Bug 1059934 (CVE-2013-7177)

Summary: CVE-2013-7177 fail2ban: remote denial of service in cyrus-imap filter
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: admiller, Axel.Thimm, carnil, jonathan.underwood, orion, vonsch
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-20 10:43:20 UTC
Bug Depends On: 1059936

Description Murray McAllister 2014-01-31 01:22:12 UTC
A denial of service flaw was found in fail2ban's cyrus-imap filter. A remote attacker could use this flaw to cause an attacker-chosen IP address to be blocked.

This issue only affects versions prior to 0.8.11. As such, only the version of fail2ban in EPEL 5 should be affected.

The Secunia advisory (http://secunia.com/advisories/56691/) also notes the following:

"Some errors in regular expressions within unspecified filters can be exploited to e.g. spoof client IP addresses and subsequently cause arbitrary IP addresses to be banned."

This may be the "In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexs of our filters to avoid another similar vulnerability" part of the 0.8.11 changelog, but I am not sure. Recommend upgrading to 0.8.11 or later.

References:
https://github.com/fail2ban/fail2ban/blob/master/ChangeLog
http://www.kb.cert.org/vuls/id/686662
http://secunia.com/advisories/56691/
https://github.com/fail2ban/fail2ban/commit/bd175f026737d66e7110868fb50b3760ff75e087

Comment 1 Murray McAllister 2014-01-31 01:27:08 UTC
Created fail2ban tracking bugs for this issue:

Affects: epel-5 [bug 1059936]

Comment 2 Murray McAllister 2014-01-31 01:30:15 UTC
Looking in fail2ban-0.8.11-2.fc19.src.rpm:

failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$

Is this a problem? Does it need all the entries from <https://github.com/fail2ban/fail2ban/commit/bd175f026737d66e7110868fb50b3760ff75e087>?
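
One way to regression-test a failregex such as the one quoted in comment 2 against text in a client-supplied field, as an added example that is not part of this bug report or of fail2ban's code. The `<HOST>` and `%(__prefix_line)s` expansions are simplified stand-ins, the log lines are constructed, and the loose pattern is hypothetical, written only for contrast (it is not the pre-0.8.11 filter).

```python
import re

# Assumption: stand-in for the group fail2ban 0.8.x substitutes for <HOST>.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Assumption: simplified stand-in for %(__prefix_line)s ("host daemon[pid]: ").
PREFIX = r"\S+ \S+\[\d+\]: "

# The failregex quoted in comment 2 (fail2ban-0.8.11-2.fc19).
ANCHORED = (r"^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ "
            r".*?\[?SASL\(-13\): authentication failure: .*\]?$")
# Hypothetical loose pattern, constructed for contrast (not a fail2ban filter).
LOOSE = r"badlogin: .*\[<HOST>\] .*SASL\(-13\): authentication failure: .*$"

def compile_failregex(raw):
    """Expand the two placeholders and compile the pattern."""
    return re.compile(raw.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))

def banned_host(raw, line):
    """Return the address the filter would hand to the ban action, or None."""
    m = compile_failregex(raw).search(line)
    return m.group("host") if m else None

# Constructed log lines (timestamp already stripped), documentation addresses.
REAL = "192.0.2.10"
NORMAL = ("mailhost cyrus/imap[5355]: badlogin: client.example [192.0.2.10] "
          "plaintext alice SASL(-13): authentication failure: checkpass failed")
# Same connection, but the client-supplied field carries a bracketed address.
INJECTED = ("mailhost cyrus/imap[5355]: badlogin: client.example [192.0.2.10] "
            "plaintext x [198.51.100.7] y SASL(-13): authentication failure: "
            "checkpass failed")

def audit(raw):
    """Return the lines on which the captured host is not the connection address."""
    return [l for l in (NORMAL, INJECTED) if banned_host(raw, l) != REAL]

if __name__ == "__main__":
    for name, raw in (("anchored", ANCHORED), ("loose", LOOSE)):
        print(name, [banned_host(raw, l) for l in (NORMAL, INJECTED)])
```

The result holds only for these constructed lines and the simplified prefix; a real check should run the filter file through `fail2ban-regex` with the shipped `common.conf`.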