Bug 700763 (CVE-2009-5023)

Summary: CVE-2009-5023 fail2ban: Use of insecure default temporary file when unbanning an IP
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jonathan.underwood, jrusnack, maxamillion, vdanen
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-06-10 22:23:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 700765, 700767, 700768, 700769
Bug Blocks:

Description Jan Lieskovsky 2011-04-29 10:53:36 UTC
It was found that the fail2ban IP banner used an insecure default temporary file
when unbanning an IP address. A local attacker could use this flaw to conduct
symlink attacks in order to gain access to sensitive information or potentially
to overwrite arbitrary files on the system.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544232

Patch applied by Debian distribution:
[2] http://git.onerussian.com/?p=deb/fail2ban.git;a=commitdiff;h=ea7d352616b1e2232fcaa99b11807a86ce29ed8b
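The temporary-file weakness the report describes, shown as an added example that is not fail2ban's code and not the Debian or upstream patch: an insecure writer that trusts a predictable file name, beside two hardened variants, all exercised in a scratch directory where a symlink has been planted at the predictable name. The directory, the file names and the unban record are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed sample of the kind of data an unban step might spool to disk.
UNBAN_RECORD = "unban 203.0.113.7\n"


def write_insecure(path, data):
    """The weak pattern: open a fixed, predictable name for writing.
    open() follows a symlink sitting at `path`, so the write lands on
    whatever the link points at."""
    with open(path, "w") as fh:
        fh.write(data)


def write_hardened_fixed_name(path, data):
    """Hardened variant for a caller that must keep a fixed name: create the
    file exclusively (O_EXCL) with O_NOFOLLOW and mode 0600. If anything,
    including a symlink, already occupies `path`, open(2) fails with EEXIST
    and Python raises FileExistsError instead of writing through the link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_hardened_random_name(directory, data):
    """Preferred variant: let mkstemp pick an unpredictable name and create it
    with O_EXCL and mode 0600 in one step. Returns the path it created."""
    fd, path = tempfile.mkstemp(prefix="unban-", suffix=".tmp", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Exercise all three writers against a pre-planted symlink and report
    what happened. Runs entirely inside a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original contents\n")

        # Constructed: a symlink parked at the predictable temp-file name,
        # pointing at a file the writer was never meant to touch.
        predictable = os.path.join(scratch, "fail2ban-unban.tmp")
        os.symlink(victim, predictable)

        # 1. The hardened fixed-name writer refuses to touch the existing link.
        try:
            write_hardened_fixed_name(predictable, UNBAN_RECORD)
            results["hardened_refused"] = False
        except FileExistsError:
            results["hardened_refused"] = True
        with open(victim) as fh:
            results["victim_intact_after_hardened"] = fh.read() == "original contents\n"

        # 2. The random-name writer never collides with the planted link at all.
        created = write_hardened_random_name(scratch, UNBAN_RECORD)
        mode = stat.S_IMODE(os.lstat(created).st_mode)
        results["random_name_differs"] = (
            os.path.realpath(created) != os.path.realpath(predictable)
        )
        results["random_name_mode_0600"] = mode == 0o600
        with open(created) as fh:
            results["random_name_content_ok"] = fh.read() == UNBAN_RECORD

        # 3. The insecure writer follows the link and clobbers the victim file.
        write_insecure(predictable, UNBAN_RECORD)
        with open(victim) as fh:
            results["insecure_clobbered_victim"] = fh.read() == UNBAN_RECORD
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The fixed-name variant is the minimal change when an existing configuration depends on a known path; the mkstemp variant is what a reviewer would normally ask for, because an unpredictable name removes the race on the directory entry entirely rather than just detecting it.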

Comment 1 Jan Lieskovsky 2011-04-29 10:55:24 UTC
This issue affects the versions of the fail2ban package, as present
within EPEL-4, EPEL-5 and EPEL-6 repositories.

This issue affects the versions of the fail2ban package, as shipped
with Fedora releases 13 and 14.

Please schedule an update.

Comment 2 Jan Lieskovsky 2011-04-29 10:56:57 UTC
Created fail2ban tracking bugs for this issue

Affects: epel-4 [bug 700765]
Affects: epel-5 [bug 700767]
Affects: epel-6 [bug 700768]
Affects: fedora-all [bug 700769]

Comment 3 Jan Lieskovsky 2011-04-29 11:01:39 UTC
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2011/04/29/1

Comment 4 Tomas Hoger 2011-04-29 12:15:45 UTC
(In reply to comment #1)
> This issue affects the versions of the fail2ban package, as shipped
> with Fedora releases 13 and 14.

This seems to be fixed in Fedora already - see fail2ban-0.8.4-notmp.patch:
http://pkgs.fedoraproject.org/gitweb/?p=fail2ban.git;a=blob;f=fail2ban-0.8.4-notmp.patch;h=dc09397f00790fdb494efced4f44675a9f56b0b7;hb=master

(In reply to comment #0)
> Patch applied by Debian distribution:
> http://git.onerussian.com/?p=deb/fail2ban.git;a=commitdiff;h=ea7d352616b1e2232fcaa99b11807a86ce29ed8b

Which seems to be a git-svn clone of the upstream SVN commit:
http://fail2ban.svn.sourceforge.net/viewvc/fail2ban?view=revision&revision=767

Comment 5 Axel Thimm 2011-04-30 13:32:29 UTC

*** This bug has been marked as a duplicate of bug 669965 ***

Comment 6 Vincent Danen 2011-05-02 22:04:21 UTC
Please don't close SRT bugs. It does not look like fail2ban in EPEL has been fixed yet, so this bug shouldn't be closed.

This has also been assigned the name CVE-2009-5023.

Comment 7 Vincent Danen 2011-07-05 03:48:07 UTC
*** Bug 718836 has been marked as a duplicate of this bug. ***