From ohauer@FreeBSD.org  Mon Dec 23 17:39:41 2013
Return-Path: <ohauer@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id BEC5E32B
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 23 Dec 2013 17:39:41 +0000 (UTC)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 8FE101FDB;
	Mon, 23 Dec 2013 17:39:41 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id rBNHdfUO016152;
	Mon, 23 Dec 2013 17:39:41 GMT
	(envelope-from ohauer@freefall.freebsd.org)
Received: (from ohauer@localhost)
	by freefall.freebsd.org (8.14.7/8.14.7/Submit) id rBNHdf8K016151;
	Mon, 23 Dec 2013 17:39:41 GMT
	(envelope-from ohauer)
Message-Id: <201312231739.rBNHdf8K016151@freefall.freebsd.org>
Date: Mon, 23 Dec 2013 17:39:41 GMT
From: Olli Hauer <ohauer@FreeBSD.org>
Reply-To:
To: <FreeBSD-gnats-submit@freebsd.org>
Cc: <jmohacsi@bsd.hu>
Subject: [patch] security/denyhosts possible remote DOS
X-Send-Pr-Version: 3.114
X-GNATS-Notify: jmohacsi@bsd.hu

>Number:         185141
>Category:       ports
>Synopsis:       [patch] security/denyhosts possible remote DOS
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ohauer
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 23 17:40:00 UTC 2013
>Closed-Date:    Sat Apr 05 20:01:58 UTC 2014
>Last-Modified:  Sat Apr 05 20:01:58 UTC 2014
>Originator:     ohauer
>Release:        
>Organization:
>Environment:

>Description:
On seclists.org a possible DOS for denyhosts is described.
 http://seclists.org/oss-sec/2013/q4/535

I don't use denyhosts but integrated the proposed patch and compared
the resulting DenyHosts/regex.py with the one from the updated Debian package
(the bug was reported to Debian, and the secteam has already shaped new packages).

Additionally, teach the port staging and do some minor cleanup.


>How-To-Repeat:
Read the description on seclists.org

>Fix:


--- denyhosts.diff begins here ---
Index: denyhosts/Makefile
===================================================================
--- denyhosts/Makefile	(revision 337257)
+++ denyhosts/Makefile	(working copy)
@@ -3,7 +3,7 @@
 
 PORTNAME=	denyhosts
 PORTVERSION=	2.6
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	security
 MASTER_SITES=	SF
 DISTNAME=	DenyHosts-${PORTVERSION}
@@ -11,6 +11,8 @@
 MAINTAINER=	jmohacsi@bsd.hu
 COMMENT=	Script to thwart ssh attacks
 
+LICENSE=	GPLv2
+
 USE_PYTHON=	yes
 USE_PYDISTUTILS=	yes
 PYDISTUTILS_PKGNAME=	DenyHosts
@@ -21,24 +23,21 @@
 
 PORTDOCS=	CHANGELOG.txt LICENSE.txt README.txt
 
-NO_STAGE=	yes
 post-patch:
 	@${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' \
 		${WRKSRC}/daemon-control-dist \
 		${WRKSRC}/denyhosts.cfg-dist \
 		${WRKSRC}/setup.py
-	@${RM} ${WRKSRC}/scripts/restricted_from_passwd.py.orig
+	@${REINPLACE_CMD} -i '' -e 's|!/bin/env|!/usr/bin/env|' \
+		-e 's|/sbin/nologin|/usr/sbin/nologin|' \
+		${WRKSRC}/scripts/restricted_from_invalid.py \
+		${WRKSRC}/scripts/restricted_from_passwd.py
 
 post-install:
-	${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf-dist
-	[ -f ${PREFIX}/etc/denyhosts.conf ] || \
-		${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf
-.if !defined(NOPORTDOCS)
-	@${MKDIR} ${DOCSDIR}
-. for f in ${PORTDOCS}
-	${INSTALL_DATA} ${WRKSRC}/${f} ${DOCSDIR}
-. endfor
-.endif
-	@${CAT} ${PKGMESSAGE}
+	${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist \
+		${STAGEDIR}${PREFIX}/etc/denyhosts.conf-dist
 
+	@${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/|} ${STAGEDIR}${DOCSDIR}
+
 .include <bsd.port.mk>
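Review bot: the `-i ''` handed to ${REINPLACE_CMD} in the new post-patch lines adds a second -i to a command that already carries one (REINPLACE_CMD is sed with an in-place backup suffix), so the no-backup behaviour only holds because sed lets the later -i win; USES=shebangfix is the framework's mechanism for the `#!/bin/env` rewrite, and since the `${RM} ${WRKSRC}/scripts/restricted_from_passwd.py.orig` line is dropped, a pre-install sweep of *.orig and *.bak files under ${WRKSRC} is what keeps sed and patch leftovers out of the stage directory. The removed `[ -f ${PREFIX}/etc/denyhosts.conf ] || ...` copy is covered by the plist's @exec line, and `@${CAT} ${PKGMESSAGE}` is no longer needed under staging because pkg prints pkg-message itself.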
Index: denyhosts/files/patch-DenyHosts__regex.py
===================================================================
--- denyhosts/files/patch-DenyHosts__regex.py	(working copy)
+++ denyhosts/files/patch-DenyHosts__regex.py	(working copy)
@@ -1,11 +1,44 @@
---- DenyHosts/regex.py.orig	Sat Jun 23 14:32:34 2007
-+++ DenyHosts/regex.py	Sat Jun 23 14:32:58 2007
-@@ -17,7 +17,7 @@
+# Patch shaped from http://seclists.org/oss-sec/2013/q4/535
+===================================================================
+--- ./DenyHosts/regex.py.orig	2006-12-07 20:47:04.000000000 +0100
++++ ./DenyHosts/regex.py	2013-12-23 17:17:42.000000000 +0100
+@@ -6,22 +6,22 @@
  
- FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
+ #DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
  
+-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
++SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
+ #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
+ 
+-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+ 
+-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+ 
+-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX3 = None
+ 
+-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
++FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
+ 
 -FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
-+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
  
- FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
  
+-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
++FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
+ 
+ 
+ # these are reserved for future versions
+@@ -42,7 +42,7 @@
+     FAILED_ENTRY_REGEX_MAP[i] = rx
+ 
+ 
+-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+ 
+ TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")
+ 
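Review bot: FAILED_ENTRY_REGEX3 is set to None while the context at `FAILED_ENTRY_REGEX_MAP[i] = rx` shows the values being copied into the map unchanged, so whatever iterates the map must skip None before calling a match method; either filter it there or leave a never-matching pattern in the slot. Separately, the `$` placed directly after the host group in FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2, FAILED_ENTRY_REGEX6 and SUCCESSFUL_ENTRY_REGEX means a message carrying anything after the address no longer matches and is silently ignored instead of counted, so check the patterns against the exact sshd line formats of the OpenSSH versions this port is expected to watch before committing. The rest of the hunk is the right shape for this class of bug: single-token fields (`\S*`, `\S+`) for method and host, a literal ` from ` in place of ` .*from`, the lazy `.*?` in SSHD_FORMAT_REGEX and the end anchor together leave no free-text span that can be matched against the wrong part of a log line.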

Property changes on: denyhosts/files/patch-DenyHosts__regex.py
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: denyhosts/files/patch-DenyHosts_regex.py
===================================================================
--- denyhosts/files/patch-DenyHosts_regex.py	(revision 337257)
+++ denyhosts/files/patch-DenyHosts_regex.py	(working copy)
@@ -1,11 +0,0 @@
---- DenyHosts/regex.py.orig	Sat Jun 23 14:32:34 2007
-+++ DenyHosts/regex.py	Sat Jun 23 14:32:58 2007
-@@ -17,7 +17,7 @@
- 
- FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
- 
--FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
-+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
- 
- FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
- 
Index: denyhosts/files/patch-scripts_restrited-from-passwd.py
===================================================================
--- denyhosts/files/patch-scripts_restrited-from-passwd.py	(revision 337257)
+++ denyhosts/files/patch-scripts_restrited-from-passwd.py	(working copy)
@@ -1,11 +0,0 @@
---- scripts/restricted_from_passwd.py.orig	2008-11-26 12:06:31.231726279 -0500
-+++ scripts/restricted_from_passwd.py	2008-11-26 12:06:36.696728675 -0500
-@@ -11,7 +11,7 @@
- #
- ############################################################################
- 
--RESTRICTED_SHELLS = ("/sbin/nologin",
-+RESTRICTED_SHELLS = ("/usr/sbin/nologin",
-                      "/sbin/shutdown",
-                      "/sbin/halt")
- 
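Review bot: deleting this patch and doing `s|/sbin/nologin|/usr/sbin/nologin|` in post-patch turns the entry into a replacement rather than an addition, and the unanchored substitution hits every occurrence of the string in both scripts; keeping the patch under its `make makepatch` name (which also fixes the "restrited" typo in the file name) with "/usr/sbin/nologin" added next to "/sbin/nologin" is the smaller and more precise change, and is what the committed version below ends up doing.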
Index: denyhosts/pkg-descr
===================================================================
--- denyhosts/pkg-descr	(revision 337257)
+++ denyhosts/pkg-descr	(working copy)
@@ -18,4 +18,4 @@
 - Optionally sends an email of newly banned hosts and suspicious logins.
 - Resolves IP addresses to hostnames, if you want
 
-WWW:	http://denyhosts.sourceforge.net/
+WWW: http://denyhosts.sourceforge.net/
Index: denyhosts/pkg-plist
===================================================================
--- denyhosts/pkg-plist	(revision 337257)
+++ denyhosts/pkg-plist	(working copy)
@@ -2,79 +2,79 @@
 @unexec if cmp -s %D/etc/denyhosts.conf %D/etc/denyhosts.conf-dist; then rm -f %D/etc/denyhosts.conf; fi
 etc/denyhosts.conf-dist
 @exec [ -f %B/denyhosts.conf ] || cp -f %B/%f %B/denyhosts.conf
-%%DATADIR%%/daemon-control-dist
-%%DATADIR%%/denyhosts.cfg-dist
-%%DATADIR%%/setup.py
-%%DATADIR%%/scripts/restricted_from_invalid.py
-%%DATADIR%%/scripts/restricted_from_passwd.py
-%%DATADIR%%/plugins/README.contrib
-%%DATADIR%%/plugins/shorewall_allow.sh
-%%DATADIR%%/plugins/shorewall_deny.sh
-%%DATADIR%%/plugins/test_deny.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/constants.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/counter.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyo
 %%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.py
 %%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyc
 %%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/version.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyo
 %%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.py
 %%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyc
 %%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/util.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyo
 %%PYTHON_SITELIBDIR%%/DenyHosts/plugin.py
 %%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyc
 %%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyo
 %%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.py
 %%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyc
 %%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/constants.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/report.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyo
 %%PYTHON_SITELIBDIR%%/DenyHosts/python_version.py
 %%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyc
 %%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/counter.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyo
 %%PYTHON_SITELIBDIR%%/DenyHosts/regex.py
 %%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyc
 %%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/report.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyo
 %%PYTHON_SITELIBDIR%%/DenyHosts/sync.py
 %%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyc
 %%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyo
-@dirrm %%PYTHON_SITELIBDIR%%/DenyHosts
+%%PYTHON_SITELIBDIR%%/DenyHosts/util.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/version.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyo
+%%DATADIR%%/daemon-control-dist
+%%DATADIR%%/denyhosts.cfg-dist
+%%DATADIR%%/plugins/README.contrib
+%%DATADIR%%/plugins/shorewall_allow.sh
+%%DATADIR%%/plugins/shorewall_deny.sh
+%%DATADIR%%/plugins/test_deny.py
+%%DATADIR%%/scripts/restricted_from_invalid.py
+%%DATADIR%%/scripts/restricted_from_passwd.py
+%%DATADIR%%/setup.py
 @dirrm %%DATADIR%%/scripts
 @dirrm %%DATADIR%%/plugins
 @dirrm %%DATADIR%%
+@dirrm %%PYTHON_SITELIBDIR%%/DenyHosts
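Review bot: the reordered %%PYTHON_SITELIBDIR%% list plus the moved `@dirrm %%PYTHON_SITELIBDIR%%/DenyHosts` is a hand copy of what distutils installs; PYDISTUTILS_AUTOPLIST=yes generates those entries (and, as the committed plist shows, the bin/ and %%DATADIR%% ones too) from setup.py, so the plist cannot drift from the installed files when upstream adds or drops a module, and only the etc/ lines remain to maintain by hand.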
--- denyhosts.diff ends here ---
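As an added regression check (not part of this PR or of DenyHosts itself), the hardened patterns from the regex.py patch above are run over constructed sshd log lines; the numeric try order and the skipping of the None slot left for FAILED_ENTRY_REGEX3 are assumptions, since the loop that fills FAILED_ENTRY_REGEX_MAP is only partly visible on this page.

```python
import re
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    kind: str             # "failed" or "success"
    user: Optional[str]   # None for messages that carry no user name
    host: str


# Patterns copied verbatim from the hardened DenyHosts/regex.py in the patch above.
SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
FAILED_ENTRY_REGEX3 = None
FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")

# Assumed consumer order: numeric, skipping the None slot the patch leaves for
# FAILED_ENTRY_REGEX3 (DenyHosts' own map loop is only partly visible on the page).
FAILED_ENTRY_REGEXES = [rx for rx in (FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2, FAILED_ENTRY_REGEX3,
                                       FAILED_ENTRY_REGEX4, FAILED_ENTRY_REGEX5, FAILED_ENTRY_REGEX6,
                                       FAILED_ENTRY_REGEX7) if rx is not None]


def parse_line(line: str) -> Optional[Entry]:
    """Split a syslog line into the sshd message and classify it; None if no pattern applies."""
    m = SSHD_FORMAT_REGEX.match(line.rstrip("\n"))
    if m is None:
        return None
    message = m.group("message")
    s = SUCCESSFUL_ENTRY_REGEX.search(message)
    if s:
        return Entry("success", s.group("user"), s.group("host"))
    for rx in FAILED_ENTRY_REGEXES:
        f = rx.search(message)
        if f:
            # REGEX6 has no user group, hence the groupdict lookup.
            return Entry("failed", f.groupdict().get("user"), f.group("host"))
    return None


def parse_log(lines: List[str]) -> List[Optional[Entry]]:
    return [parse_line(line) for line in lines]


def failed_hosts(lines: List[str]) -> dict:
    """Failures per host: the figure DenyHosts compares against its deny thresholds."""
    counts: dict = {}
    for entry in parse_log(lines):
        if entry is not None and entry.kind == "failed":
            counts[entry.host] = counts.get(entry.host, 0) + 1
    return counts


# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = [
    "Dec 23 17:17:42 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10",
    "Dec 23 17:17:43 gw sshd[1235]: Invalid user test from ::ffff:198.51.100.7",
    "Dec 23 17:17:44 gw sshd[1236]: Did not receive identification string from 192.0.2.33",
    "Dec 23 17:17:45 gw sshd[1237]: Accepted publickey for alice from 203.0.113.5",
    "Dec 23 17:17:46 gw sshd[1238]: User bob from 203.0.113.9 not allowed because not listed in AllowUsers",
    "Dec 23 17:17:47 gw [sshd] Authentication failure for carol from gw.example.net",
    # Trailing fields after the address: the end anchor rejects this line, which is
    # exactly the behaviour to verify against the sshd log format actually in use.
    "Dec 23 17:17:48 gw sshd[1239]: Failed password for root from 192.0.2.10 port 51234 ssh2",
]

if __name__ == "__main__":
    for line, entry in zip(SAMPLE_LOG, parse_log(SAMPLE_LOG)):
        print(f"{entry!r:<55} <- {line}")
    print(failed_hosts(SAMPLE_LOG))
```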


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Mon Dec 23 17:40:08 UTC 2013 
State-Changed-Why:  
Awaiting maintainers feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=185141 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: jmohacsi@bsd.hu
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/185141: [patch] security/denyhosts possible remote DOS
Date: Mon, 23 Dec 2013 17:40:07 UT

 Maintainer of security/denyhosts,
 
 Please note that PR ports/185141 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/185141
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org
Responsible-Changed-From-To: freebsd-ports-bugs->ohauer 
Responsible-Changed-By: ohauer 
Responsible-Changed-When: Mon Dec 23 18:20:03 UTC 2013 
Responsible-Changed-Why:  
take my PR 

http://www.freebsd.org/cgi/query-pr.cgi?pr=185141 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/185141: commit references a PR
Date: Sat,  5 Apr 2014 19:44:20 +0000 (UTC)

 Author: ohauer
 Date: Sat Apr  5 19:44:15 2014
 New Revision: 350260
 URL: http://svnweb.freebsd.org/changeset/ports/350260
 QAT: https://qat.redports.org/buildarchive/r350260/
 
 Log:
   - add stage support
   - use PYDISTUTILS_AUTOPLIST
   - rename patch files to reflect `make makepatch' naming
   - fix possible DOS
     reported on: http://seclists.org/oss-sec/2013/q4/535
   
   PR:		ports/185141
   Submitted by:	ohauer
   Approved by:	maintainer timeout
 
 Added:
   head/security/denyhosts/files/patch-DenyHosts__regex.py
      - copied, changed from r350242, head/security/denyhosts/files/patch-DenyHosts_regex.py
   head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py
      - copied, changed from r350242, head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py
 Deleted:
   head/security/denyhosts/files/patch-DenyHosts_regex.py
   head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py
 Modified:
   head/security/denyhosts/Makefile
   head/security/denyhosts/pkg-descr
   head/security/denyhosts/pkg-plist
 
 Modified: head/security/denyhosts/Makefile
 ==============================================================================
 --- head/security/denyhosts/Makefile	Sat Apr  5 19:16:48 2014	(r350259)
 +++ head/security/denyhosts/Makefile	Sat Apr  5 19:44:15 2014	(r350260)
 @@ -3,7 +3,7 @@
  
  PORTNAME=	denyhosts
  PORTVERSION=	2.6
 -PORTREVISION=	4
 +PORTREVISION=	5
  CATEGORIES=	security
  MASTER_SITES=	SF
  DISTNAME=	DenyHosts-${PORTVERSION}
 @@ -11,9 +11,19 @@ DISTNAME=	DenyHosts-${PORTVERSION}
  MAINTAINER=	jmohacsi@bsd.hu
  COMMENT=	Script to thwart ssh attacks
  
 +LICENSE=	GPLv2
 +
  USE_PYTHON=	yes
  USE_PYDISTUTILS=	yes
 -PYDISTUTILS_PKGNAME=	DenyHosts
 +PYDISTUTILS_AUTOPLIST=	yes
 +
 +USES=		shebangfix
 +env_OLD_CMD=	/bin/env
 +env_CMD=	${SETENV}
 +SHEBANG_LANG=	python env
 +SHEBANG_FILES=	plugins/test_deny.py \
 +		scripts/restricted_from_invalid.py \
 +		scripts/restricted_from_passwd.py
  
  USE_RC_SUBR=	denyhosts
  SUB_LIST+=	PYTHON=${PYTHON_CMD}
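Review bot: `env_OLD_CMD=/bin/env` with `env_CMD=${SETENV}` and `SHEBANG_LANG=python env` replaces the PR's sed rewrite with the framework mechanism, and SHEBANG_FILES now also covers plugins/test_deny.py, which the sed version missed; note that PYDISTUTILS_AUTOPLIST replaces PYDISTUTILS_PKGNAME here, so the pkg-plist hunk below has to drop every distutils-installed entry or they would be listed twice.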
 @@ -21,24 +31,20 @@ SUB_FILES=	pkg-message
  
  PORTDOCS=	CHANGELOG.txt LICENSE.txt README.txt
  
 -NO_STAGE=	yes
  post-patch:
  	@${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' \
  		${WRKSRC}/daemon-control-dist \
  		${WRKSRC}/denyhosts.cfg-dist \
  		${WRKSRC}/setup.py
 -	@${RM} ${WRKSRC}/scripts/restricted_from_passwd.py.orig
 +
 +pre-install:
 +	@${FIND} ${WRKSRC} -type f \( -name \*.bak -o -name \*.orig \) -delete
  
  post-install:
 -	${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf-dist
 -	[ -f ${PREFIX}/etc/denyhosts.conf ] || \
 -		${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf
 -.if !defined(NOPORTDOCS)
 -	@${MKDIR} ${DOCSDIR}
 -. for f in ${PORTDOCS}
 -	${INSTALL_DATA} ${WRKSRC}/${f} ${DOCSDIR}
 -. endfor
 -.endif
 -	@${CAT} ${PKGMESSAGE}
 +	${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist \
 +		${STAGEDIR}${PREFIX}/etc/denyhosts.conf-dist
 +
 +	@${MKDIR} ${STAGEDIR}${DOCSDIR}
 +	${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/|} ${STAGEDIR}${DOCSDIR}
  
  .include <bsd.port.mk>
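Review bot: the pre-install `${FIND} ${WRKSRC} -type f \( -name \*.bak -o -name \*.orig \) -delete` sweep covers both the REINPLACE_CMD backups and patch(1) leftovers in one place, so the `${RM} ...py.orig` line it replaces is properly superseded; it does run over the whole ${WRKSRC}, which is harmless for this port but would also remove any upstream file legitimately named *.orig or *.bak.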
 
 Copied and modified: head/security/denyhosts/files/patch-DenyHosts__regex.py (from r350242, head/security/denyhosts/files/patch-DenyHosts_regex.py)
 ==============================================================================
 --- head/security/denyhosts/files/patch-DenyHosts_regex.py	Sat Apr  5 16:08:16 2014	(r350242, copy source)
 +++ head/security/denyhosts/files/patch-DenyHosts__regex.py	Sat Apr  5 19:44:15 2014	(r350260)
 @@ -1,11 +1,44 @@
 ---- DenyHosts/regex.py.orig	Sat Jun 23 14:32:34 2007
 -+++ DenyHosts/regex.py	Sat Jun 23 14:32:58 2007
 -@@ -17,7 +17,7 @@
 +# Patch shaped from http://seclists.org/oss-sec/2013/q4/535
 +===================================================================
 +--- ./DenyHosts/regex.py.orig	2006-12-07 20:47:04.000000000 +0100
 ++++ ./DenyHosts/regex.py	2013-12-23 17:17:42.000000000 +0100
 +@@ -6,22 +6,22 @@
   
 - FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
 + #DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
 + 
 +-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
 ++SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
 + #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
 + 
 +-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
 ++FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
 + 
 +-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
 ++FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
 + 
 +-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
 ++FAILED_ENTRY_REGEX3 = None
 + 
 +-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
 ++FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
   
  -FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
 -+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
 ++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
 + 
 +-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
 ++FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
 + 
 +-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
 ++FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
 + 
 + 
 + # these are reserved for future versions
 +@@ -42,7 +42,7 @@
 +     FAILED_ENTRY_REGEX_MAP[i] = rx
 + 
 + 
 +-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
 ++SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
   
 - FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
 + TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")
   
 
 Copied and modified: head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py (from r350242, head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py)
 ==============================================================================
 --- head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py	Sat Apr  5 16:08:16 2014	(r350242, copy source)
 +++ head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py	Sat Apr  5 19:44:15 2014	(r350260)
 @@ -1,11 +1,10 @@
 ---- scripts/restricted_from_passwd.py.orig	2008-11-26 12:06:31.231726279 -0500
 -+++ scripts/restricted_from_passwd.py	2008-11-26 12:06:36.696728675 -0500
 -@@ -11,7 +11,7 @@
 - #
 +--- ./scripts/restricted_from_passwd.py.orig	2013-12-28 18:51:41.000000000 +0100
 ++++ ./scripts/restricted_from_passwd.py	2013-12-28 18:51:41.000000000 +0100
 +@@ -12,6 +12,7 @@
   ############################################################################
   
 --RESTRICTED_SHELLS = ("/sbin/nologin",
 -+RESTRICTED_SHELLS = ("/usr/sbin/nologin",
 + RESTRICTED_SHELLS = ("/sbin/nologin",
 ++                     "/usr/sbin/nologin",
                        "/sbin/shutdown",
                        "/sbin/halt")
   
 
 Modified: head/security/denyhosts/pkg-descr
 ==============================================================================
 --- head/security/denyhosts/pkg-descr	Sat Apr  5 19:16:48 2014	(r350259)
 +++ head/security/denyhosts/pkg-descr	Sat Apr  5 19:44:15 2014	(r350260)
 @@ -18,4 +18,4 @@ Denyhosts helps you:
  - Optionally sends an email of newly banned hosts and suspicious logins.
  - Resolves IP addresses to hostnames, if you want
  
 -WWW:	http://denyhosts.sourceforge.net/
 +WWW: http://denyhosts.sourceforge.net/
 
 Modified: head/security/denyhosts/pkg-plist
 ==============================================================================
 --- head/security/denyhosts/pkg-plist	Sat Apr  5 19:16:48 2014	(r350259)
 +++ head/security/denyhosts/pkg-plist	Sat Apr  5 19:44:15 2014	(r350260)
 @@ -1,80 +1,3 @@
 -bin/denyhosts.py
  @unexec if cmp -s %D/etc/denyhosts.conf %D/etc/denyhosts.conf-dist; then rm -f %D/etc/denyhosts.conf; fi
  etc/denyhosts.conf-dist
  @exec [ -f %B/denyhosts.conf ] || cp -f %B/%f %B/denyhosts.conf
 -%%DATADIR%%/daemon-control-dist
 -%%DATADIR%%/denyhosts.cfg-dist
 -%%DATADIR%%/setup.py
 -%%DATADIR%%/scripts/restricted_from_invalid.py
 -%%DATADIR%%/scripts/restricted_from_passwd.py
 -%%DATADIR%%/plugins/README.contrib
 -%%DATADIR%%/plugins/shorewall_allow.sh
 -%%DATADIR%%/plugins/shorewall_deny.sh
 -%%DATADIR%%/plugins/test_deny.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/version.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/util.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/report.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyo
 -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.py
 -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyc
 -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyo
 -@dirrm %%PYTHON_SITELIBDIR%%/DenyHosts
 -@dirrm %%DATADIR%%/scripts
 -@dirrm %%DATADIR%%/plugins
 -@dirrm %%DATADIR%%
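Review bot: only the three etc/ lines survive, so bin/denyhosts.py, the %%DATADIR%% files and the DenyHosts module now all come from the autoplist generated out of setup.py; `make check-plist` against the stage directory is the check that nothing is orphaned or missing after the switch.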
 _______________________________________________
 svn-ports-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-ports-all
 To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: feedback->closed 
State-Changed-By: ohauer 
State-Changed-When: Sat Apr 5 20:01:36 UTC 2014 
State-Changed-Why:  
Committed! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=185141 
>Unformatted:
