[SSHGuard-maintainers] SSHGuard errata: whitelisting IPv6 addresses

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi there,

I'm writing to report an errata affecting whitelisting IPv6 addresses in 
SSHGuard versions 1.5 through 2.4.2.

PROBLEM

Whitelisting an IPv6 address causes an extra zero byte to be written 
beyond the end of a stack variable due to a logic error in memset().

IMPACT

Whitelisting an IPv6 address may cause sshg-blocker to abort on startup 
  due to a stack check failure if compiled with '-fstack-protector'.

If stack checks are not enabled, the security impact is still likely low 
because the overflow is always one zero byte, regardless of the 
whitelist input. Further, the whitelist is configured by the system 
administrator.

In practice, this crash only seems to happen on 32-bit systems. The 
exact cause is unknown, but likely due to differences in structure 
alignment and padding ("slop") between 32 and 64-bit systems. On 64-bit 
systems, the extra byte may just be written to struct padding.

WORKAROUND

Do not whitelist IPv6 addresses.

SOLUTION

Either:

1. Upgrade to Git version 0403ed3b or later, or,

2. Apply the attached source patch to the 2.4.2 release and reinstall.

Thanks,
Kevin

[SSHGuard-maintainers] SSHGuard errata: whitelisting IPv6 addresses

Intelligently block brute-force attacks by aggregating system logs

[SSHGuard-maintainers] SSHGuard errata: whitelisting IPv6 addresses