Folding debian/patches into .diff.gz since we are still at 1.0 pkg source format in wheezy
Yaroslav Halchenko
11 years ago
| 1 | 1 | |
| 2 | 2 | * CVE-2012-5642: Escape the content of <matches> since its value could |
| 3 | 3 | contain arbitrary symbols (Closes: #696184) |
| 4 | * Since package source format remained 1.0, manpages patch | |
| 5 | (deb_manpages_reportbug) was not applied -- fold it into .diff.gz | |
| 4 | 6 | |
| 5 | 7 | -- Yaroslav Halchenko <debian@onerussian.com> Mon, 17 Dec 2012 13:19:32 -0500 |
| 6 | 8 |
| 0 | From: Yaroslav Halchenko <debian@onerussian.com> | |
| 1 | Date: Fri, 8 Feb 2008 00:40:57 -0500 | |
| 2 | Subject: tune ups in upstream manpages to direct users to use reportbug | |
| 3 | ||
| 4 | --- a/man/fail2ban-client.1 | |
| 5 | +++ b/man/fail2ban-client.1 | |
| 6 | @@ -251,7 +251,8 @@ action <ACT> for <JAIL> | |
| 7 | Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. | |
| 8 | Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. | |
| 9 | .SH "REPORTING BUGS" | |
| 10 | -Report bugs to <cyril.jaquier@fail2ban.org> | |
| 11 | +Please report bugs via Debian bug tracking system | |
| 12 | +http://www.debian.org/Bugs/. | |
| 13 | .SH COPYRIGHT | |
| 14 | Copyright \(co 2004-2008 Cyril Jaquier | |
| 15 | .br | |
| 16 | --- a/man/fail2ban-server.1 | |
| 17 | +++ b/man/fail2ban-server.1 | |
| 18 | @@ -35,7 +35,8 @@ print the version | |
| 19 | Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. | |
| 20 | Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. | |
| 21 | .SH "REPORTING BUGS" | |
| 22 | -Report bugs to <cyril.jaquier@fail2ban.org> | |
| 23 | +Please report bugs via Debian bug tracking system | |
| 24 | +http://www.debian.org/Bugs/. | |
| 25 | .SH COPYRIGHT | |
| 26 | Copyright \(co 2004-2008 Cyril Jaquier | |
| 27 | .br |
| 0 | From: Yaroslav Halchenko <debian@onerussian.com> | |
| 1 | Date: Mon, 8 Oct 2012 22:14:51 -0400 | |
| 2 | Subject: [PATCH] BF: escape the content of <matches> since its value could contain arbitrary symbols | |
| 3 | ||
| 4 | Contains two commits 83109bce144f443a48ef31165a5389b7b83f4e0e and 09355663f7a3c0409e08efdebf98b1bbf47d1d9c | |
| 5 | ||
| 6 | Bug-Debian: http://bugs.debian.org/696184 | |
| 7 | Origin: upstream | |
| 8 | ||
| 9 | --- | |
| 10 | server/action.py | 18 +++++++++++++++--- | |
| 11 | 1 file changed, 15 insertions(+), 3 deletions(-) | |
| 12 | ||
| 13 | --- a/server/action.py | |
| 14 | +++ b/server/action.py | |
| 15 | @@ -230,7 +230,14 @@ class Action: | |
| 16 | def execActionStop(self): | |
| 17 | stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) | |
| 18 | return Action.executeCmd(stopCmd) | |
| 19 | - | |
| 20 | + | |
| 21 | + def escapeTag(tag): | |
| 22 | + for c in '\\#&;`|*?~<>^()[]{}$\n': | |
| 23 | + if c in tag: | |
| 24 | + tag = tag.replace(c, '\\' + c) | |
| 25 | + return tag | |
| 26 | + escapeTag = staticmethod(escapeTag) | |
| 27 | + | |
| 28 | ## | |
| 29 | # Replaces tags in query with property values in aInfo. | |
| 30 | # | |
| 31 | @@ -243,8 +250,13 @@ class Action: | |
| 32 | """ Replace tags in query | |
| 33 | """ | |
| 34 | string = query | |
| 35 | - for tag in aInfo: | |
| 36 | - string = string.replace('<' + tag + '>', str(aInfo[tag])) | |
| 37 | + for tag, value in aInfo.iteritems(): | |
| 38 | + value = str(value) # assure string | |
| 39 | + if tag == 'matches': | |
| 40 | + # That one needs to be escaped since its content is | |
| 41 | + # out of our control | |
| 42 | + value = Action.escapeTag(value) | |
| 43 | + string = string.replace('<' + tag + '>', value) | |
| 44 | # New line | |
| 45 | string = string.replace("<br>", '\n') | |
| 46 | return string |
| 250 | 250 | Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. |
| 251 | 251 | Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. |
| 252 | 252 | .SH "REPORTING BUGS" |
| 253 | Report bugs to <cyril.jaquier@fail2ban.org> | |
| 253 | Please report bugs via Debian bug tracking system | |
| 254 | http://www.debian.org/Bugs/. | |
| 254 | 255 | .SH COPYRIGHT |
| 255 | 256 | Copyright \(co 2004-2008 Cyril Jaquier |
| 256 | 257 | .br |
| 34 | 34 | Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. |
| 35 | 35 | Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. |
| 36 | 36 | .SH "REPORTING BUGS" |
| 37 | Report bugs to <cyril.jaquier@fail2ban.org> | |
| 37 | Please report bugs via Debian bug tracking system | |
| 38 | http://www.debian.org/Bugs/. | |
| 38 | 39 | .SH COPYRIGHT |
| 39 | 40 | Copyright \(co 2004-2008 Cyril Jaquier |
| 40 | 41 | .br |
| 229 | 229 | def execActionStop(self): |
| 230 | 230 | stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo) |
| 231 | 231 | return Action.executeCmd(stopCmd) |
| 232 | ||
| 232 | ||
| 233 | def escapeTag(tag): | |
| 234 | for c in '\\#&;`|*?~<>^()[]{}$\n': | |
| 235 | if c in tag: | |
| 236 | tag = tag.replace(c, '\\' + c) | |
| 237 | return tag | |
| 238 | escapeTag = staticmethod(escapeTag) | |
| 239 | ||
| 233 | 240 | ## |
| 234 | 241 | # Replaces tags in query with property values in aInfo. |
| 235 | 242 | # |
| 242 | 249 | """ Replace tags in query |
| 243 | 250 | """ |
| 244 | 251 | string = query |
| 245 | for tag in aInfo: | |
| 246 | string = string.replace('<' + tag + '>', str(aInfo[tag])) | |
| 252 | for tag, value in aInfo.iteritems(): | |
| 253 | value = str(value) # assure string | |
| 254 | if tag == 'matches': | |
| 255 | # That one needs to be escaped since its content is | |
| 256 | # out of our control | |
| 257 | value = Action.escapeTag(value) | |
| 258 | string = string.replace('<' + tag + '>', value) | |
| 247 | 259 | # New line |
| 248 | 260 | string = string.replace("<br>", '\n') |
| 249 | 261 | return string |