From 684bf8155787efb2140d5b6ba9af5b8e52740e1d Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 24 Dec 2012 12:44:24 -0500 Subject: [PATCH] Folding debian/patches into .diff.gz since we are still at 1.0 pkg source format in wheezy --- debian/changelog | 2 + debian/patches/deb_manpages_reportbug | 28 ----------- debian/patches/series | 2 - .../up_escape-the-content-of-matches.patch | 47 ------------------- man/fail2ban-client.1 | 3 +- man/fail2ban-server.1 | 3 +- server/action.py | 18 +++++-- 7 files changed, 21 insertions(+), 82 deletions(-) delete mode 100644 debian/patches/deb_manpages_reportbug delete mode 100644 debian/patches/series delete mode 100644 debian/patches/up_escape-the-content-of-matches.patch diff --git a/debian/changelog b/debian/changelog index c26ee5fa..efe1bf33 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ fail2ban (0.8.6-3wheezy1) unstable; urgency=high * CVE-2012-5642: Escape the content of since its value could contain arbitrary symbols (Closes: #696184) + * Since package source format remained 1.0, manpages patch + (deb_manpages_reportbug) was not applied -- fold it into .diff.gz -- Yaroslav Halchenko Mon, 17 Dec 2012 13:19:32 -0500 diff --git a/debian/patches/deb_manpages_reportbug b/debian/patches/deb_manpages_reportbug deleted file mode 100644 index f6f33706..00000000 --- a/debian/patches/deb_manpages_reportbug +++ /dev/null @@ -1,28 +0,0 @@ -From: Yaroslav Halchenko -Date: Fri, 8 Feb 2008 00:40:57 -0500 -Subject: tune ups in upstream manpages to direct users to use reportbug - ---- a/man/fail2ban-client.1 -+++ b/man/fail2ban-client.1 -@@ -251,7 +251,8 @@ action for - Written by Cyril Jaquier . - Many contributions by Yaroslav O. Halchenko . - .SH "REPORTING BUGS" --Report bugs to -+Please report bugs via Debian bug tracking system -+http://www.debian.org/Bugs/. - .SH COPYRIGHT - Copyright \(co 2004-2008 Cyril Jaquier - .br ---- a/man/fail2ban-server.1 -+++ b/man/fail2ban-server.1 -@@ -35,7 +35,8 @@ print the version - Written by Cyril Jaquier . - Many contributions by Yaroslav O. Halchenko . - .SH "REPORTING BUGS" --Report bugs to -+Please report bugs via Debian bug tracking system -+http://www.debian.org/Bugs/. - .SH COPYRIGHT - Copyright \(co 2004-2008 Cyril Jaquier - .br diff --git a/debian/patches/series b/debian/patches/series deleted file mode 100644 index 60cb5deb..00000000 --- a/debian/patches/series +++ /dev/null @@ -1,2 +0,0 @@ -up_escape-the-content-of-matches.patch -deb_manpages_reportbug diff --git a/debian/patches/up_escape-the-content-of-matches.patch b/debian/patches/up_escape-the-content-of-matches.patch deleted file mode 100644 index faa93888..00000000 --- a/debian/patches/up_escape-the-content-of-matches.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Yaroslav Halchenko -Date: Mon, 8 Oct 2012 22:14:51 -0400 -Subject: [PATCH] BF: escape the content of since its value could contain arbitrary symbols - - Contains two commits 83109bce144f443a48ef31165a5389b7b83f4e0e and 09355663f7a3c0409e08efdebf98b1bbf47d1d9c - -Bug-Debian: http://bugs.debian.org/696184 -Origin: upstream - ---- - server/action.py | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - ---- a/server/action.py -+++ b/server/action.py -@@ -230,7 +230,14 @@ class Action: - def execActionStop(self): - stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) - return Action.executeCmd(stopCmd) -- -+ -+ def escapeTag(tag): -+ for c in '\\#&;`|*?~<>^()[]{}$\n': -+ if c in tag: -+ tag = tag.replace(c, '\\' + c) -+ return tag -+ escapeTag = staticmethod(escapeTag) -+ - ## - # Replaces tags in query with property values in aInfo. - # -@@ -243,8 +250,13 @@ class Action: - """ Replace tags in query - """ - string = query -- for tag in aInfo: -- string = string.replace('<' + tag + '>', str(aInfo[tag])) -+ for tag, value in aInfo.iteritems(): -+ value = str(value) # assure string -+ if tag == 'matches': -+ # That one needs to be escaped since its content is -+ # out of our control -+ value = Action.escapeTag(value) -+ string = string.replace('<' + tag + '>', value) - # New line - string = string.replace("
", '\n') - return string diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index d0217175..9806a4a7 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 @@ -251,7 +251,8 @@ action for Written by Cyril Jaquier . Many contributions by Yaroslav O. Halchenko . .SH "REPORTING BUGS" -Report bugs to +Please report bugs via Debian bug tracking system +http://www.debian.org/Bugs/. .SH COPYRIGHT Copyright \(co 2004-2008 Cyril Jaquier .br diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index 7212bcdd..0341980e 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -35,7 +35,8 @@ print the version Written by Cyril Jaquier . Many contributions by Yaroslav O. Halchenko . .SH "REPORTING BUGS" -Report bugs to +Please report bugs via Debian bug tracking system +http://www.debian.org/Bugs/. .SH COPYRIGHT Copyright \(co 2004-2008 Cyril Jaquier .br diff --git a/server/action.py b/server/action.py index e8f6bd12..1a89e0d3 100644 --- a/server/action.py +++ b/server/action.py @@ -230,7 +230,14 @@ class Action: def execActionStop(self): stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) return Action.executeCmd(stopCmd) - + + def escapeTag(tag): + for c in '\\#&;`|*?~<>^()[]{}$\n': + if c in tag: + tag = tag.replace(c, '\\' + c) + return tag + escapeTag = staticmethod(escapeTag) + ## # Replaces tags in query with property values in aInfo. # @@ -243,8 +250,13 @@ class Action: """ Replace tags in query """ string = query - for tag in aInfo: - string = string.replace('<' + tag + '>', str(aInfo[tag])) + for tag, value in aInfo.iteritems(): + value = str(value) # assure string + if tag == 'matches': + # That one needs to be escaped since its content is + # out of our control + value = Action.escapeTag(value) + string = string.replace('<' + tag + '>', value) # New line string = string.replace("
", '\n') return string