ports/113800: [patch] security/sshguard{, -ipfw, -pf} doesn't recognize all IPv6 addresses
Henrik Brix Andersen
henrik at brixandersen.dk
Sun Jun 17 15:40:04 UTC 2007
>Number: 113800
>Category: ports
>Synopsis: [patch] security/sshguard{,-ipfw,-pf} doesn't recognize all IPv6 addresses
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jun 17 15:40:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Henrik Brix Andersen
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
pil.dk
>Environment:
System: FreeBSD lothlorien.brixandersen.dk 7.0-CURRENT FreeBSD 7.0-CURRENT #44: Wed Jun 13 13:26:40 CEST 2007 root at lothlorien.brixandersen.dk:/usr/obj/usr/src/sys/LOTHLORIEN i386
>Description:
The regex used to recognize IPv6 addresses in
security/sshguard{,-ipfw,-pf} doesn't catch all IPv6 addresses. The
author (and port maintainer) is aware of this issue and supplied the
following patch, which fixes the issue. The patch will be part of
sshguard-1.1, which is due soonish.
He OK'ed that I submit the patch for inclusion in FreeBSD ports.
>How-To-Repeat:
>Fix:
--- sshguard.diff begins here ---
diff -urpN /usr/ports/security/sshguard/Makefile security/sshguard/Makefile
--- /usr/ports/security/sshguard/Makefile Wed Jun 13 00:13:32 2007
+++ security/sshguard/Makefile Sun Jun 17 17:25:16 2007
@@ -7,6 +7,7 @@
PORTNAME= sshguard
DISTVERSION= 1.0
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
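Review bot: The PORTREVISION bump lands only in security/sshguard/Makefile, while the synopsis also names sshguard-ipfw and sshguard-pf. Please confirm those two ports take PORTREVISION and the files/ directory from this Makefile, or bump them as well, so that installed packages of all three are rebuilt with the corrected scanner. Since the description says the fix ships in sshguard-1.1, a comment noting that files/patch-attack_scanner.l should be dropped at that update would help the next committer.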
diff -urpN /usr/ports/security/sshguard/files/patch-attack_scanner.l security/sshguard/files/patch-attack_scanner.l
--- /usr/ports/security/sshguard/files/patch-attack_scanner.l Thu Jan 1 01:00:00 1970
+++ security/sshguard/files/patch-attack_scanner.l Sun Jun 17 17:22:37 2007
@@ -0,0 +1,11 @@
+--- src/attack_scanner.l.orig Wed May 23 20:53:53 2007
++++ src/attack_scanner.l Sat Jun 16 17:45:43 2007
+@@ -46,7 +46,7 @@ NUMBER [1-9][0-9]*
+ /* an IPv4 address */
+ (25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3} { yylval.str = yytext; return IPv4; }
+ /* an IPv6 address */
+-((([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5})|(:(:[a-fA-F0-9]{1,4}){1,6}|([a-fA-F0-9]{1,4}:)(:[a-fA-F0-9]{1,4}){1,6}|([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5}|([a-fA-F0-9]{1,4}:){3}(:[a-fA-F0-9]{1,4}){1,4}|([a-fA-F0-9]{1,4}:){4}(:[a-fA-F0-9]{1,4}){1,3}|([a-fA-F0-9]{1,4}:){5}(:[a-fA-F0-9]{1,4}){1,2}|([a-fA-F0-9]{1,4}:){6}:[a-fA-F0-9]{1,4})) { yylval.str = yytext; return IPv6; }
++(([a-fA-F0-9]{1,4}(:[a-fA-F0-9]{1,4}){7})|(([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5})|(:(:[a-fA-F0-9]{1,4}){1,6}|([a-fA-F0-9]{1,4}:)(:[a-fA-F0-9]{1,4}){1,6}|([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5}|([a-fA-F0-9]{1,4}:){3}(:[a-fA-F0-9]{1,4}){1,4}|([a-fA-F0-9]{1,4}:){4}(:[a-fA-F0-9]{1,4}){1,3}|([a-fA-F0-9]{1,4}:){5}(:[a-fA-F0-9]{1,4}){1,2}|([a-fA-F0-9]{1,4}:){6}:[a-fA-F0-9]{1,4})) { yylval.str = yytext; return IPv6; }
+
+ /* an host address (PTR) */
+ localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+ { yylval.str = yytext; return HOSTADDR; }
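Review bot: The new first alternative adds the uncompressed eight-group form, but the IPv6 rule still has no branch for an address that ends in "::" (fe80:: or the unspecified address ::, for example), because every compressed branch requires at least one hex group after the double colon. Consider adding trailing-"::" branches or documenting the limitation next to the rule, since an address the scanner cannot tokenize is never handed to the blocking backend. The second alternative, ([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5}, is repeated verbatim inside the third group and can be dropped. A short comment listing which textual forms each branch covers would make this rule much easier to audit.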
--- sshguard.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
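The coverage change made by the patch can be checked offline. The following is an added example, not code from sshguard or from the submitter: it transcribes the IPv6 rule before and after the patch into Python's `re` (hex group factored out, the duplicated alternative dropped), assumes whole-token matching as a stand-in for the flex rule, and runs both over constructed sample addresses.

```python
import ipaddress
import re

H = "[a-fA-F0-9]{1,4}"  # one hex group, as written in attack_scanner.l

# Compressed ("::") branches present both before and after the patch:
# "::" + 1..6 groups, or n groups + "::" + 1..(7-n) groups for n = 1..6.
COMPRESSED = "|".join(
    [rf":(:{H}){{1,6}}"]
    + [rf"({H}:){{{n}}}(:{H}){{1,{7 - n}}}" for n in range(1, 7)]
)
OLD = re.compile(COMPRESSED)
# The patch adds one branch: eight groups with no "::" at all.
NEW = re.compile(rf"{H}(:{H}){{7}}|{COMPRESSED}")

# Constructed sample addresses (documentation prefix 2001:db8::/32).
SAMPLES = [
    "2001:db8:0:0:0:0:0:1",  # uncompressed form
    "2001:db8::1",
    "::1",
    "fe80::",
    "2001:db8::",
    "::",
]

def classify(addr):
    """Return (matched_before_patch, matched_after_patch) for the whole token."""
    return bool(OLD.fullmatch(addr)), bool(NEW.fullmatch(addr))

def still_missed(addrs):
    """Valid IPv6 addresses (per the ipaddress module) the patched rule rejects."""
    missed = []
    for a in addrs:
        ipaddress.IPv6Address(a)  # raises ValueError if the sample is invalid
        if not NEW.fullmatch(a):
            missed.append(a)
    return missed

if __name__ == "__main__":
    for a in SAMPLES:
        old, new = classify(a)
        print(f"{a:24} before={old!s:5} after={new}")
    print("valid but still unmatched:", still_missed(SAMPLES))
```

A table like this is a cheap regression test to keep beside the scanner: any address form that sshd can log but the rule cannot tokenize never reaches the blocking backend.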