On Fri, 08 Nov 2013, Colin Watson wrote:

> > we have adjusted sshd filter upstream already to be
> >
> > ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?:
> > ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+
> > %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
>
> That has the very same injection vulnerability you were worried about
> earlier in response to my initial suggestion.  Consider:
>
>   Failed password for user from 1.2.3.4 port 20000 ssh1: ruser from 2.3.4.5
>
> Your regex will incorrectly match the host as 2.3.4.5 from the
> client-supplied string at the end.

wow -- good catch!

> As I say, I think it is unwise to put all these likely-to-change
> alternatives in the regex, especially when doing so doesn't actually fix
> the injection vulnerability.

indeed BUT it might help to avoid unforeseen injection "vectors" by
simply specifying the logline format in its entirety (thus trailing
anchor).  Opening up the trailer to be anything would not be of any
benefit here

> I think the suggestion in my previous
> message is actually more robust:
>
> > > ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?:
> > > ssh\d*)?

indeed -- we should make it a non-greedy matching here... I will commit
it upstream within 2 hours -- need to run atm

> Once we agree on this, it'd be great if you could upload a suitable
> change to unstable so that I can set an appropriate Breaks field and
> upload openssh >= 6.3 without further qualms.

ok -- I will try to accomplish the mission today to update debian's
jail.conf and prepare this release candidate to get into unstable (later
in the evening).

-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik
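The greedy-versus-non-greedy difference discussed in the thread, as an added Python example that is not part of the original message or of fail2ban's own code. It assumes the syslog prefix (`%(__prefix_line)s`) has already been stripped and replaces `<HOST>` and `%(__md5hex)s` with simplified stand-ins; the sample log lines are constructed.

```python
import re

# Stand-ins for fail2ban's substitutions (assumptions, not fail2ban's real
# definitions): <HOST> becomes a plain non-space run captured as "host",
# __md5hex approximates a colon-separated MD5 fingerprint.
HOST = r"(?P<host>\S+)"
MD5HEX = r"(?:[\da-f]{2}:){15}[\da-f]{2}"

# The optional trailer from the thread's filter, kept so the line is anchored
# end to end.
TRAILER = (r'(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ '
           + MD5HEX + r'(, client user ".{0,100}", client host ".{0,100}")?))?\s*$')

# Greedy form: ".*" lets the LAST " from " in the line decide <HOST>, so a
# " from X" inside client-controlled text (e.g. the ruser field) wins.
GREEDY = re.compile(r"^Failed \S+ for .* from " + HOST
                    + r"(?: port \d*)?(?: ssh\d*)?" + TRAILER)

# Non-greedy form: ".*?" stops at the FIRST " from ", the one sshd itself wrote.
LAZY = re.compile(r"^Failed \S+ for .*? from " + HOST
                  + r"(?: port \d*)?(?: ssh\d*)?" + TRAILER)


def extract_host(pattern, line):
    """Return the <HOST> capture for one log line, or None when no match."""
    m = pattern.search(line)
    return m.group("host") if m else None


def compare(line):
    """Show what each variant of the filter would ban for the same line."""
    return {"greedy": extract_host(GREEDY, line), "lazy": extract_host(LAZY, line)}


# Constructed sample lines: the first is the injection case quoted in the thread.
INJECTED = "Failed password for user from 1.2.3.4 port 20000 ssh1: ruser from 2.3.4.5"
PLAIN = "Failed password for root from 10.0.0.7 port 4242 ssh2"

if __name__ == "__main__":
    for line in (INJECTED, PLAIN):
        print(line)
        print("   ->", compare(line))
```

On the injected line the greedy filter would ban 2.3.4.5 (attacker-chosen) while the non-greedy one bans the real peer 1.2.3.4; on an ordinary line both agree.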