
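--- a/security/py-fail2ban/Makefile
+++ b/security/py-fail2ban/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	fail2ban
-PORTVERSION=	0.11.2
+DISTVERSION=	0.11.2
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security python
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
 
@@ -15,24 +15,22 @@ RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR}
 USES=		cpe python:3.6+,patch shebangfix
 USE_GITHUB=	yes
 USE_PYTHON=	autoplist distutils
+PYDISTUTILS_BUILDARGS+=	--without-tests
+PYDISTUTILS_INSTALLARGS+=	--install-data=${ETCDIR}
 USE_RC_SUBR=	fail2ban
 
-NO_ARCH=	yes
-
 SHEBANG_FILES=	config/filter.d/ignorecommands/apache-fakegooglebot
 SHEBANG_LANG=	fail2ban-python
 
+NO_ARCH=	yes
 SUB_LIST+=	PYTHON_CMD=${PYTHON_CMD}
 
-PYDISTUTILS_BUILDARGS+=		--without-tests
+PORTDOCS=	DEVELOP README.md
-PYDISTUTILS_INSTALLARGS+=	--install-data=${ETCDIR}
-
-PORTDOCS=	README.md DEVELOP
 
-OPTIONS_DEFINE=	DOCS INOTIFY
+OPTIONS_DEFINE=		DOCS INOTIFY
-OPTIONS_DEFAULT=INOTIFY
+OPTIONS_DEFAULT=	INOTIFY
 
-INOTIFY_DESC=		Support for (lib)inotify to monitor filesystem changes
+INOTIFY_DESC=	Support for (lib)inotify to monitor filesystem changes
 
 INOTIFY_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}pyinotify>=0.8.3:devel/py-pyinotify@${PY_FLAVOR}
 
@@ -41,13 +39,11 @@ FILES= ${WRKSRC}/bin/fail2ban-client \
 		${WRKSRC}/fail2ban/client/fail2bancmdline.py \
 		${WRKSRC}/fail2ban/client/fail2banregex.py \
 		${WRKSRC}/man/fail2ban-client.1 \
-		${WRKSRC}/man/fail2ban-client.h2m \
+		${WRKSRC}/man/fail2ban-client.h2m ${WRKSRC}/setup.py
-		${WRKSRC}/setup.py
 
 MAN_FILES=	${WRKSRC}/man/fail2ban-client.1 \
 		${WRKSRC}/man/fail2ban-client.h2m \
-		${WRKSRC}/man/fail2ban-regex.1 \
+		${WRKSRC}/man/fail2ban-regex.1 ${WRKSRC}/man/fail2ban-server.1 \
-		${WRKSRC}/man/fail2ban-server.1 \
 		${WRKSRC}/man/fail2ban.1
 
 FAIL2BAN_DBDIR=	/var/db/${PORTNAME}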
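Review bot: The only Makefile change the security fix needs is `PORTREVISION=	3`, but this section also switches `PORTVERSION` to `DISTVERSION`, moves `NO_ARCH` and the two `PYDISTUTILS_*ARGS` lines, re-sorts `PORTDOCS` and re-wraps the `FILES`/`MAN_FILES` continuations. Keeping that cosmetic churn in a separate change would make the CVE fix easier to audit and, if it has to be merged to another branch (not stated on the page), easier to backport. Nothing in the Makefile names the new patch, so a short comment would help the next maintainer, e.g. `# files/patch-CVE-2021-32749 is upstream commit 410a6ce5; drop it once the port moves to a release that contains it`.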
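--- /dev/null
+++ b/security/py-fail2ban/files/patch-CVE-2021-32749
@@ -0,0 +1,158 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf         | 2 +-
+ config/action.d/dshield.conf          | 2 +-
+ config/action.d/mail-buffered.conf    | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf       | 6 +++---
+ config/action.d/mail.conf             | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git config/action.d/complain.conf config/action.d/complain.conf
+index 3a5f882c..4d73b058 100644
+--- config/action.d/complain.conf
++++ config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Option:  mailargs
+ # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git config/action.d/dshield.conf config/action.d/dshield.conf
+index c128bef3..3d5a7a53 100644
+--- config/action.d/dshield.conf
++++ config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Option:  mailargs
+ # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git config/action.d/mail-buffered.conf config/action.d/mail-buffered.conf
+index 325f185b..79b84104 100644
+--- config/action.d/mail-buffered.conf
++++ config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Output will be buffered until <lines> lines are available.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+                  These hosts have been banned by Fail2Ban.\n
+                  `cat <tmpfile>`
+                  Regards,\n
+-                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++                 Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+                  rm <tmpfile>
+              fi
+              printf %%b "Hi,\n
+              The jail <name> has been stopped.\n
+              Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+                These hosts have been banned by Fail2Ban.\n
+                `cat <tmpfile>`
+                \nRegards,\n
+-                Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++                Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+                rm <tmpfile>
+            fi
+ 
+diff --git config/action.d/mail-whois-lines.conf config/action.d/mail-whois-lines.conf
+index 3a3e56b2..d2818cb9 100644
+--- config/action.d/mail-whois-lines.conf
++++ config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Default name of the chain
+ #
+diff --git config/action.d/mail-whois.conf config/action.d/mail-whois.conf
+index 7fea34c4..ab33b616 100644
+--- config/action.d/mail-whois.conf
++++ config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+             Here is more information about <ip> :\n
+             `%(_whois_command)s`\n
+             Regards,\n
+-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+diff --git config/action.d/mail.conf config/action.d/mail.conf
+index 5d8c0e15..f4838ddc 100644
+--- config/action.d/mail.conf
++++ config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+             The IP <ip> has just been banned by Fail2Ban after
+             <failures> attempts against <name>.\n
+             Regards,\n
+-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+-- 
+2.33.1
+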
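Review bot: Every rewritten command in this patch depends on `mail -E 'set escape'`, which only works where `-E` accepts a command string. That holds for a mailutils-style `mail`, but to my knowledge the base-system mail(1) on FreeBSD defines `-E` as a flag with no argument (do not send messages with an empty body). If the actions resolve to that client, `'set escape'` would be parsed as an operand ahead of `-s`, so the subject and recipient would no longer be read as intended, notifications could silently break, and the escape setting would never be applied. Before committing, run one patched action (for example `actionstart` in config/action.d/mail.conf) against the mail(1) the port targets and confirm that subject, recipient and body arrive unchanged. The result should be recorded in the patch header, e.g. `# -E 'set escape' assumes a mail(1) whose -E takes a command; verified against <mail client / version>`.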
