Full patch attached -- I just want to hear your feedback first, and then I will do additional testing to ensure correct behavior on a stable system. The major change is to deal with the grave bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650678, which prevented use of fail2ban with multiple jails enabled. It has been in unstable and testing for a while and I have not heard any negative feedback. It also incorporates (sorry -- that version of f2b did not yet use 3.0 (quilt)) the suggested NMU http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635746 about insecure temporary file creation. -- =------------------------------------------------------------------= Keep in touch www.onerussian.com Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
index b80698b..8549a55 100644
--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
@@ -206,5 +206,5 @@ dest = reports@dshield.org
# Notes.: Base name of temporary files used for buffering
# Values: [ STRING ] Default: /tmp/fail2ban-dshield
#
-tmpfile = /tmp/fail2ban-dshield
+tmpfile = /var/run/fail2ban/tmp-dshield
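Review bot: The `# Values: [ STRING ] Default: /tmp/fail2ban-dshield` comment three lines above the changed `tmpfile` line still advertises the old /tmp location, so the shipped documentation now disagrees with the shipped default; it should read `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield`. The same stale `Default:` comment is left untouched in the mynetwatchman.conf hunk. Moving the buffer out of world-writable /tmp only removes the symlink/pre-creation exposure if /var/run/fail2ban exists when the action runs and is writable only by the fail2ban user; nothing in this patch creates that directory, so presumably the server does when it sets up its socket directory -- worth confirming on the squeeze package before relying on it.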
diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
index 04788ab..b2255a1 100644
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@@ -81,7 +81,7 @@ lines = 5
# Default temporary file
#
-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt
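Review bot: mail-buffered.conf and sendmail-buffered.conf now both default `tmpfile` to the identical path /var/run/fail2ban/tmp-mail.txt, so if both actions are enabled, or one of them is used by several jails without overriding tmpfile, they presumably share one buffer file and can clobber each other's pending report lines. This was already true of the old /tmp/fail2ban-mail.txt default, so it is not a regression, but since this patch is specifically about safe temp-file handling a distinct default such as `tmpfile = /var/run/fail2ban/tmp-sendmail.txt` in the sendmail-buffered.conf hunk would keep the two buffers apart. The actionstart/actioncheck commands that actually create and consume tmpfile are outside these hunks, so the exact interaction cannot be confirmed here.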
# Destination/Addressee of the mail
#
diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf
index 15b91b1..f0e5515 100644
--- a/config/action.d/mynetwatchman.conf
+++ b/config/action.d/mynetwatchman.conf
@@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp
# Notes.: Base name of temporary files
# Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman
#
-tmpfile = /tmp/fail2ban-mynetwatchman
+tmpfile = /var/run/fail2ban/tmp-mynetwatchman
diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf
index 90a482d..ad78b57 100644
--- a/config/action.d/sendmail-buffered.conf
+++ b/config/action.d/sendmail-buffered.conf
@@ -101,5 +101,5 @@ lines = 5
# Default temporary file
#
-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt
diff --git a/debian/changelog b/debian/changelog
index 7ccb6e6..0e70377 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+fail2ban (0.8.4-3+squeeze1) stable; urgency=low
+
+ [ Jonathan Wiltshire ]
+ * [e2232fc] Backport patch to fix CVE-2009-5023: Insecure creation of
+ tempfile (Closes: #544232, #635746)
+
+ [ Yaroslav Halchenko ]
+ * [6fc6c7b] Backport patch: Lock server's executeCmd to prevent racing
+ among iptables calls (Closes: #650678)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 16 Feb 2012 10:29:08 -0500
+
fail2ban (0.8.4-3) unstable; urgency=low
* Commenting out named-refused-udp jail and providing even fatter
diff --git a/server/action.py b/server/action.py
index 70f4c37..ea79dd8 100644
--- a/server/action.py
+++ b/server/action.py
@@ -25,11 +25,15 @@ __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
import logging, os
+import threading
#from subprocess import call
# Gets the instance of the logger.
logSys = logging.getLogger("fail2ban.actions.action")
+# Create a lock for running system commands
+_cmd_lock = threading.Lock()
+
##
# Execute commands.
#
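Review bot: The comment on the new `_cmd_lock` says only that it is a lock for running system commands, which does not tell a maintainer the two things that matter: it is process-wide and it is a plain `threading.Lock`, i.e. not reentrant. Suggested replacement for the comment: `# Process-wide, non-reentrant lock serializing every os.system() call across all jail threads (iptables races, Debian #650678); never call executeCmd while already holding it or the thread will deadlock`. Whether any caller could reach executeCmd re-entrantly is not visible from this hunk, so the warning is precautionary.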
@@ -301,17 +305,21 @@ class Action:
#@staticmethod
def executeCmd(realCmd):
logSys.debug(realCmd)
- try:
- # The following line gives deadlock with multiple jails
- #retcode = call(realCmd, shell=True)
- retcode = os.system(realCmd)
- if retcode == 0:
- logSys.debug("%s returned successfully" % realCmd)
- return True
- else:
- logSys.error("%s returned %x" % (realCmd, retcode))
- except OSError, e:
- logSys.error("%s failed with %s" % (realCmd, e))
+ _cmd_lock.acquire()
+ try: # Try wrapped within another try needed for python version < 2.5
+ try:
+ # The following line gives deadlock with multiple jails
+ #retcode = call(realCmd, shell=True)
+ retcode = os.system(realCmd)
+ if retcode == 0:
+ logSys.debug("%s returned successfully" % realCmd)
+ return True
+ else:
+ logSys.error("%s returned %x" % (realCmd, retcode))
+ except OSError, e:
+ logSys.error("%s failed with %s" % (realCmd, e))
+ finally:
+ _cmd_lock.release()
return False
executeCmd = staticmethod(executeCmd)
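Review bot: Because `_cmd_lock.acquire()` now brackets the entire `os.system(realCmd)` call, a single slow or hanging action command blocks ban and unban execution for every other jail in the process, not just the one that issued it; that is the intended fix for the iptables race but the trade-off is not recorded anywhere in executeCmd. A one-line comment above the acquire, `# Serializes all command execution process-wide: a hanging command here stalls every jail`, would keep that visible to whoever later tunes action timeouts. The nested try/finally is the right shape for Python < 2.5 and the `return True` inside the inner try still releases the lock via finally, so the locking itself looks correct. The `%x` formatting of `retcode` is pre-existing and untouched by this change.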