
Bug#697258: unblock: fail2ban/0.8.6-3wheezy1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

unblock fail2ban/0.8.6-3wheezy1

Please unblock package fail2ban -- it addresses a CVE (through a cherry-pick from
"upstream" changes released in 0.8.8, in experimental).  The likelihood that anyone
running the vulnerable version was affected is close to 0, since it requires a
custom configuration enabling use of <matches>.  Here is a debdiff -- seems to
be working fine ;-)

~/deb/builds/fail2ban$ debdiff 0.8.6-3/fail2ban_0.8.6-3.dsc 0.8.6-3wheezy1/fail2ban_0.8.6-3wheezy1.dsc 
diff -u fail2ban-0.8.6/debian/changelog fail2ban-0.8.6/debian/changelog
--- fail2ban-0.8.6/debian/changelog
+++ fail2ban-0.8.6/debian/changelog
@@ -1,3 +1,12 @@
+fail2ban (0.8.6-3wheezy1) unstable; urgency=high
+
+  * CVE-2012-5642: Escape the content of <matches> since its value could
+    contain arbitrary symbols (Closes: #696184)
+  * Since package source format remained 1.0, manpages patch
+    (deb_manpages_reportbug) was not applied -- fold it into .diff.gz
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 17 Dec 2012 13:19:32 -0500
+
 fail2ban (0.8.6-3) unstable; urgency=low
 
   * Added dovecot section to Debian's jail.conf.  Thanks to Laurent
diff -u fail2ban-0.8.6/debian/gbp.conf fail2ban-0.8.6/debian/gbp.conf
--- fail2ban-0.8.6/debian/gbp.conf
+++ fail2ban-0.8.6/debian/gbp.conf
@@ -2,7 +2,7 @@
 # the default branch for upstream sources:
 upstream-branch = upstream
 # the default branch for the debian patch:
-debian-branch = debian
+debian-branch = debian-releases/wheezy
 # use pristine-tar
 pristine-tar = True
 # the default tag formats used:
reverted:
--- fail2ban-0.8.6/debian/patches/series
+++ fail2ban-0.8.6.orig/debian/patches/series
@@ -1 +0,0 @@
-deb_manpages_reportbug
reverted:
--- fail2ban-0.8.6/debian/patches/deb_manpages_reportbug
+++ fail2ban-0.8.6.orig/debian/patches/deb_manpages_reportbug
@@ -1,28 +0,0 @@
-From: Yaroslav Halchenko <debian@onerussian.com>
-Date: Fri, 8 Feb 2008 00:40:57 -0500
-Subject: tune ups in upstream manpages to direct users to use reportbug
-
---- a/man/fail2ban-client.1
-+++ b/man/fail2ban-client.1
-@@ -251,7 +251,8 @@ action <ACT> for <JAIL>
- Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
- Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
- .SH "REPORTING BUGS"
--Report bugs to <cyril.jaquier@fail2ban.org>
-+Please report bugs via Debian bug tracking system
-+http://www.debian.org/Bugs/.
- .SH COPYRIGHT
- Copyright \(co 2004-2008 Cyril Jaquier
- .br
---- a/man/fail2ban-server.1
-+++ b/man/fail2ban-server.1
-@@ -35,7 +35,8 @@ print the version
- Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
- Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
- .SH "REPORTING BUGS"
--Report bugs to <cyril.jaquier@fail2ban.org>
-+Please report bugs via Debian bug tracking system
-+http://www.debian.org/Bugs/.
- .SH COPYRIGHT
- Copyright \(co 2004-2008 Cyril Jaquier
- .br
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/man/fail2ban-server.1
+++ fail2ban-0.8.6/man/fail2ban-server.1
@@ -35,7 +35,8 @@
 Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
 Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
 .SH "REPORTING BUGS"
-Report bugs to <cyril.jaquier@fail2ban.org>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
 .SH COPYRIGHT
 Copyright \(co 2004-2008 Cyril Jaquier
 .br
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/man/fail2ban-client.1
+++ fail2ban-0.8.6/man/fail2ban-client.1
@@ -251,7 +251,8 @@
 Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
 Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
 .SH "REPORTING BUGS"
-Report bugs to <cyril.jaquier@fail2ban.org>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
 .SH COPYRIGHT
 Copyright \(co 2004-2008 Cyril Jaquier
 .br
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/server/action.py
+++ fail2ban-0.8.6/server/action.py
@@ -230,7 +230,14 @@
    def execActionStop(self):
        stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
        return Action.executeCmd(stopCmd)
-   
+
+   def escapeTag(tag):
+       for c in '\\#&;`|*?~<>^()[]{}$\n':
+           if c in tag:
+               tag = tag.replace(c, '\\' + c)
+       return tag
+   escapeTag = staticmethod(escapeTag)
+
    ##
    # Replaces tags in query with property values in aInfo.
    #
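Review bot: the character list in escapeTag covers the common shell metacharacters but not single or double quotes or whitespace, so the escaping is only sufficient where `<matches>` is substituted as an unquoted word in the action command; if an action string wraps it in `"..."` or `'...'` the shell parses it differently. A comment stating which substitution context the escaping is designed for would help later reviewers. The ordering of the list is correct and important: `\\` comes first, so the backslashes introduced by later replacements are not escaped a second time; a brief comment that the backslash must stay first would guard against someone reordering it.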
@@ -243,8 +250,13 @@
        """ Replace tags in query
        """
        string = query
-       for tag in aInfo:
-           string = string.replace('<' + tag + '>', str(aInfo[tag]))
+       for tag, value in aInfo.iteritems():
+           value = str(value)            # assure string
+           if tag == 'matches':
+               # That one needs to be escaped since its content is
+               # out of our control
+               value = Action.escapeTag(value)
+           string = string.replace('<' + tag + '>', value)
        # New line
        string = string.replace("<br>", '\n')
        return string
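Review bot: escaping is applied only when `tag == 'matches'`, so the safety of every other key in aInfo rests on its value being produced by the server rather than taken from log content; a one-line comment saying that is the assumption would make this condition easier to audit. Note also that substitution runs one tag at a time over the dictionary, so a value containing a literal `<othertag>` can be expanded by a later iteration; escaping `<` and `>` in `matches` prevents that for the escaped tag, but the unescaped tags get no such protection. `aInfo.iteritems()` is Python 2 only, which is fine for this target but worth keeping in mind if the hunk is cherry-picked elsewhere.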



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

