Hi there,

I'm writing to report an erratum affecting whitelisting IPv6 addresses in
SSHGuard versions 1.5 through 2.4.2.

PROBLEM
Whitelisting an IPv6 address causes an extra zero byte to be written
beyond the end of a stack variable due to a logic error in memset().

IMPACT
Whitelisting an IPv6 address may cause sshg-blocker to abort on startup
due to a stack check failure if compiled with '-fstack-protector'.
If stack checks are not enabled, the security impact is still likely low
because the overflow is always one zero byte, regardless of the
whitelist input. Further, the whitelist is configured by the system
administrator.
In practice, this crash only seems to happen on 32-bit systems. The
exact cause is unknown, but likely due to differences in structure
alignment and padding ("slop") between 32 and 64-bit systems. On 64-bit
systems, the extra byte may just be written to struct padding.

WORKAROUND
Do not whitelist IPv6 addresses.

SOLUTION
Either:
1. Upgrade to Git version 0403ed3b or later, or,
2. Apply the attached source patch to the 2.4.2 release and reinstall.

Thanks,
Kevin
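
Added illustration, not SSHGuard's code and not the attached patch: a hypothetical IPv6 netmask builder with the class of error described under PROBLEM (a memset() length that is one too large) next to a corrected version. The function names, the 17-byte scratch buffer and the guard value are assumptions made for this example; the guard byte stands in for whatever follows the variable on the stack, so the stray write can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 16    /* bytes in an IPv6 address or netmask */
#define CANARY   0xA5  /* constructed guard value */

/* Hypothetical buggy builder: the zero-fill length is one too large, so
 * mask[ADDR_LEN] is always set to zero, whatever the prefix length is. */
static int mask_buggy(unsigned char *mask, unsigned prefix)
{
    if (prefix > 8 * ADDR_LEN) return -1;
    size_t full = prefix / 8;      /* whole 0xFF bytes */
    unsigned rem = prefix % 8;     /* leftover bits in the next byte */
    memset(mask, 0xFF, full);
    memset(mask + full, 0x00, ADDR_LEN - full + 1);   /* off by one */
    if (rem) mask[full] = (unsigned char)(0xFF << (8 - rem));
    return 0;
}

/* Corrected builder: writes exactly ADDR_LEN bytes. */
static int mask_fixed(unsigned char *mask, unsigned prefix)
{
    if (prefix > 8 * ADDR_LEN) return -1;
    size_t full = prefix / 8;
    unsigned rem = prefix % 8;
    memset(mask, 0xFF, full);
    memset(mask + full, 0x00, ADDR_LEN - full);
    if (rem) mask[full] = (unsigned char)(0xFF << (8 - rem));
    return 0;
}

/* Runs a builder on a buffer with one guard byte after the mask.
 * Returns 1 if the guard was overwritten, 0 if intact, -1 on bad prefix. */
static int guard_clobbered(int (*build)(unsigned char *, unsigned),
                           unsigned prefix, unsigned char *out)
{
    unsigned char buf[ADDR_LEN + 1];
    memset(buf, CANARY, sizeof buf);
    if (build(buf, prefix) != 0) return -1;
    if (out) memcpy(out, buf, ADDR_LEN);
    return buf[ADDR_LEN] != CANARY;
}

int main(void)
{
    unsigned p[] = {0, 60, 64, 128};   /* constructed prefix lengths */
    for (size_t i = 0; i < sizeof p / sizeof p[0]; i++)
        printf("/%u buggy=%d fixed=%d\n", p[i],
               guard_clobbered(mask_buggy, p[i], NULL),
               guard_clobbered(mask_fixed, p[i], NULL));
    return 0;
}
```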