--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
unblock fail2ban/0.8.6-3wheezy1
Please unblock package fail2ban -- addressed a CVE (through a cherry-pick from
"upstream" changes released in 0.8.8, in experimental). The likelihood that anyone
running the vulnerable version was affected is close to 0, since it requires a
custom configuration enabling use of <matches>. Here is a debdiff -- seems to
be working fine ;-)
~/deb/builds/fail2ban$ debdiff 0.8.6-3/fail2ban_0.8.6-3.dsc 0.8.6-3wheezy1/fail2ban_0.8.6-3wheezy1.dsc
diff -u fail2ban-0.8.6/debian/changelog fail2ban-0.8.6/debian/changelog
--- fail2ban-0.8.6/debian/changelog
+++ fail2ban-0.8.6/debian/changelog
@@ -1,3 +1,12 @@
+fail2ban (0.8.6-3wheezy1) unstable; urgency=high
+
+ * CVE-2012-5642: Escape the content of <matches> since its value could
+ contain arbitrary symbols (Closes: #696184)
+ * Since package source format remained 1.0, manpages patch
+ (deb_manpages_reportbug) was not applied -- fold it into .diff.gz
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 17 Dec 2012 13:19:32 -0500
+
fail2ban (0.8.6-3) unstable; urgency=low
* Added dovecot section to Debian's jail.conf. Thanks to Laurent
diff -u fail2ban-0.8.6/debian/gbp.conf fail2ban-0.8.6/debian/gbp.conf
--- fail2ban-0.8.6/debian/gbp.conf
+++ fail2ban-0.8.6/debian/gbp.conf
@@ -2,7 +2,7 @@
# the default branch for upstream sources:
upstream-branch = upstream
# the default branch for the debian patch:
-debian-branch = debian
+debian-branch = debian-releases/wheezy
# use pristine-tar
pristine-tar = True
# the default tag formats used:
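Review bot: the debian-branch switch to debian-releases/wheezy is maintainer metadata with no effect on the built package, but it is not mentioned in the changelog entry; a one-line note there would make the stable-update diff easier to audit.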
reverted:
--- fail2ban-0.8.6/debian/patches/series
+++ fail2ban-0.8.6.orig/debian/patches/series
@@ -1 +0,0 @@
-deb_manpages_reportbug
reverted:
--- fail2ban-0.8.6/debian/patches/deb_manpages_reportbug
+++ fail2ban-0.8.6.orig/debian/patches/deb_manpages_reportbug
@@ -1,28 +0,0 @@
-From: Yaroslav Halchenko <debian@onerussian.com>
-Date: Fri, 8 Feb 2008 00:40:57 -0500
-Subject: tune ups in upstream manpages to direct users to use reportbug
-
---- a/man/fail2ban-client.1
-+++ b/man/fail2ban-client.1
-@@ -251,7 +251,8 @@ action <ACT> for <JAIL>
- Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
- Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
- .SH "REPORTING BUGS"
--Report bugs to <cyril.jaquier@fail2ban.org>
-+Please report bugs via Debian bug tracking system
-+http://www.debian.org/Bugs/.
- .SH COPYRIGHT
- Copyright \(co 2004-2008 Cyril Jaquier
- .br
---- a/man/fail2ban-server.1
-+++ b/man/fail2ban-server.1
-@@ -35,7 +35,8 @@ print the version
- Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
- Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
- .SH "REPORTING BUGS"
--Report bugs to <cyril.jaquier@fail2ban.org>
-+Please report bugs via Debian bug tracking system
-+http://www.debian.org/Bugs/.
- .SH COPYRIGHT
- Copyright \(co 2004-2008 Cyril Jaquier
- .br
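Review bot: nothing is lost by dropping this patch and the emptied series file as long as the man page hunks that follow are identical to this patch body, which they are (the same two-line "REPORTING BUGS" replacement in fail2ban-client.1 and fail2ban-server.1); the only consequence of folding the quilt layer into .diff.gz is that the change is no longer separately reversible.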
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/man/fail2ban-server.1
+++ fail2ban-0.8.6/man/fail2ban-server.1
@@ -35,7 +35,8 @@
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
-Report bugs to <cyril.jaquier@fail2ban.org>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2008 Cyril Jaquier
.br
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/man/fail2ban-client.1
+++ fail2ban-0.8.6/man/fail2ban-client.1
@@ -251,7 +251,8 @@
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
-Report bugs to <cyril.jaquier@fail2ban.org>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2008 Cyril Jaquier
.br
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/server/action.py
+++ fail2ban-0.8.6/server/action.py
@@ -230,7 +230,14 @@
def execActionStop(self):
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd)
-
+
+ def escapeTag(tag):
+ for c in '\\#&;`|*?~<>^()[]{}$\n':
+ if c in tag:
+ tag = tag.replace(c, '\\' + c)
+ return tag
+ escapeTag = staticmethod(escapeTag)
+
##
# Replaces tags in query with property values in aInfo.
#
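Review bot: the escape set on the `for c in` line leaves single and double quotes unescaped, so an action template that wraps the tag in quotes (for example `"<matches>"`) would have that quoting ended by a quote character in the log line; adding `'` and `"` (and `\r`) to the string closes that gap. Listing `\\` first is correct, since the backslashes inserted for the later characters are then not escaped a second time; the `if c in tag` guard is redundant because `str.replace` is already a no-op when the character is absent.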
@@ -243,8 +250,13 @@
""" Replace tags in query
"""
string = query
- for tag in aInfo:
- string = string.replace('<' + tag + '>', str(aInfo[tag]))
+ for tag, value in aInfo.iteritems():
+ value = str(value) # assure string
+ if tag == 'matches':
+ # That one needs to be escaped since its content is
+ # out of our control
+ value = Action.escapeTag(value)
+ string = string.replace('<' + tag + '>', value)
# New line
string = string.replace("<br>", '\n')
return string
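Review bot: only the `matches` tag is escaped, so the safety of every other aInfo value rests on those being generated by the server rather than copied from log text; that assumption deserves a comment next to the `if tag == 'matches'` branch, or the escape could simply be applied to every value. Also, `str(value)` raises UnicodeEncodeError under Python 2 if a log line arrives as a unicode object containing non-ASCII characters, which would abort the ban action; the pre-patch code had the same problem, but it is worth handling while touching this line.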
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
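The effect of the escaping in the debdiff above, as an added example that is not part of the original report or of fail2ban's code: a Python 3 re-implementation of escapeTag and replaceTag (iteritems replaced by items) applied to a constructed action template and a constructed log-derived <matches> value, with shlex standing in for the shell's word splitting.

```python
import shlex

# Metacharacters escaped by the patch's Action.escapeTag; backslash comes
# first so the backslashes added for later characters are not re-escaped.
ESCAPE_CHARS = '\\#&;`|*?~<>^()[]{}$\n'


def escape_tag(tag):
    """Prefix each shell metacharacter with a backslash (as in the debdiff)."""
    for c in ESCAPE_CHARS:
        tag = tag.replace(c, '\\' + c)
    return tag


def replace_tag(query, ainfo):
    """Expand <tag> placeholders; only <matches> is log-derived and escaped."""
    for tag, value in ainfo.items():
        value = str(value)
        if tag == 'matches':
            value = escape_tag(value)
        query = query.replace('<' + tag + '>', value)
    return query.replace('<br>', '\n')


def shell_words(command):
    """Tokenise like a POSIX shell, splitting operators such as ; | & < >."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


# Constructed sample (not from the page): an action template that uses
# <matches>, and a log line whose content is outside the server's control.
ACTION_BAN = 'echo ban <ip> <matches> >> /var/log/fail2ban-bans.log'
AINFO = {'ip': '192.0.2.10',
         'matches': 'Invalid user bob;id from 192.0.2.10 port 22'}


def unescaped_argv():
    """Pre-patch behaviour: raw substitution lets ';' end the echo command."""
    raw = ACTION_BAN.replace('<ip>', AINFO['ip'])
    raw = raw.replace('<matches>', AINFO['matches'])
    return shell_words(raw)


def escaped_argv():
    """Patched behaviour: the log text stays inside ordinary words."""
    return shell_words(replace_tag(ACTION_BAN, AINFO))
```

Running `unescaped_argv()` yields a separate `;` token followed by `id`, while `escaped_argv()` keeps `bob;id` as one word and the only operator left is the template's own `>>`.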
--- Begin Message ---
On Thu, 2013-01-03 at 00:04 -0500, Yaroslav Halchenko wrote:
> Please unblock package fail2ban -- addressed a CVE (through a cherry-pick from
> "upstream" changes released in 0.8.8, in experimental). The likelihood that anyone
> running the vulnerable version was affected is close to 0, since it requires a
> custom configuration enabling use of <matches>. Here is a debdiff -- seems to
> be working fine ;-)
Unblocked; thanks.
Regards,
Adam
--- End Message ---