full patch attached -- I just want to hear your feedback first and then will do additional testing to ensure correct behavior on a stable system. The major change is to deal with the grave bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650678, which prevented use of fail2ban with multiple jails enabled. It has been in unstable and testing for a while and I have not heard any negative feedback. It also incorporates (sorry -- that version of f2b didn't yet use 3.0 (quilt)) the suggested NMU http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635746 about insecure temporary file creation. -- =------------------------------------------------------------------= Keep in touch www.onerussian.com Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
index b80698b..8549a55 100644
--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
@@ -206,5 +206,5 @@ dest = reports@dshield.org
 # Notes.: Base name of temporary files used for buffering
 # Values: [ STRING ] Default: /tmp/fail2ban-dshield
 #
-tmpfile = /tmp/fail2ban-dshield
+tmpfile = /var/run/fail2ban/tmp-dshield
diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
index 04788ab..b2255a1 100644
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@@ -81,7 +81,7 @@ lines = 5
 # Default temporary file
 #
-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt
 # Destination/Addressee of the mail
 #
diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf
index 15b91b1..f0e5515 100644
--- a/config/action.d/mynetwatchman.conf
+++ b/config/action.d/mynetwatchman.conf
@@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp
 # Notes.: Base name of temporary files
 # Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman
 #
-tmpfile = /tmp/fail2ban-mynetwatchman
+tmpfile = /var/run/fail2ban/tmp-mynetwatchman
diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf
index 90a482d..ad78b57 100644
--- a/config/action.d/sendmail-buffered.conf
+++ b/config/action.d/sendmail-buffered.conf
@@ -101,5 +101,5 @@ lines = 5
 # Default temporary file
 #
-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt
diff --git a/debian/changelog b/debian/changelog
index 7ccb6e6..0e70377 100644
--- a/debian/changelog
+++ b/debian/changelog
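Review bot: The `# Values: [ STRING ] Default: /tmp/fail2ban-dshield` comment two lines above the changed `tmpfile` line still documents the old `/tmp` default, so the shipped config now contradicts itself; the same stale `Default:` line is left untouched in the mynetwatchman.conf hunk. Change it to `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield` here and to `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-mynetwatchman` in the other hunk. Leaving the `/tmp` path in the documentation invites an administrator to set it back, which would reintroduce the shared-temporary-directory exposure this change is meant to remove.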
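Review bot: Moving the buffer file under `/var/run/fail2ban` only removes the shared-`/tmp` exposure if that directory exists and is writable by root alone before any action runs; nothing in this hunk or in the sendmail-buffered.conf hunk creates it or states the requirement, and the patch does not show where it is created (presumably the init script, but that is outside this diff). I'd add a line to the comment block of each changed file: `# Notes.: the directory must exist and be writable only by root before the action runs`. It is also worth a sentence that mail-buffered.conf and sendmail-buffered.conf still share one file, now `/var/run/fail2ban/tmp-mail.txt` as before `/tmp/fail2ban-mail.txt`, so enabling both actions interleaves their buffers.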
@@ -1,3 +1,15 @@
+fail2ban (0.8.4-3+squeeze1) stable; urgency=low
+
+ [ Jonathan Wiltshire ]
+ * [e2232fc] Backport patch to fix CVE-2009-5023: Insecure creation of
+ tempfile (Closes: #544232, #635746)
+
+ [ Yaroslav Halchenko ]
+ * [6fc6c7b] Backport patch: Lock server's executeCmd to prevent racing
+ among iptables calls (Closes: #650678)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 16 Feb 2012 10:29:08 -0500
+
 fail2ban (0.8.4-3) unstable; urgency=low
 * Commenting out named-refused-udp jail and providing even fatter
diff --git a/server/action.py b/server/action.py
index 70f4c37..ea79dd8 100644
--- a/server/action.py
+++ b/server/action.py
@@ -25,11 +25,15 @@ __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 import logging, os
+import threading
 #from subprocess import call
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban.actions.action")
+# Create a lock for running system commands
+_cmd_lock = threading.Lock()
+
 ##
 # Execute commands.
 #
@@ -301,17 +305,21 @@ class Action:
 #@staticmethod
 def executeCmd(realCmd):
 logSys.debug(realCmd)
-try:
- # The following line gives deadlock with multiple jails
- #retcode = call(realCmd, shell=True)
- retcode = os.system(realCmd)
- if retcode == 0:
- logSys.debug("%s returned successfully" % realCmd)
- return True
- else:
- logSys.error("%s returned %x" % (realCmd, retcode))
- except OSError, e:
- logSys.error("%s failed with %s" % (realCmd, e))
+ _cmd_lock.acquire()
+ try: # Try wrapped within another try needed for python version < 2.5
+ try:
+ # The following line gives deadlock with multiple jails
+ #retcode = call(realCmd, shell=True)
+ retcode = os.system(realCmd)
+ if retcode == 0:
+ logSys.debug("%s returned successfully" % realCmd)
+ return True
+ else:
+ logSys.error("%s returned %x" % (realCmd, retcode))
+ except OSError, e:
+ logSys.error("%s failed with %s" % (realCmd, e))
+ finally:
+ _cmd_lock.release()
 return False
 executeCmd = staticmethod(executeCmd)
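Review bot: `_cmd_lock` is a single module-wide lock taken with a blocking `acquire()` and no timeout in the executeCmd hunk, so one command that hangs (a mail action waiting on an unresponsive MTA, say) stalls the ban and unban actions of every jail, not just its own; that trade-off is the substance of the fix for #650678 but is not stated where the lock is defined in the first action.py hunk. I'd extend that comment to `# Serializes all shell commands across jails: concurrent iptables invocations raced (#650678). A hung command blocks every other jail's actions until it returns.` and give `executeCmd` a one-line docstring noting that it returns True only for exit status 0 and False on a non-zero status or OSError, both of which are logged. The `os.system(realCmd)` call itself is unchanged, so the command string still goes through a shell; how the tags interpolated into it are validated is decided outside this hunk and the patch does not show it.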