From nobody Wed Oct 27 15:50:16 2021
X-Original-To: dev-commits-ports-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 529CB182056F;
	Wed, 27 Oct 2021 15:50:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4HfY6w1rZTz3Nwk;
	Wed, 27 Oct 2021 15:50:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 202B112FA3;
	Wed, 27 Oct 2021 15:50:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 19RFoGVH016476;
	Wed, 27 Oct 2021 15:50:16 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 19RFoGxu016471;
	Wed, 27 Oct 2021 15:50:16 GMT
	(envelope-from git)
Date: Wed, 27 Oct 2021 15:50:16 GMT
Message-Id: <202110271550.19RFoGxu016471@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Yasuhiro Kimura
Subject: git: 69221920c9fa - 2021Q4 - security/py-fail2ban: Add upstream patch to fix possible RCE vulnerability
List-Id: Commits to the quarterly branches of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
Sender: owner-dev-commits-ports-branches@freebsd.org
X-BeenThere: dev-commits-ports-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: yasu
X-Git-Repository: ports
X-Git-Refname: refs/heads/2021Q4
X-Git-Reftype: branch
X-Git-Commit: 69221920c9faeff24c581ac1ee6d89ca4f1bbf11
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch 2021Q4 has been updated by yasu:

URL: https://cgit.FreeBSD.org/ports/commit/?id=69221920c9faeff24c581ac1ee6d89ca4f1bbf11

commit 69221920c9faeff24c581ac1ee6d89ca4f1bbf11
Author:     Yasuhiro Kimura
AuthorDate: 2021-10-20 09:42:38 +0000
Commit:     Yasuhiro Kimura
CommitDate: 2021-10-27 15:49:50 +0000

    security/py-fail2ban: Add upstream patch to fix possible RCE vulnerability

    * Switch to DISTVERSION
    * Pet portclippy
    * Reformat Makefile with portfmt

    PR:		259297
    Approved by:	maintainer
    Obtained from:	https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844
    MFH:		2021Q4
    Security:	CVE-2021-32749
    Security:	https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
    Differential Revision:	https://reviews.freebsd.org/D32576

    (cherry picked from commit 644e5b65b9503bed420885c9fefc8b3941dd009d)
---
 security/py-fail2ban/Makefile                   |  26 ++--
 security/py-fail2ban/files/patch-CVE-2021-32749 | 158 ++++++++++++++++++++++++
 2 files changed, 169 insertions(+), 15 deletions(-)

diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile
index 3d557c22d2cd..28d37d32a73f 100644
--- a/security/py-fail2ban/Makefile
+++ b/security/py-fail2ban/Makefile
@@ -1,6 +1,6 @@ PORTNAME= fail2ban -PORTVERSION= 0.11.2 -PORTREVISION= 2 +DISTVERSION= 0.11.2 +PORTREVISION= 3 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} @@ -15,24 +15,22 @@ RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR} USES= cpe python:3.6+,patch shebangfix USE_GITHUB= yes USE_PYTHON= autoplist distutils +PYDISTUTILS_BUILDARGS+= --without-tests +PYDISTUTILS_INSTALLARGS+= --install-data=${ETCDIR} USE_RC_SUBR= fail2ban -NO_ARCH= yes - SHEBANG_FILES= config/filter.d/ignorecommands/apache-fakegooglebot SHEBANG_LANG= fail2ban-python +NO_ARCH= yes SUB_LIST+= PYTHON_CMD=${PYTHON_CMD} -PYDISTUTILS_BUILDARGS+= --without-tests -PYDISTUTILS_INSTALLARGS+= --install-data=${ETCDIR} - -PORTDOCS= README.md DEVELOP +PORTDOCS= DEVELOP README.md -OPTIONS_DEFINE= DOCS INOTIFY -OPTIONS_DEFAULT=INOTIFY +OPTIONS_DEFINE= DOCS INOTIFY +OPTIONS_DEFAULT= INOTIFY -INOTIFY_DESC= Support for (lib)inotify to monitor filesystem changes +INOTIFY_DESC= Support for (lib)inotify to monitor filesystem changes INOTIFY_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pyinotify>=0.8.3:devel/py-pyinotify@${PY_FLAVOR} @@ -41,13 +39,11 @@ FILES= ${WRKSRC}/bin/fail2ban-client \ ${WRKSRC}/fail2ban/client/fail2bancmdline.py \ ${WRKSRC}/fail2ban/client/fail2banregex.py \ ${WRKSRC}/man/fail2ban-client.1 \ - ${WRKSRC}/man/fail2ban-client.h2m \ - ${WRKSRC}/setup.py + ${WRKSRC}/man/fail2ban-client.h2m ${WRKSRC}/setup.py MAN_FILES= ${WRKSRC}/man/fail2ban-client.1 \ ${WRKSRC}/man/fail2ban-client.h2m \ - ${WRKSRC}/man/fail2ban-regex.1 \ - ${WRKSRC}/man/fail2ban-server.1 \ + ${WRKSRC}/man/fail2ban-regex.1 ${WRKSRC}/man/fail2ban-server.1 \ ${WRKSRC}/man/fail2ban.1 FAIL2BAN_DBDIR= /var/db/${PORTNAME} diff --git a/security/py-fail2ban/files/patch-CVE-2021-32749 b/security/py-fail2ban/files/patch-CVE-2021-32749 new file mode 100644 index 000000000000..cdea27c37f8a --- /dev/null +++ b/security/py-fail2ban/files/patch-CVE-2021-32749 
@@ -0,0 +1,158 @@ +From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Mon, 21 Jun 2021 17:12:53 +0200 +Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable + (default tilde) stops consider "~" char after new-line as composing escape + sequence + +--- + config/action.d/complain.conf | 2 +- + config/action.d/dshield.conf | 2 +- + config/action.d/mail-buffered.conf | 8 ++++---- + config/action.d/mail-whois-lines.conf | 2 +- + config/action.d/mail-whois.conf | 6 +++--- + config/action.d/mail.conf | 6 +++--- + 6 files changed, 13 insertions(+), 13 deletions(-) + +diff --git config/action.d/complain.conf config/action.d/complain.conf +index 3a5f882c..4d73b058 100644 +--- config/action.d/complain.conf ++++ config/action.d/complain.conf +@@ -102,7 +102,7 @@ logpath = /dev/null + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +diff --git config/action.d/dshield.conf config/action.d/dshield.conf +index c128bef3..3d5a7a53 100644 +--- config/action.d/dshield.conf ++++ config/action.d/dshield.conf +@@ -179,7 +179,7 @@ tcpflags = + # Notes.: Your system mail command. Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Option: mailargs + # Notes.: Additional arguments to mail command. e.g. 
for standard Unix mail: +diff --git config/action.d/mail-buffered.conf config/action.d/mail-buffered.conf +index 325f185b..79b84104 100644 +--- config/action.d/mail-buffered.conf ++++ config/action.d/mail-buffered.conf +@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Output will be buffered until lines are available.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -28,13 +28,13 @@ actionstop = if [ -f ]; then + These hosts have been banned by Fail2Ban.\n + `cat ` + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : Summary from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary from " + rm + fi + printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: ( failures)\n" >> + These hosts have been banned by Fail2Ban.\n + `cat ` + \nRegards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : Summary" ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary" + rm + fi + +diff --git config/action.d/mail-whois-lines.conf config/action.d/mail-whois-lines.conf +index 3a3e56b2..d2818cb9 100644 +--- config/action.d/mail-whois-lines.conf ++++ config/action.d/mail-whois-lines.conf +@@ -72,7 +72,7 @@ actionunban = + # Notes.: Your system mail command. 
Is passed 2 args: subject and recipient + # Values: CMD + # +-mailcmd = mail -s ++mailcmd = mail -E 'set escape' -s + + # Default name of the chain + # +diff --git config/action.d/mail-whois.conf config/action.d/mail-whois.conf +index 7fea34c4..ab33b616 100644 +--- config/action.d/mail-whois.conf ++++ config/action.d/mail-whois.conf +@@ -20,7 +20,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n + Here is more information about :\n + `%(_whois_command)s`\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : banned from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " + + # Option: actionunban + # Notes.: command executed when unbanning an IP. 
Take care that the +diff --git config/action.d/mail.conf config/action.d/mail.conf +index 5d8c0e15..f4838ddc 100644 +--- config/action.d/mail.conf ++++ config/action.d/mail.conf +@@ -16,7 +16,7 @@ norestored = 1 + actionstart = printf %%b "Hi,\n + The jail has been started successfully.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : started on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " + + # Option: actionstop + # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n + actionstop = printf %%b "Hi,\n + The jail has been stopped.\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " + + # Option: actioncheck + # Notes.: command executed once before each actionban command +@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n + The IP has just been banned by Fail2Ban after + attempts against .\n + Regards,\n +- Fail2Ban"|mail -s "[Fail2Ban] : banned from " ++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " + + # Option: actionunban + # Notes.: command executed when unbanning an IP. Take care that the +-- +2.33.1 +
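Review bot: the PORTREVISION bump from 2 to 3 in the first Makefile hunk is what lets already-installed packages pick up this fix, but the commit references CVE-2021-32749 and GHSA-m985-3f3v-cwmm without a matching security/vuxml change in this diff. Make sure vuln.xml carries an entry for py*-fail2ban with `<lt>0.11.2_3</lt>` as the affected range; the upstream version string stays 0.11.2 (and `USES= cpe` keeps advertising it as such), so without that entry `pkg audit` will keep flagging the patched package as vulnerable.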
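Review bot: the `---`/`+++` paths in files/patch-CVE-2021-32749 (`diff --git config/action.d/complain.conf config/action.d/complain.conf`) are already stripped of the `a/` and `b/` prefixes, so the file applies with the ports framework's default `-p0`; keep that form if the patch is ever re-fetched from the `Obtained from` URL, because the raw GitHub commit carries the `a/` `b/` prefixes and would need PATCH_STRIP or a re-edit. The leading `From 410a6ce5...`/`Subject:` mail header is harmless to patch(1) but could be trimmed to the diff proper for consistency with the other files/patch-* in the tree.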
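Review bot: `mailcmd = mail -E 'set escape' -s` in the complain.conf hunk (and the identical edit in dshield.conf, mail.conf, mail-buffered.conf, mail-whois.conf and mail-whois-lines.conf) assumes GNU mailutils `mail`, where `-E`/`--exec` takes a mail command to execute before composing; that is what neutralises the tilde escape the advisory is about. FreeBSD's base mail(1) also accepts `-E`, but as a bare flag ("don't send messages with an empty body"), so there `'set escape'` is consumed as the first recipient address, option parsing stops, and `-s` plus the subject string become further bogus recipients: the notification silently stops reaching the intended address. This diff adds no dependency on mail/mailutils (RUN_DEPENDS still lists only py-sqlite3 and the optional py-pyinotify), so either add a pkg-message telling users that mailcmd must point at a mail implementation that understands `-E <command>`, or carry a FreeBSD-specific variant of these six lines for the base mail(1) after checking whether it even honours `~!` on piped, non-interactive input; if it does not, the upstream change is pure breakage on a stock FreeBSD host.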
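Review bot: the actionban hunk in mail-whois.conf still pastes untrusted whois output straight into the message body through `` `%(_whois_command)s` `` inside `printf %%b`, so the fix disables the escape interpreter on the consuming side rather than sanitising the input that carried the `\n~!` sequence. That is sufficient for the vector the advisory describes, but it leaves `printf %%b` expanding backslash sequences that an attacker-controlled whois record can contain, and it depends on every mail implementation behind `mailcmd` honouring the new option. Consider also filtering the whois output before it reaches the pipe (for example rewriting any line that starts with `~`) so the action no longer relies on the mailer's configuration alone.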