1*4882a593SmuzhiyunFrom 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: sebres <serg.brester@sebres.de>
3*4882a593SmuzhiyunDate: Mon, 21 Jun 2021 17:12:53 +0200
4*4882a593SmuzhiyunSubject: [PATCH] fixed possible RCE vulnerability, unset escape variable
5*4882a593Smuzhiyun (default tilde) stops consider "~" char after new-line as composing escape
6*4882a593Smuzhiyun sequence
7*4882a593Smuzhiyun
8*4882a593Smuzhiyun[Retrieved from:
9*4882a593Smuzhiyunhttps://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844]
10*4882a593SmuzhiyunSigned-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
11*4882a593Smuzhiyun---
12*4882a593Smuzhiyun config/action.d/complain.conf | 2 +-
13*4882a593Smuzhiyun config/action.d/dshield.conf | 2 +-
14*4882a593Smuzhiyun config/action.d/mail-buffered.conf | 8 ++++----
15*4882a593Smuzhiyun config/action.d/mail-whois-lines.conf | 2 +-
16*4882a593Smuzhiyun config/action.d/mail-whois.conf | 6 +++---
17*4882a593Smuzhiyun config/action.d/mail.conf | 6 +++---
18*4882a593Smuzhiyun 6 files changed, 13 insertions(+), 13 deletions(-)
19*4882a593Smuzhiyun
20*4882a593Smuzhiyundiff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
21*4882a593Smuzhiyunindex 3a5f882c9f..4d73b05859 100644
22*4882a593Smuzhiyun--- a/config/action.d/complain.conf
23*4882a593Smuzhiyun+++ b/config/action.d/complain.conf
24*4882a593Smuzhiyun@@ -102,7 +102,7 @@ logpath = /dev/null
25*4882a593Smuzhiyun # Notes.: Your system mail command. Is passed 2 args: subject and recipient
26*4882a593Smuzhiyun # Values: CMD
27*4882a593Smuzhiyun #
28*4882a593Smuzhiyun-mailcmd = mail -s
29*4882a593Smuzhiyun+mailcmd = mail -E 'set escape' -s
30*4882a593Smuzhiyun
31*4882a593Smuzhiyun # Option: mailargs
32*4882a593Smuzhiyun # Notes.: Additional arguments to mail command. e.g. 
for standard Unix mail:
33*4882a593Smuzhiyundiff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
34*4882a593Smuzhiyunindex c128bef348..3d5a7a53a9 100644
35*4882a593Smuzhiyun--- a/config/action.d/dshield.conf
36*4882a593Smuzhiyun+++ b/config/action.d/dshield.conf
37*4882a593Smuzhiyun@@ -179,7 +179,7 @@ tcpflags =
38*4882a593Smuzhiyun # Notes.: Your system mail command. Is passed 2 args: subject and recipient
39*4882a593Smuzhiyun # Values: CMD
40*4882a593Smuzhiyun #
41*4882a593Smuzhiyun-mailcmd = mail -s
42*4882a593Smuzhiyun+mailcmd = mail -E 'set escape' -s
43*4882a593Smuzhiyun
44*4882a593Smuzhiyun # Option: mailargs
45*4882a593Smuzhiyun # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
46*4882a593Smuzhiyundiff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
47*4882a593Smuzhiyunindex 325f185b2f..79b841049c 100644
48*4882a593Smuzhiyun--- a/config/action.d/mail-buffered.conf
49*4882a593Smuzhiyun+++ b/config/action.d/mail-buffered.conf
50*4882a593Smuzhiyun@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
51*4882a593Smuzhiyun The jail <name> has been started successfully.\n
52*4882a593Smuzhiyun Output will be buffered until <lines> lines are available.\n
53*4882a593Smuzhiyun Regards,\n
54*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
55*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
56*4882a593Smuzhiyun
57*4882a593Smuzhiyun # Option: actionstop
58*4882a593Smuzhiyun # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
59*4882a593Smuzhiyun@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
60*4882a593Smuzhiyun These hosts have been banned by Fail2Ban.\n
61*4882a593Smuzhiyun `cat <tmpfile>`
62*4882a593Smuzhiyun Regards,\n
63*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
64*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set 
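Review bot: `-E 'set escape'` is GNU Mailutils syntax, so the new `mailcmd` default in complain.conf (and the identical line in dshield.conf and mail-whois-lines.conf) is only a correct hardening where the system `mail` is that implementation. In bsd-mailx and s-nail, as far as I know, `-E` takes no argument and means "discard messages with an empty body", which would leave `'set escape'` to be parsed as a positional argument, most likely a recipient; this should be checked against the `mail` variants the package supports. The option comment also still reads as if `mailcmd` were a plain command name, so an administrator who overrides it has no hint that the flag matters. I would extend it along the lines of `# Notes.: Your system mail command; "-E 'set escape'" (GNU Mailutils) unsets the tilde escape so a "~" at line start in the body stays plain text - keep an equivalent when overriding`.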
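Review bot: The `mail -E 'set escape' -s` invocation is hard-coded in actionstart here, in the actionstop and actionban hunks of this file, and again in every action of mail-whois.conf and mail.conf, while complain.conf, dshield.conf and mail-whois-lines.conf take it from a `mailcmd` option. A site with a different `mail` has to edit each copy, and one missed copy silently loses the hardening. One definition, `mailcmd = mail -E 'set escape' -s`, with `Fail2Ban"|<mailcmd> "[Fail2Ban] <name>: started on <fq-hostname>" <dest>` at the call sites would keep the security-relevant flag in a single place. The section where the option would live is outside the visible hunks, and actionstart itself begins above this one.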
escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
65*4882a593Smuzhiyun rm <tmpfile>
66*4882a593Smuzhiyun fi
67*4882a593Smuzhiyun printf %%b "Hi,\n
68*4882a593Smuzhiyun The jail <name> has been stopped.\n
69*4882a593Smuzhiyun Regards,\n
70*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
71*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
72*4882a593Smuzhiyun
73*4882a593Smuzhiyun # Option: actioncheck
74*4882a593Smuzhiyun # Notes.: command executed once before each actionban command
75*4882a593Smuzhiyun@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
76*4882a593Smuzhiyun These hosts have been banned by Fail2Ban.\n
77*4882a593Smuzhiyun `cat <tmpfile>`
78*4882a593Smuzhiyun \nRegards,\n
79*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
80*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
81*4882a593Smuzhiyun rm <tmpfile>
82*4882a593Smuzhiyun fi
83*4882a593Smuzhiyun
84*4882a593Smuzhiyundiff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
85*4882a593Smuzhiyunindex 3a3e56b2c7..d2818cb9b9 100644
86*4882a593Smuzhiyun--- a/config/action.d/mail-whois-lines.conf
87*4882a593Smuzhiyun+++ b/config/action.d/mail-whois-lines.conf
88*4882a593Smuzhiyun@@ -72,7 +72,7 @@ actionunban =
89*4882a593Smuzhiyun # Notes.: Your system mail command. 
Is passed 2 args: subject and recipient
90*4882a593Smuzhiyun # Values: CMD
91*4882a593Smuzhiyun #
92*4882a593Smuzhiyun-mailcmd = mail -s
93*4882a593Smuzhiyun+mailcmd = mail -E 'set escape' -s
94*4882a593Smuzhiyun
95*4882a593Smuzhiyun # Default name of the chain
96*4882a593Smuzhiyun #
97*4882a593Smuzhiyundiff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
98*4882a593Smuzhiyunindex 7fea34c40d..ab33b616dc 100644
99*4882a593Smuzhiyun--- a/config/action.d/mail-whois.conf
100*4882a593Smuzhiyun+++ b/config/action.d/mail-whois.conf
101*4882a593Smuzhiyun@@ -20,7 +20,7 @@ norestored = 1
102*4882a593Smuzhiyun actionstart = printf %%b "Hi,\n
103*4882a593Smuzhiyun The jail <name> has been started successfully.\n
104*4882a593Smuzhiyun Regards,\n
105*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
106*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
107*4882a593Smuzhiyun
108*4882a593Smuzhiyun # Option: actionstop
109*4882a593Smuzhiyun # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
110*4882a593Smuzhiyun@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
111*4882a593Smuzhiyun actionstop = printf %%b "Hi,\n
112*4882a593Smuzhiyun The jail <name> has been stopped.\n
113*4882a593Smuzhiyun Regards,\n
114*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
115*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
116*4882a593Smuzhiyun
117*4882a593Smuzhiyun # Option: actioncheck
118*4882a593Smuzhiyun # Notes.: command executed once before each actionban command
119*4882a593Smuzhiyun@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
120*4882a593Smuzhiyun Here is more information about <ip> :\n
121*4882a593Smuzhiyun `%(_whois_command)s`\n
122*4882a593Smuzhiyun Regards,\n
123*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from 
<fq-hostname>" <dest>
124*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
125*4882a593Smuzhiyun
126*4882a593Smuzhiyun # Option: actionunban
127*4882a593Smuzhiyun # Notes.: command executed when unbanning an IP. Take care that the
128*4882a593Smuzhiyundiff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
129*4882a593Smuzhiyunindex 5d8c0e154c..f4838ddcb6 100644
130*4882a593Smuzhiyun--- a/config/action.d/mail.conf
131*4882a593Smuzhiyun+++ b/config/action.d/mail.conf
132*4882a593Smuzhiyun@@ -16,7 +16,7 @@ norestored = 1
133*4882a593Smuzhiyun actionstart = printf %%b "Hi,\n
134*4882a593Smuzhiyun The jail <name> has been started successfully.\n
135*4882a593Smuzhiyun Regards,\n
136*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
137*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
138*4882a593Smuzhiyun
139*4882a593Smuzhiyun # Option: actionstop
140*4882a593Smuzhiyun # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
141*4882a593Smuzhiyun@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
142*4882a593Smuzhiyun actionstop = printf %%b "Hi,\n
143*4882a593Smuzhiyun The jail <name> has been stopped.\n
144*4882a593Smuzhiyun Regards,\n
145*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
146*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
147*4882a593Smuzhiyun
148*4882a593Smuzhiyun # Option: actioncheck
149*4882a593Smuzhiyun # Notes.: command executed once before each actionban command
150*4882a593Smuzhiyun@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
151*4882a593Smuzhiyun The IP <ip> has just been banned by Fail2Ban after
152*4882a593Smuzhiyun <failures> attempts against <name>.\n
153*4882a593Smuzhiyun Regards,\n
154*4882a593Smuzhiyun- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> 
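Review bot: The mail body in actionban still expands `%(_whois_command)s` inside the `printf %%b` operand, so text returned by the whois lookup for the banned address, which the local host does not control, reaches `mail` on stdin with its backslash sequences interpreted by printf. After this change the added `-E 'set escape'` is the only thing that keeps a `~` at the start of a body line from being treated as an escape, and that holds only for a `mail` that honours the option. A comment above actionban would make the dependency visible to anyone editing the action, for example `# whois output is remote text; the mail command used here must not interpret tilde escapes on stdin`. actionban begins above this hunk, so the full body is not visible here.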
from <fq-hostname>" <dest>
155*4882a593Smuzhiyun+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
156*4882a593Smuzhiyun
157*4882a593Smuzhiyun # Option: actionunban
158*4882a593Smuzhiyun # Notes.: command executed when unbanning an IP. Take care that the
159