This is an errata notice for SSHGuard. This issue impacts the 1.6.0
release, but has actually been around for quite some time.
## Problem ##
When blocking attackers from a loaded blacklist file, SSHGuard will
write past the boundaries of a fixed-length buffer.
This problem only affects users running SSHGuard with blacklisting
enabled, while using the `ipfw` backend.
## Impact ##
SSHGuard will crash with a segmentation fault upon startup when loading
a blacklist with enough entries (fewer than 100 are sufficient). Because
the blacklist file is generally owned by the superuser, it is unlikely
that this vulnerability could be used to gain superuser privileges. If
you are affected, please consider using one of the workarounds below.
## Workaround ##
Any one of these should work around the issue:
1. Don't use blacklisting.
2. Don't use the `ipfw` backend.
3. If you need blacklisting, delete the blacklist file before starting.
## Solution ##
We're working on one. The "long-term" solution is to switch `ipfw` to
the "command" backend and use ipfw tables instead of individual rules.
For the time being:
1. Increase the length of the fixed buffer. Eventually, though, this
will run into the same problem.
2. There is a patch on the mailing list that adds the blacklisted
addresses one at a time. I haven't taken a look at it yet.
## Credits ##
Thanks to Greg Putrich <gr...@n0...> for analyzing and proposing a
fix to this issue. Thanks to the many people who have reported this
issue beforehand, even though I never got around to acting on them.
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
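
The difference between the two interim fixes under "Solution", as an added illustration that is not SSHGuard's code or the mailing-list patch: rather than enlarging a fixed buffer, the bounded version below flushes the address list in batches whenever the next entry would not fit. `CMD_CAP`, `flush_batch`, `block_list_bounded` and `run_sample` are hypothetical names, and the addresses are constructed from the 192.0.2.0/24 documentation range.

```c
#include <stdio.h>
#include <string.h>

#define CMD_CAP 64            /* small fixed buffer; constructed value */
static int batches_flushed;   /* bookkeeping so results can be checked */
static size_t longest_batch;

/* Hypothetical sink: a real backend would pass `list` to the firewall. */
static void flush_batch(const char *list) {
    size_t n = strlen(list);
    if (n > longest_batch) longest_batch = n;
    batches_flushed++;
}

/* Join addresses with commas without writing past buf. When the next entry
 * would not fit, flush the current batch and start a new one. Returns the
 * number of addresses handed off, or -1 if one entry alone is too long. */
int block_list_bounded(const char *const addrs[], size_t count) {
    char buf[CMD_CAP] = "";
    size_t used = 0;
    int done = 0;
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(addrs[i]);
        if (len >= sizeof buf) return -1;                /* can never fit */
        if (used + (used ? 1 : 0) + len >= sizeof buf) { /* no room incl. NUL */
            flush_batch(buf);
            used = 0;
        }
        used += (size_t)snprintf(buf + used, sizeof buf - used, "%s%s",
                                 used ? "," : "", addrs[i]);
        done++;
    }
    if (used) flush_batch(buf);
    return done;
}

/* Constructed sample: n documentation-range addresses, n in 0..100. */
int run_sample(int n) {
    static char store[100][24];
    const char *addrs[100];
    if (n < 0 || n > 100) return -1;
    for (int i = 0; i < n; i++) {
        snprintf(store[i], sizeof store[i], "192.0.2.%d", i);
        addrs[i] = store[i];
    }
    batches_flushed = 0; longest_batch = 0;
    return block_list_bounded(addrs, (size_t)n);
}

int main(void) { return run_sample(100) == 100 ? 0 : 1; }
```

With 100 entries the list no longer fits in one 64-byte buffer, yet every batch stays within it, so the length of the blacklist stops mattering.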