Accepting request 333139 from security

1 OBS-URL: https://build.opensuse.org/request/show/333139 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=41
2015-09-24 04:16:01 +00:00 · 2015-09-24 04:16:01 +00:00 · ca370fae5a
commit ca370fae5a
parent fbd912c6a2 c876389bbe
4 changed files with 136 additions and 100 deletions
--- a/fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
+++ b/fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
@ -1,86 +0,0 @@
 diff -ur fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py
 --- fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py	2015-08-01 03:32:13.000000000 +0200
 +++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py	2015-09-07 08:37:30.842249270 +0200
@@ -204,44 +204,44 @@
 			or self._is_logged('sleep 60 -- timed out after 3 seconds'))
 		self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM'))
 -	def testExecuteTimeoutWithNastyChildren(self):
 -		# temporary file for a nasty kid shell script
 -		tmpFilename = tempfile.mktemp(".sh", "fail2ban_")
 -		# Create a nasty script which would hang there for a while
 -		with open(tmpFilename, 'w') as f:
 -			f.write("""#!/bin/bash
 -		trap : HUP EXIT TERM
 -
 -		echo "$$" > %s.pid
 -		echo "my pid $$ . sleeping lo-o-o-ong"
 -		sleep 10000
 -		""" % tmpFilename)
 -
 -		def getnastypid():
 -			with open(tmpFilename + '.pid') as f:
 -				return int(f.read())
 -
 -		# First test if can kill the bastard
 -		self.assertRaises(
 -			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
 -		# Verify that the proccess itself got killed
 -		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
 -		self.assertTrue(self._is_logged('timed out'))
 -		self.assertTrue(self._is_logged('killed with SIGTERM'))
 -
 -		# A bit evolved case even though, previous test already tests killing children processes
 -		self.assertRaises(
 -			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
 -			timeout=.2)
 -		# Verify that the proccess itself got killed
 -		self.assertFalse(pid_exists(getnastypid()))
 -		self.assertTrue(self._is_logged('timed out'))
 -		self.assertTrue(self._is_logged('killed with SIGTERM'))
 -
 -		os.unlink(tmpFilename)
 -		os.unlink(tmpFilename + '.pid')
 -
 -
 +#	def testExecuteTimeoutWithNastyChildren(self):
 +#		# temporary file for a nasty kid shell script
 +#		tmpFilename = tempfile.mktemp(".sh", "fail2ban_")
 +#		# Create a nasty script which would hang there for a while
 +#		with open(tmpFilename, 'w') as f:
 +#			f.write("""#!/bin/bash
 +#		trap : HUP EXIT TERM
 +#
 +#		echo "$$" > %s.pid
 +#		echo "my pid $$ . sleeping lo-o-o-ong"
 +#		sleep 10000
 +#		""" % tmpFilename)
 +#
 +#		def getnastypid():
 +#			with open(tmpFilename + '.pid') as f:
 +#				return int(f.read())
 +#
 +#		# First test if can kill the bastard
 +#		self.assertRaises(
 +#			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
 +#		# Verify that the proccess itself got killed
 +#		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
 +#		self.assertTrue(self._is_logged('timed out'))
 +#		self.assertTrue(self._is_logged('killed with SIGTERM'))
 +#
 +#		# A bit evolved case even though, previous test already tests killing children processes
 +#		self.assertRaises(
 +#			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
 +#			timeout=.2)
 +#		# Verify that the proccess itself got killed
 +#		self.assertFalse(pid_exists(getnastypid()))
 +#		self.assertTrue(self._is_logged('timed out'))
 +#		self.assertTrue(self._is_logged('killed with SIGTERM'))
 +#
 +#		os.unlink(tmpFilename)
 +#		os.unlink(tmpFilename + '.pid')
 +#
 +#
 	def testCaptureStdOutErr(self):
 		CommandAction.executeCmd('echo "How now brown cow"')
 		self.assertTrue(self._is_logged("'How now brown cow\\n'"))
--- a/fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+++ b/fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
@ -0,0 +1,120 @@
 Only in fail2ban-0.9.3/: ChangeLog.orig
 diff -ur fail2ban-0.9.3.orig/fail2ban/server/action.py fail2ban-0.9.3/fail2ban/server/action.py
 --- fail2ban-0.9.3.orig/fail2ban/server/action.py	2015-08-01 03:32:13.000000000 +0200
 +++ fail2ban-0.9.3/fail2ban/server/action.py	2015-09-23 11:54:38.066927465 +0200
@@ -560,32 +560,33 @@
 			return True
 		_cmd_lock.acquire()
 -		try: # Try wrapped within another try needed for python version < 2.5
 +		try:
 +			retcode = None  # to guarantee being defined upon early except
 			stdout = tempfile.TemporaryFile(suffix=".stdout", prefix="fai2ban_")
 			stderr = tempfile.TemporaryFile(suffix=".stderr", prefix="fai2ban_")
 -			try:
 -				popen = subprocess.Popen(
 -					realCmd, stdout=stdout, stderr=stderr, shell=True,
 -					preexec_fn=os.setsid  # so that killpg does not kill our process
 -				)
 -				stime = time.time()
 +
 +			popen = subprocess.Popen(
 +				realCmd, stdout=stdout, stderr=stderr, shell=True,
 +				preexec_fn=os.setsid  # so that killpg does not kill our process
 +			)
 +			stime = time.time()
 +			retcode = popen.poll()
 +			while time.time() - stime <= timeout and retcode is None:
 +				time.sleep(0.1)
 				retcode = popen.poll()
 -				while time.time() - stime <= timeout and retcode is None:
 -					time.sleep(0.1)
 -					retcode = popen.poll()
 -				if retcode is None:
 -					logSys.error("%s -- timed out after %i seconds." %
 -						(realCmd, timeout))
 -					pgid = os.getpgid(popen.pid)
 -					os.killpg(pgid, signal.SIGTERM)  # Terminate the process
 +			if retcode is None:
 +				logSys.error("%s -- timed out after %i seconds." %
 +				    (realCmd, timeout))
 +				pgid = os.getpgid(popen.pid)
 +				os.killpg(pgid, signal.SIGTERM)  # Terminate the process
 +				time.sleep(0.1)
 +				retcode = popen.poll()
 +				if retcode is None:  # Still going...
 +					os.killpg(pgid, signal.SIGKILL)  # Kill the process
 					time.sleep(0.1)
 					retcode = popen.poll()
 -					if retcode is None: # Still going...
 -						os.killpg(pgid, signal.SIGKILL)  # Kill the process
 -						time.sleep(0.1)
 -						retcode = popen.poll()
 -			except OSError, e:
 -				logSys.error("%s -- failed with %s" % (realCmd, e))
 +		except OSError as e:
 +			logSys.error("%s -- failed with %s" % (realCmd, e))
 		finally:
 			_cmd_lock.release()
@@ -603,15 +604,16 @@
 			return True
 		elif retcode is None:
 			logSys.error("%s -- unable to kill PID %i" % (realCmd, popen.pid))
 -		elif retcode < 0:
 -			logSys.error("%s -- killed with %s" %
 -				(realCmd, signame.get(-retcode, "signal %i" % -retcode)))
 +		elif retcode < 0 or retcode > 128:
 +			# dash would return negative while bash 128 + n
 +			sigcode = -retcode if retcode < 0 else retcode - 128
 +			logSys.error("%s -- killed with %s (return code: %s)" %
 +				(realCmd, signame.get(sigcode, "signal %i" % sigcode), retcode))
 		else:
 			msg = _RETCODE_HINTS.get(retcode, None)
 			logSys.error("%s -- returned %i" % (realCmd, retcode))
 			if msg:
 				logSys.info("HINT on %i: %s"
 							% (retcode, msg % locals()))
 -			return False
 -		raise RuntimeError("Command execution failed: %s" % realCmd)
 +		return False
 diff -ur fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py
 --- fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py	2015-08-01 03:32:13.000000000 +0200
 +++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py	2015-09-23 11:54:38.074927626 +0200
@@ -196,11 +196,10 @@
 	def testExecuteTimeout(self):
 		stime = time.time()
 		# Should take a minute
 -		self.assertRaises(
 -			RuntimeError, CommandAction.executeCmd, 'sleep 60', timeout=2)
 +		self.assertFalse(CommandAction.executeCmd('sleep 60', timeout=2))
 		# give a test still 1 second, because system could be too busy
 		self.assertTrue(time.time() >= stime + 2 and time.time() <= stime + 3)
