blocks wrong IPv4 and IPv6 addresses on LE systems (reversed byte order)

Bug #2069596 reported by Cyril Brulebois
Affects: crowdsec-firewall-bouncer (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi,

The crowdsec-firewall-bouncer binary package is affected by a bug in the golang-github-google-nftables-dev binary package, leading to blocking the wrong IP addresses (both IPv4 and IPv6) on all little-endian systems.

Upstream bug reports, about Ubuntu:
 - https://github.com/google/nftables/issues/225
 - https://github.com/crowdsecurity/cs-firewall-bouncer/issues/368

Debian bug reports:
 - https://bugs.debian.org/1071247
 - https://bugs.debian.org/1071248

That's been fixed in Debian testing/unstable:
 - golang-github-google-nftables/0.1.0-4
 - crowdsec-firewall-bouncer/0.0.25-4

and that's also getting fixed in stable (bookworm) via a trivial backport of those packages, now in bookworm-proposed-updates, to be published in the 12.6 point release at the end of the month:
 - golang-github-google-nftables/0.1.0-4~deb12u1
 - crowdsec-firewall-bouncer/0.0.25-4~deb12u1

I'm not familiar with Ubuntu's way of sync-ing from Debian, that's why I thought it would be best to file a bug there directly (against the leaf package), as opposed to contacting the maintainers documented at https://packages.ubuntu.com/ (which recommends using Launchpad anyway).

Just to be crystal-clear: the fix is in the golang-github-google-nftables source package, while the crowdsec-firewall-bouncer one only requires a rebuild against the fixed package.

I'm also ticking the security vulnerability box, for the same reason I put the Debian Security team in the loop for the Debian bug reports: I'd rather have more eyes than fewer eyes on that kind of topic: the bouncer is currently giving a false sense of security as it doesn't actually block suspicious addresses, and also blocks other ones.

Cheers,
Cyril.
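The failure class the report describes, as an added illustration (not code from google/nftables or cs-firewall-bouncer): it assumes the address is packed as a uint32 in the host's native byte order, which on a little-endian machine yields the bytes reversed, and shows a check an operator could use to tell such a reversed set element from an unrelated mismatch when comparing a bouncer's decision list against the kernel set.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// networkOrder returns the 4-byte network-order (big-endian) encoding of an
// IPv4 address, the form nftables expects for an ipv4_addr set element.
func networkOrder(a netip.Addr) [4]byte {
	return a.As4()
}

// hostOrderLE models the bug class: the address value written as a uint32 in
// native order on a little-endian host. Hypothetical reproduction, not the
// actual google/nftables code path.
func hostOrderLE(a netip.Addr) [4]byte {
	v := binary.BigEndian.Uint32(a.AsSlice()) // numeric value of the address
	var out [4]byte
	binary.LittleEndian.PutUint32(out[:], v) // what native order gives on LE
	return out
}

// classify compares the address an operator intended to block with an element
// observed in the kernel set. Works for IPv4 and IPv6 alike.
// Returns "ok", "reversed" (byte-order defect) or "mismatch".
func classify(intended, observed netip.Addr) string {
	if intended == observed {
		return "ok"
	}
	ib, ob := intended.AsSlice(), observed.AsSlice()
	if len(ib) != len(ob) {
		return "mismatch"
	}
	for i := range ib {
		if ib[i] != ob[len(ob)-1-i] {
			return "mismatch"
		}
	}
	return "reversed"
}

func main() {
	a := netip.MustParseAddr("192.0.2.1") // constructed documentation address
	fmt.Printf("correct  : %v\n", netip.AddrFrom4(networkOrder(a)))
	fmt.Printf("reversed : %v\n", netip.AddrFrom4(hostOrderLE(a)))
	fmt.Println(classify(a, netip.MustParseAddr("1.2.0.192"))) // reversed
}
```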

Mark Esler (eslerm) wrote :

Thank you for taking the time to report this Cyril.

Do you know if Google intends to assign a CVE?

information type: Private Security → Public Security
Cyril Brulebois (kibi) wrote : Re: [Bug 2069596] Re: blocks wrong IPv4 and IPv6 addresses on LE systems (reversed byte order)

Hi,

Mark Esler <email address hidden> (2024-06-19):
> Thank you for taking the time to report this Cyril.

No worries at all.

> Do you know if Google intends to assign a CVE?

That I don't know, I've been mainly in contact with CrowdSec's upstream
developers (who notified me about the problem with the Debian/Ubuntu
packages) and with the various Debian teams to see how to best address
this in stable (i.e. security then release teams).

Note the google/nftables issue was detected and fixed a year ago
already, we just failed to notice earlier. :(

Cheers,
--
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
