Accepting request 333138 from home:weberho:branches:security

- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
  to fix the former failing test and removed
  fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
- Do not longer create test-package. Developers should not use the packaged
  version of fail2ban.

OBS-URL: https://build.opensuse.org/request/show/333138
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=65

fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch

@@ -1,86 +0,0 @@
-diff -ur fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py
---- fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py	2015-08-01 03:32:13.000000000 +0200
-+++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py	2015-09-07 08:37:30.842249270 +0200
-@@ -204,44 +204,44 @@
- 			or self._is_logged('sleep 60 -- timed out after 3 seconds'))
- 		self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM'))
- 
--	def testExecuteTimeoutWithNastyChildren(self):
--		# temporary file for a nasty kid shell script
--		tmpFilename = tempfile.mktemp(".sh", "fail2ban_")
--		# Create a nasty script which would hang there for a while
--		with open(tmpFilename, 'w') as f:
--			f.write("""#!/bin/bash
--		trap : HUP EXIT TERM
--
--		echo "$$" > %s.pid
--		echo "my pid $$ . sleeping lo-o-o-ong"
--		sleep 10000
--		""" % tmpFilename)
--
--		def getnastypid():
--			with open(tmpFilename + '.pid') as f:
--				return int(f.read())
--
--		# First test if can kill the bastard
--		self.assertRaises(
--			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
--		# Verify that the proccess itself got killed
--		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
--		self.assertTrue(self._is_logged('timed out'))
--		self.assertTrue(self._is_logged('killed with SIGTERM'))
--
--		# A bit evolved case even though, previous test already tests killing children processes
--		self.assertRaises(
--			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
--			timeout=.2)
--		# Verify that the proccess itself got killed
--		self.assertFalse(pid_exists(getnastypid()))
--		self.assertTrue(self._is_logged('timed out'))
--		self.assertTrue(self._is_logged('killed with SIGTERM'))
--
--		os.unlink(tmpFilename)
--		os.unlink(tmpFilename + '.pid')
--
--
-+#	def testExecuteTimeoutWithNastyChildren(self):
-+#		# temporary file for a nasty kid shell script
-+#		tmpFilename = tempfile.mktemp(".sh", "fail2ban_")
-+#		# Create a nasty script which would hang there for a while
-+#		with open(tmpFilename, 'w') as f:
-+#			f.write("""#!/bin/bash
-+#		trap : HUP EXIT TERM
-+#
-+#		echo "$$" > %s.pid
-+#		echo "my pid $$ . sleeping lo-o-o-ong"
-+#		sleep 10000
-+#		""" % tmpFilename)
-+#
-+#		def getnastypid():
-+#			with open(tmpFilename + '.pid') as f:
-+#				return int(f.read())
-+#
-+#		# First test if can kill the bastard
-+#		self.assertRaises(
-+#			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
-+#		# Verify that the proccess itself got killed
-+#		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
-+#		self.assertTrue(self._is_logged('timed out'))
-+#		self.assertTrue(self._is_logged('killed with SIGTERM'))
-+#
-+#		# A bit evolved case even though, previous test already tests killing children processes
-+#		self.assertRaises(
-+#			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
-+#			timeout=.2)
-+#		# Verify that the proccess itself got killed
-+#		self.assertFalse(pid_exists(getnastypid()))
-+#		self.assertTrue(self._is_logged('timed out'))
-+#		self.assertTrue(self._is_logged('killed with SIGTERM'))
-+#
-+#		os.unlink(tmpFilename)
-+#		os.unlink(tmpFilename + '.pid')
-+#
-+#
- 	def testCaptureStdOutErr(self):
- 		CommandAction.executeCmd('echo "How now brown cow"')
- 		self.assertTrue(self._is_logged("'How now brown cow\\n'"))

fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch

@@ -0,0 +1,120 @@
+Only in fail2ban-0.9.3/: ChangeLog.orig
+diff -ur fail2ban-0.9.3.orig/fail2ban/server/action.py fail2ban-0.9.3/fail2ban/server/action.py
+--- fail2ban-0.9.3.orig/fail2ban/server/action.py	2015-08-01 03:32:13.000000000 +0200
++++ fail2ban-0.9.3/fail2ban/server/action.py	2015-09-23 11:54:38.066927465 +0200
+@@ -560,32 +560,33 @@
+ 			return True
+ 
+ 		_cmd_lock.acquire()
+-		try: # Try wrapped within another try needed for python version < 2.5
++		try:
++			retcode = None  # to guarantee being defined upon early except
+ 			stdout = tempfile.TemporaryFile(suffix=".stdout", prefix="fai2ban_")
+ 			stderr = tempfile.TemporaryFile(suffix=".stderr", prefix="fai2ban_")
+-			try:
+-				popen = subprocess.Popen(
+-					realCmd, stdout=stdout, stderr=stderr, shell=True,
+-					preexec_fn=os.setsid  # so that killpg does not kill our process
+-				)
+-				stime = time.time()
++
++			popen = subprocess.Popen(
++				realCmd, stdout=stdout, stderr=stderr, shell=True,
++				preexec_fn=os.setsid  # so that killpg does not kill our process
++			)
++			stime = time.time()
++			retcode = popen.poll()
++			while time.time() - stime <= timeout and retcode is None:
++				time.sleep(0.1)
+ 				retcode = popen.poll()
+-				while time.time() - stime <= timeout and retcode is None:
+-					time.sleep(0.1)
+-					retcode = popen.poll()
+-				if retcode is None:
+-					logSys.error("%s -- timed out after %i seconds." %
+-						(realCmd, timeout))
+-					pgid = os.getpgid(popen.pid)
+-					os.killpg(pgid, signal.SIGTERM)  # Terminate the process
++			if retcode is None:
++				logSys.error("%s -- timed out after %i seconds." %
++				    (realCmd, timeout))
++				pgid = os.getpgid(popen.pid)
++				os.killpg(pgid, signal.SIGTERM)  # Terminate the process
++				time.sleep(0.1)
++				retcode = popen.poll()
++				if retcode is None:  # Still going...
++					os.killpg(pgid, signal.SIGKILL)  # Kill the process
+ 					time.sleep(0.1)
+ 					retcode = popen.poll()
+-					if retcode is None: # Still going...
+-						os.killpg(pgid, signal.SIGKILL)  # Kill the process
+-						time.sleep(0.1)
+-						retcode = popen.poll()
+-			except OSError, e:
+-				logSys.error("%s -- failed with %s" % (realCmd, e))
++		except OSError as e:
++			logSys.error("%s -- failed with %s" % (realCmd, e))
+ 		finally:
+ 			_cmd_lock.release()
+ 
+@@ -603,15 +604,16 @@
+ 			return True
+ 		elif retcode is None:
+ 			logSys.error("%s -- unable to kill PID %i" % (realCmd, popen.pid))
+-		elif retcode < 0:
+-			logSys.error("%s -- killed with %s" %
+-				(realCmd, signame.get(-retcode, "signal %i" % -retcode)))
++		elif retcode < 0 or retcode > 128:
++			# dash would return negative while bash 128 + n
++			sigcode = -retcode if retcode < 0 else retcode - 128
++			logSys.error("%s -- killed with %s (return code: %s)" %
++				(realCmd, signame.get(sigcode, "signal %i" % sigcode), retcode))
+ 		else:
+ 			msg = _RETCODE_HINTS.get(retcode, None)
+ 			logSys.error("%s -- returned %i" % (realCmd, retcode))
+ 			if msg:
+ 				logSys.info("HINT on %i: %s"
+ 							% (retcode, msg % locals()))
+-			return False
+-		raise RuntimeError("Command execution failed: %s" % realCmd)
++		return False
+ 
+diff -ur fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py
+--- fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py	2015-08-01 03:32:13.000000000 +0200
++++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py	2015-09-23 11:54:38.074927626 +0200
+@@ -196,11 +196,10 @@
+ 	def testExecuteTimeout(self):
+ 		stime = time.time()
+ 		# Should take a minute
+-		self.assertRaises(
+-			RuntimeError, CommandAction.executeCmd, 'sleep 60', timeout=2)
++		self.assertFalse(CommandAction.executeCmd('sleep 60', timeout=2))
+ 		# give a test still 1 second, because system could be too busy
+ 		self.assertTrue(time.time() >= stime + 2 and time.time() <= stime + 3)
+-		self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds') 
++		self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds')
+ 			or self._is_logged('sleep 60 -- timed out after 3 seconds'))
+ 		self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM'))
+ 
+@@ -222,17 +221,16 @@
+ 				return int(f.read())
+ 
+ 		# First test if can kill the bastard
+-		self.assertRaises(
+-			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
++		self.assertFalse(CommandAction.executeCmd(
++		                 'bash %s' % tmpFilename, timeout=.1))
+ 		# Verify that the proccess itself got killed
+ 		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
+ 		self.assertTrue(self._is_logged('timed out'))
+ 		self.assertTrue(self._is_logged('killed with SIGTERM'))
+ 
+ 		# A bit evolved case even though, previous test already tests killing children processes
+-		self.assertRaises(
+-			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
+-			timeout=.2)
++		self.assertFalse(CommandAction.executeCmd(
++			'out=`bash %s`; echo ALRIGHT' % tmpFilename, timeout=.2))
+ 		# Verify that the proccess itself got killed
+ 		self.assertFalse(pid_exists(getnastypid()))
+ 		self.assertTrue(self._is_logged('timed out'))