 -		self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds') 
 +		self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds')
 			or self._is_logged('sleep 60 -- timed out after 3 seconds'))
 		self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM'))
@@ -222,17 +221,16 @@
 				return int(f.read())
 		# First test if can kill the bastard
 -		self.assertRaises(
 -			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
 +		self.assertFalse(CommandAction.executeCmd(
 +		                 'bash %s' % tmpFilename, timeout=.1))
 		# Verify that the proccess itself got killed
 		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
 		self.assertTrue(self._is_logged('timed out'))
 		self.assertTrue(self._is_logged('killed with SIGTERM'))
 		# A bit evolved case even though, previous test already tests killing children processes
 -		self.assertRaises(
 -			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
 -			timeout=.2)
 +		self.assertFalse(CommandAction.executeCmd(
 +			'out=`bash %s`; echo ALRIGHT' % tmpFilename, timeout=.2))
 		# Verify that the proccess itself got killed
 		self.assertFalse(pid_exists(getnastypid()))
 		self.assertTrue(self._is_logged('timed out'))
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,13 @@
 -------------------------------------------------------------------
 Wed Sep 23 10:10:17 UTC 2015 - jweberhofer@weberhofer.at
 - Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
  to fix the former failing test and removed
  fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
 - Do not longer create test-package. Developers should not use the packaged
  version of fail2ban.
 -------------------------------------------------------------------
 Mon Sep  7 09:45:56 UTC 2015 - jweberhofer@weberhofer.at
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -37,8 +37,8 @@ Source200:      %{name}-rpmlintrc
 Patch100:       fail2ban-opensuse-locations.patch
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
 Patch101:       fail2ban-opensuse-service.patch
-# PATCH-FIX-OPENSUSE fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch jweberhofer@weberhofer.at -- disable test which currently fails on some systems
+# PATCH-FIX-UPSTREAM fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch jweberhofer@weberhofer.at -- fix failing test
-Patch102:       fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
+Patch102:       fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
 # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
 Patch200:       fail2ban-disable-iptables-w-option.patch
 # PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberhofer@weberhofer.at -- remove tests that can't work on opensuse < 13.3
@ -82,13 +82,6 @@ reject the IP address, can send e-mails, or set host.deny entries.  These rules
 can be defined by the user. Fail2Ban can read multiple log files such as sshd
 or Apache web server ones.
 %package tests
 Summary:        Test-cases for fail2ban
 Group:          System/Monitoring
 %description tests
 This package contains fail2ban's testcases
 %package -n SuSEfirewall2-fail2ban
 Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
 Group:          Productivity/Networking/Security
@ -265,6 +258,10 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
 %{_mandir}/man5/*
 %doc README.md TODO ChangeLog COPYING doc/*.txt
 # do not include tests as they are executed during the build process
 %exclude %{_bindir}/fail2ban-testcases
 %exclude %{python_sitelib}/%{name}/tests
 %if 0%{?_unitdir:1}
 %files -n SuSEfirewall2-fail2ban
 %defattr(-,root,root)
@ -272,11 +269,6 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
 %{_unitdir}/fail2ban.service.d
 %endif
 %files tests
 %defattr(-,root,root)
 %{_bindir}/fail2ban-testcases
 %{python_sitelib}/%{name}/tests
 %files -n nagios-plugins-fail2ban
 %defattr(-,root,root)
 %doc files/nagios/README COPYING