ports/185141: [patch] security/denyhosts possible remote DOS
Olli Hauer
ohauer at FreeBSD.org
Mon Dec 23 17:40:00 UTC 2013
>Number: 185141
>Category: ports
>Synopsis: [patch] security/denyhosts possible remote DOS
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 23 17:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: ohauer
>Release:
>Organization:
>Environment:
>Description:
On seclists.org a possible DOS for denyhosts is described.
http://seclists.org/oss-sec/2013/q4/535
I don't use denyhosts, but I integrated the proposed patch and compared
the resulting DenyHosts/regex.py with the one from the updated Debian package
(the bug was reported to Debian, and their security team has already built new packages).
Additionally, teach the port staging and do some minor cleanup.
>How-To-Repeat:
Read the description on seclists.org.
>Fix:
--- denyhosts.diff begins here ---
Index: denyhosts/Makefile
===================================================================
--- denyhosts/Makefile (revision 337257)
+++ denyhosts/Makefile (working copy)
@@ -3,7 +3,7 @@
PORTNAME= denyhosts
PORTVERSION= 2.6
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= security
MASTER_SITES= SF
DISTNAME= DenyHosts-${PORTVERSION}
@@ -11,6 +11,8 @@
MAINTAINER= jmohacsi at bsd.hu
COMMENT= Script to thwart ssh attacks
+LICENSE= GPLv2
+
USE_PYTHON= yes
USE_PYDISTUTILS= yes
PYDISTUTILS_PKGNAME= DenyHosts
@@ -21,24 +23,21 @@
PORTDOCS= CHANGELOG.txt LICENSE.txt README.txt
-NO_STAGE= yes
post-patch:
@${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' \
${WRKSRC}/daemon-control-dist \
${WRKSRC}/denyhosts.cfg-dist \
${WRKSRC}/setup.py
- @${RM} ${WRKSRC}/scripts/restricted_from_passwd.py.orig
+ @${REINPLACE_CMD} -i '' -e 's|!/bin/env|!/usr/bin/env|' \
+ -e 's|/sbin/nologin|/usr/sbin/nologin|' \
+ ${WRKSRC}/scripts/restricted_from_invalid.py \
+ ${WRKSRC}/scripts/restricted_from_passwd.py
post-install:
- ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf-dist
- [ -f ${PREFIX}/etc/denyhosts.conf ] || \
- ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf
-.if !defined(NOPORTDOCS)
- @${MKDIR} ${DOCSDIR}
-. for f in ${PORTDOCS}
- ${INSTALL_DATA} ${WRKSRC}/${f} ${DOCSDIR}
-. endfor
-.endif
- @${CAT} ${PKGMESSAGE}
+ ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist \
+ ${STAGEDIR}${PREFIX}/etc/denyhosts.conf-dist
+ @${MKDIR} ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/|} ${STAGEDIR}${DOCSDIR}
+
.include <bsd.port.mk>
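Review bot: The `-i ''` on the second REINPLACE_CMD call in post-patch deserves a comment, because REINPLACE_CMD already carries its own in-place flag and the extra argument presumably exists only to keep a `.bak` copy out of `${WRKSRC}/scripts`, which the plist installs verbatim into `%%DATADIR%%/scripts`; a line such as `# no .bak suffix: scripts/ is installed as-is into DATADIR` above it would save the next maintainer a trip to bsd.port.mk. The removed `[ -f ${PREFIX}/etc/denyhosts.conf ] || ${INSTALL_DATA} …` step has no counterpart in the new post-install, so the first-install copy of the config now rests entirely on the `@exec [ -f %B/denyhosts.conf ] || cp -f %B/%f %B/denyhosts.conf` line in pkg-plist; worth stating in the commit message so the two files are kept in step. The nologin substitution is also applied to restricted_from_invalid.py although only restricted_from_passwd.py is known (from the patch file this change deletes) to contain that path; harmless if intentional, but a reader cannot tell.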
Index: denyhosts/files/patch-DenyHosts__regex.py
===================================================================
--- denyhosts/files/patch-DenyHosts__regex.py (working copy)
+++ denyhosts/files/patch-DenyHosts__regex.py (working copy)
@@ -1,11 +1,44 @@
---- DenyHosts/regex.py.orig Sat Jun 23 14:32:34 2007
-+++ DenyHosts/regex.py Sat Jun 23 14:32:58 2007
-@@ -17,7 +17,7 @@
+# Patch shaped from http://seclists.org/oss-sec/2013/q4/535
+===================================================================
+--- ./DenyHosts/regex.py.orig 2006-12-07 20:47:04.000000000 +0100
++++ ./DenyHosts/regex.py 2013-12-23 17:17:42.000000000 +0100
+@@ -6,22 +6,22 @@
- FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
+ #DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
+-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
++SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
+ #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
+
+-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+
+-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+
+-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX3 = None
+
+-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
++FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
+
-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
-+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
- FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
++FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
+
+
+ # these are reserved for future versions
+@@ -42,7 +42,7 @@
+ FAILED_ENTRY_REGEX_MAP[i] = rx
+
+
+-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+
+ TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")
+
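Review bot: The `$` placed directly after the host group in FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2, FAILED_ENTRY_REGEX6 and SUCCESSFUL_ENTRY_REGEX assumes the IP address is the last token on the line; OpenSSH's auth log normally appends ` port N ssh2` after the address, and if DenyHosts does not strip that suffix before matching, these lines will silently stop matching and no host will ever be denied, which is a fail-open regression rather than a hardening. Allowing the suffix while keeping the anchor, e.g. `(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$`, preserves the fix; a quick check against a captured `Failed password … from … port … ssh2` line would settle whether the suffix reaches the regex. Setting `FAILED_ENTRY_REGEX3 = None` relies on the loop below (`FAILED_ENTRY_REGEX_MAP[i] = rx`) and its consumers tolerating None the same way they do for the reserved slots mentioned in the `# these are reserved for future versions` context; that looks intended but is worth confirming, since the rest of that loop is outside the hunk. SSHD_FORMAT_REGEX still opens with an unanchored `.*?` followed by `sshd.*?:`, so matching remains super-linear in the worst case on long lines; the anchors on the per-message regexes reduce the cost but do not bound it, so a maximum line length check upstream of the matcher would be a cheaper complement.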
Property changes on: denyhosts/files/patch-DenyHosts__regex.py
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: denyhosts/files/patch-DenyHosts_regex.py
===================================================================
--- denyhosts/files/patch-DenyHosts_regex.py (revision 337257)
+++ denyhosts/files/patch-DenyHosts_regex.py (working copy)
@@ -1,11 +0,0 @@
---- DenyHosts/regex.py.orig Sat Jun 23 14:32:34 2007
-+++ DenyHosts/regex.py Sat Jun 23 14:32:58 2007
-@@ -17,7 +17,7 @@
-
- FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
-
--FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
-+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
-
- FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-
Index: denyhosts/files/patch-scripts_restrited-from-passwd.py
===================================================================
--- denyhosts/files/patch-scripts_restrited-from-passwd.py (revision 337257)
+++ denyhosts/files/patch-scripts_restrited-from-passwd.py (working copy)
@@ -1,11 +0,0 @@
---- scripts/restricted_from_passwd.py.orig 2008-11-26 12:06:31.231726279 -0500
-+++ scripts/restricted_from_passwd.py 2008-11-26 12:06:36.696728675 -0500
-@@ -11,7 +11,7 @@
- #
- ############################################################################
-
--RESTRICTED_SHELLS = ("/sbin/nologin",
-+RESTRICTED_SHELLS = ("/usr/sbin/nologin",
- "/sbin/shutdown",
- "/sbin/halt")
-
Index: denyhosts/pkg-descr
===================================================================
--- denyhosts/pkg-descr (revision 337257)
+++ denyhosts/pkg-descr (working copy)
@@ -18,4 +18,4 @@
- Optionally sends an email of newly banned hosts and suspicious logins.
- Resolves IP addresses to hostnames, if you want
-WWW: http://denyhosts.sourceforge.net/
+WWW: http://denyhosts.sourceforge.net/
Index: denyhosts/pkg-plist
===================================================================
--- denyhosts/pkg-plist (revision 337257)
+++ denyhosts/pkg-plist (working copy)
@@ -2,79 +2,79 @@
@unexec if cmp -s %D/etc/denyhosts.conf %D/etc/denyhosts.conf-dist; then rm -f %D/etc/denyhosts.conf; fi
etc/denyhosts.conf-dist
@exec [ -f %B/denyhosts.conf ] || cp -f %B/%f %B/denyhosts.conf
-%%DATADIR%%/daemon-control-dist
-%%DATADIR%%/denyhosts.cfg-dist
-%%DATADIR%%/setup.py
-%%DATADIR%%/scripts/restricted_from_invalid.py
-%%DATADIR%%/scripts/restricted_from_passwd.py
-%%DATADIR%%/plugins/README.contrib
-%%DATADIR%%/plugins/shorewall_allow.sh
-%%DATADIR%%/plugins/shorewall_deny.sh
-%%DATADIR%%/plugins/test_deny.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/constants.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/counter.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyo
%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.py
%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/version.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyo
%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.py
%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/util.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyo
%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.py
%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyo
%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.py
%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/constants.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/report.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyo
%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.py
%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/counter.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyo
%%PYTHON_SITELIBDIR%%/DenyHosts/regex.py
%%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/report.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyo
%%PYTHON_SITELIBDIR%%/DenyHosts/sync.py
%%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyo
-%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.py
-%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyc
-%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyo
- at dirrm %%PYTHON_SITELIBDIR%%/DenyHosts
+%%PYTHON_SITELIBDIR%%/DenyHosts/util.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyo
+%%PYTHON_SITELIBDIR%%/DenyHosts/version.py
+%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyc
+%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyo
+%%DATADIR%%/daemon-control-dist
+%%DATADIR%%/denyhosts.cfg-dist
+%%DATADIR%%/plugins/README.contrib
+%%DATADIR%%/plugins/shorewall_allow.sh
+%%DATADIR%%/plugins/shorewall_deny.sh
+%%DATADIR%%/plugins/test_deny.py
+%%DATADIR%%/scripts/restricted_from_invalid.py
+%%DATADIR%%/scripts/restricted_from_passwd.py
+%%DATADIR%%/setup.py
@dirrm %%DATADIR%%/scripts
@dirrm %%DATADIR%%/plugins
@dirrm %%DATADIR%%
+ at dirrm %%PYTHON_SITELIBDIR%%/DenyHosts
--- denyhosts.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: