-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
124+            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
125
126 # Option:  actionunban
127 # Notes.:  command executed when unbanning an IP. Take care that the
128diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
129index 5d8c0e154c..f4838ddcb6 100644
130--- a/config/action.d/mail.conf
131+++ b/config/action.d/mail.conf
132@@ -16,7 +16,7 @@ norestored = 1
133 actionstart = printf %%b "Hi,\n
134               The jail <name> has been started successfully.\n
135               Regards,\n
136-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>
137+              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>
138
139 # Option:  actionstop
140 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
141@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
142 actionstop = printf %%b "Hi,\n
143              The jail <name> has been stopped.\n
144              Regards,\n
145-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
146+             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
147
148 # Option:  actioncheck
149 # Notes.:  command executed once before each actionban command
150@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
151             The IP <ip> has just been banned by Fail2Ban after
152             <failures> attempts against <name>.\n
153             Regards,\n
154-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
155+            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
156
157 # Option:  actionunban
158 # Notes.:  command executed when unbanning an IP. Take care that the
159