fail2ban.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Sep 23 10:10:17 UTC 2015 - jweberhofer@weberhofer.at
+
+- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+  to fix the former failing test and removed
+  fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
+
+- Do not longer create test-package. Developers should not use the packaged
+  version of fail2ban.
+
 -------------------------------------------------------------------
 Mon Sep  7 09:45:56 UTC 2015 - jweberhofer@weberhofer.at
 

fail2ban.spec

@@ -37,8 +37,8 @@ Source200:      %{name}-rpmlintrc
 Patch100:       fail2ban-opensuse-locations.patch
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
 Patch101:       fail2ban-opensuse-service.patch
-# PATCH-FIX-OPENSUSE fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch jweberhofer@weberhofer.at -- disable test which currently fails on some systems
-Patch102:       fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
+# PATCH-FIX-UPSTREAM fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch jweberhofer@weberhofer.at -- fix failing test
+Patch102:       fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
 # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
 Patch200:       fail2ban-disable-iptables-w-option.patch
 # PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberhofer@weberhofer.at -- remove tests that can't work on opensuse < 13.3
@@ -82,13 +82,6 @@ reject the IP address, can send e-mails, or set host.deny entries.  These rules
 can be defined by the user. Fail2Ban can read multiple log files such as sshd
 or Apache web server ones.
 
-%package tests
-Summary:        Test-cases for fail2ban
-Group:          System/Monitoring
-
-%description tests
-This package contains fail2ban's testcases
-
 %package -n SuSEfirewall2-fail2ban
 Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
 Group:          Productivity/Networking/Security
@@ -265,6 +258,10 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
 %{_mandir}/man5/*
 %doc README.md TODO ChangeLog COPYING doc/*.txt
 
+# do not include tests as they are executed during the build process
+%exclude %{_bindir}/fail2ban-testcases
+%exclude %{python_sitelib}/%{name}/tests
+
 %if 0%{?_unitdir:1}
 %files -n SuSEfirewall2-fail2ban
 %defattr(-,root,root)
@@ -272,11 +269,6 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
 %{_unitdir}/fail2ban.service.d
 %endif
 
-%files tests
-%defattr(-,root,root)
-%{_bindir}/fail2ban-testcases
-%{python_sitelib}/%{name}/tests
-
 %files -n nagios-plugins-fail2ban
 %defattr(-,root,root)
 %doc files/nagios/README COPYING