Bug 690853 - VUL-1: fail2ban: Use of insecure default temporary file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
Reported: 2011-04-29 12:29 UTC by Ludwig Nussel
Modified: 2019-03-26 15:30 UTC (History)
Found By: Other
Description Ludwig Nussel 2011-04-29 12:29:50 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Fri, 29 Apr 2011 13:02:04 +0200
From: Jan Lieskovsky <jlieskov@redhat.com>
Subject: [oss-security] CVE Request -- fail2ban -- Use of insecure default temporary file when unbanning an IP (tmpfile = /tmp/fail2ban-mail.txt)


Hello Josh, Steve, vendors,

   It was found that the fail2ban IP banner used an insecure default temporary file
when unbanning an IP address. A local attacker could use this flaw to conduct
symlink attacks in order to gain access to sensitive information or potentially
to overwrite arbitrary files on the system.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544232
[2] https://bugzilla.redhat.com/show_bug.cgi?id=700763

Patch applied by Debian distribution:
[3] http://git.onerussian.com/?p=deb/fail2ban.git;a=commitdiff;h=ea7d352616b1e2232fcaa99b11807a86ce29ed8b

Could you allocate a CVE id for this? (Note: it should be a CVE-2009-* identifier)

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
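The report above describes the classic fixed-name temporary file problem: a program writes to a predictable path in a shared directory (here /tmp/fail2ban-mail.txt), so a local user who pre-creates a symlink at that name can redirect the write. The following Python example is added here for illustration; it is not fail2ban's code or the Debian patch. The function names (write_mail_safely, open_fixed_path_safely, audit_fixed_tmp_path, demo) and the mail body are constructed for the example. It shows the two defensive patterns (a random name created with O_EXCL via mkstemp, or, if a fixed name is unavoidable, O_CREAT|O_EXCL|O_NOFOLLOW so an existing file or link makes the open fail instead of being followed) and a small audit routine that flags why a hard-coded temp path is unsafe.

```python
import os
import shutil
import stat
import tempfile


def write_mail_safely(body: str, prefix: str = "fail2ban-mail-") -> str:
    """Write the mail body to a fresh temp file and return its path.

    mkstemp picks an unpredictable name and opens it with O_CREAT|O_EXCL and
    mode 0600, so a symlink or file pre-placed by another local user cannot be
    followed or reused.  The caller is responsible for unlinking the file.
    """
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=".txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(body)
    except Exception:
        os.unlink(path)
        raise
    return path


def open_fixed_path_safely(path: str) -> int:
    """Open a fixed path for writing without ever following a pre-placed link.

    O_EXCL makes the open fail (FileExistsError) if anything already exists at
    the path, including a dangling symlink; O_NOFOLLOW is belt-and-braces.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def audit_fixed_tmp_path(path: str) -> list:
    """Return findings that explain why writing to a hard-coded temp path is unsafe.

    An empty list means nothing was flagged, not that the design is fine:
    a random name from mkstemp is still the right fix.
    """
    findings = []
    parent = os.path.dirname(path) or "."
    try:
        pst = os.stat(parent)
    except FileNotFoundError:
        return ["parent directory does not exist"]
    if pst.st_mode & stat.S_IWOTH:
        # /tmp is world-writable (sticky or not): any local user can pre-create
        # the predictable name before the program does.
        findings.append("predictable name inside a world-writable directory")
    if os.path.islink(path):
        findings.append("path is a symlink; a plain open() would follow it")
    elif os.path.exists(path):
        if os.stat(path).st_uid != os.getuid():
            findings.append("existing file is owned by another user")
    return findings


def demo() -> dict:
    """Exercise the helpers in a private scratch directory (constructed here)."""
    results = {}
    scratch = tempfile.mkdtemp(prefix="tmpfile-demo-")  # mode 0700, private
    try:
        # 1. Safe creation: random name, private mode, content intact.
        p = write_mail_safely("unban notice for 192.0.2.1 (constructed body)")
        with open(p) as f:
            results["content"] = f.read()
        results["mode"] = stat.S_IMODE(os.stat(p).st_mode)
        os.unlink(p)

        # 2. A dangling symlink already sitting at the predictable name: the
        #    audit must flag it and the exclusive open must refuse it.
        link = os.path.join(scratch, "fail2ban-mail.txt")
        os.symlink(os.path.join(scratch, "never-created"), link)
        results["findings"] = audit_fixed_tmp_path(link)
        try:
            os.close(open_fixed_path_safely(link))
            results["excl_blocked"] = False
        except FileExistsError:
            results["excl_blocked"] = True

        # 3. A fresh name in a private directory is accepted by both checks.
        fresh = os.path.join(scratch, "fresh.txt")
        os.close(open_fixed_path_safely(fresh))
        results["fresh_findings"] = audit_fixed_tmp_path(fresh)
    finally:
        shutil.rmtree(scratch)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit reports on "/tmp/fail2ban-mail.txt" would flag the world-writable parent on any normal system, which is exactly the condition the report describes; the fix in either direction is to stop using a name an unprivileged local user can predict.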
Comment 1 Thomas Biege 2011-05-03 08:01:59 UTC
CVE-2009-5023
Comment 2 Thomas Biege 2011-05-03 10:01:20 UTC
CVE-2009-5023: CVSS v2 Base Score: 3.3 (low) (AV:L/AC:M/Au:N/C:P/I:P/A:N)
Comment 3 Stephan Kulow 2011-09-01 14:09:50 UTC
after discussion with security-team only submitted to factory: rq80518
Comment 4 Stephan Kulow 2011-09-01 14:11:41 UTC
ludwig changed his mind :)
Comment 5 Ludwig Nussel 2011-09-01 14:14:25 UTC
factory version submitted to 11.3 and 11.4
Comment 6 Bernhard Wiedemann 2011-09-01 15:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (690853) was mentioned in
https://build.opensuse.org/request/show/80518 Factory / fail2ban
https://build.opensuse.org/request/show/80519 11.3 / fail2ban
https://build.opensuse.org/request/show/80520 11.4 / fail2ban
Comment 7 Swamp Workflow Management 2011-10-19 13:34:28 UTC
The SWAMPID for this issue is 43740.
This issue was rated as moderate.
Please submit fixed packages until 2011-11-02.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Swamp Workflow Management 2011-10-24 08:32:14 UTC
Update released for: fail2ban
Products:
openSUSE 11.3 (i586)
openSUSE 11.4 (i586)
Comment 9 Sebastian Krahmer 2011-10-24 08:33:08 UTC
done
Comment 10 Swamp Workflow Management 2019-03-26 15:30:36 UTC
This is an autogenerated message for OBS integration:
This bug (690853) was mentioned in
https://build.opensuse.org/request/show/688767 15.1 / fail2ban