Accepting request 333139 from security

1 OBS-URL: https://build.opensuse.org/request/show/333139 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=41
2015-09-24 04:16:01 +00:00 · 2015-09-24 04:16:01 +00:00 · ca370fae5a
commit ca370fae5a
parent fbd912c6a2 c876389bbe
4 changed files with 136 additions and 100 deletions
--- a/fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
+++ b/fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
@ -1,86 +0,0 @@
-diff -ur fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py
--- fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py	2015-08-01 03:32:13.000000000 +0200
-+++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py	2015-09-07 08:37:30.842249270 +0200
-@@ -204,44 +204,44 @@
- 			or self._is_logged('sleep 60 -- timed out after 3 seconds'))
- 		self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM'))
- 
-	def testExecuteTimeoutWithNastyChildren(self):
-		# temporary file for a nasty kid shell script
-		tmpFilename = tempfile.mktemp(".sh", "fail2ban_")
-		# Create a nasty script which would hang there for a while
-		with open(tmpFilename, 'w') as f:
-			f.write("""#!/bin/bash
-		trap : HUP EXIT TERM
-
-		echo "$$" > %s.pid
-		echo "my pid $$ . sleeping lo-o-o-ong"
-		sleep 10000
-		""" % tmpFilename)
-
-		def getnastypid():
-			with open(tmpFilename + '.pid') as f:
-				return int(f.read())
-
-		# First test if can kill the bastard
-		self.assertRaises(
-			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
-		# Verify that the proccess itself got killed
-		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
-		self.assertTrue(self._is_logged('timed out'))
-		self.assertTrue(self._is_logged('killed with SIGTERM'))
-
-		# A bit evolved case even though, previous test already tests killing children processes
-		self.assertRaises(
-			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
-			timeout=.2)
-		# Verify that the proccess itself got killed
-		self.assertFalse(pid_exists(getnastypid()))
-		self.assertTrue(self._is_logged('timed out'))
-		self.assertTrue(self._is_logged('killed with SIGTERM'))
-
-		os.unlink(tmpFilename)
-		os.unlink(tmpFilename + '.pid')
-
-
-+#	def testExecuteTimeoutWithNastyChildren(self):
-+#		# temporary file for a nasty kid shell script
-+#		tmpFilename = tempfile.mktemp(".sh", "fail2ban_")
-+#		# Create a nasty script which would hang there for a while
-+#		with open(tmpFilename, 'w') as f:
-+#			f.write("""#!/bin/bash
-+#		trap : HUP EXIT TERM
-+#
-+#		echo "$$" > %s.pid
-+#		echo "my pid $$ . sleeping lo-o-o-ong"
-+#		sleep 10000
-+#		""" % tmpFilename)
-+#
-+#		def getnastypid():
-+#			with open(tmpFilename + '.pid') as f:
-+#				return int(f.read())
-+#
-+#		# First test if can kill the bastard
-+#		self.assertRaises(
-+#			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
-+#		# Verify that the proccess itself got killed
-+#		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
-+#		self.assertTrue(self._is_logged('timed out'))
-+#		self.assertTrue(self._is_logged('killed with SIGTERM'))
-+#
-+#		# A bit evolved case even though, previous test already tests killing children processes
-+#		self.assertRaises(
-+#			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
-+#			timeout=.2)
-+#		# Verify that the proccess itself got killed
-+#		self.assertFalse(pid_exists(getnastypid()))
-+#		self.assertTrue(self._is_logged('timed out'))
-+#		self.assertTrue(self._is_logged('killed with SIGTERM'))
-+#
-+#		os.unlink(tmpFilename)
-+#		os.unlink(tmpFilename + '.pid')
-+#
-+#
- 	def testCaptureStdOutErr(self):
- 		CommandAction.executeCmd('echo "How now brown cow"')
- 		self.assertTrue(self._is_logged("'How now brown cow\\n'"))
--- a/fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+++ b/fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
@ -0,0 +1,120 @@
+Only in fail2ban-0.9.3/: ChangeLog.orig
+diff -ur fail2ban-0.9.3.orig/fail2ban/server/action.py fail2ban-0.9.3/fail2ban/server/action.py
+--- fail2ban-0.9.3.orig/fail2ban/server/action.py	2015-08-01 03:32:13.000000000 +0200
+++ fail2ban-0.9.3/fail2ban/server/action.py	2015-09-23 11:54:38.066927465 +0200
+@@ -560,32 +560,33 @@
+ 			return True
+ 
+ 		_cmd_lock.acquire()
+-		try: # Try wrapped within another try needed for python version < 2.5
+		try:
+			retcode = None  # to guarantee being defined upon early except
+ 			stdout = tempfile.TemporaryFile(suffix=".stdout", prefix="fai2ban_")
+ 			stderr = tempfile.TemporaryFile(suffix=".stderr", prefix="fai2ban_")
+-			try:
+-				popen = subprocess.Popen(
+-					realCmd, stdout=stdout, stderr=stderr, shell=True,
+-					preexec_fn=os.setsid  # so that killpg does not kill our process
+-				)
+-				stime = time.time()
+
+			popen = subprocess.Popen(
+				realCmd, stdout=stdout, stderr=stderr, shell=True,
+				preexec_fn=os.setsid  # so that killpg does not kill our process
+			)
+			stime = time.time()
+			retcode = popen.poll()
+			while time.time() - stime <= timeout and retcode is None:
+				time.sleep(0.1)
+ 				retcode = popen.poll()
+-				while time.time() - stime <= timeout and retcode is None:
+-					time.sleep(0.1)
+-					retcode = popen.poll()
+-				if retcode is None:
+-					logSys.error("%s -- timed out after %i seconds." %
+-						(realCmd, timeout))
+-					pgid = os.getpgid(popen.pid)
+-					os.killpg(pgid, signal.SIGTERM)  # Terminate the process
+			if retcode is None:
+				logSys.error("%s -- timed out after %i seconds." %
+				    (realCmd, timeout))
+				pgid = os.getpgid(popen.pid)
+				os.killpg(pgid, signal.SIGTERM)  # Terminate the process
+				time.sleep(0.1)
+				retcode = popen.poll()
+				if retcode is None:  # Still going...
+					os.killpg(pgid, signal.SIGKILL)  # Kill the process
+ 					time.sleep(0.1)
+ 					retcode = popen.poll()
+-					if retcode is None: # Still going...
+-						os.killpg(pgid, signal.SIGKILL)  # Kill the process
+-						time.sleep(0.1)
+-						retcode = popen.poll()
+-			except OSError, e:
+-				logSys.error("%s -- failed with %s" % (realCmd, e))
+		except OSError as e:
+			logSys.error("%s -- failed with %s" % (realCmd, e))
+ 		finally:
+ 			_cmd_lock.release()
+ 
+@@ -603,15 +604,16 @@
+ 			return True
+ 		elif retcode is None:
+ 			logSys.error("%s -- unable to kill PID %i" % (realCmd, popen.pid))
+-		elif retcode < 0:
+-			logSys.error("%s -- killed with %s" %
+-				(realCmd, signame.get(-retcode, "signal %i" % -retcode)))
+		elif retcode < 0 or retcode > 128:
+			# dash would return negative while bash 128 + n
+			sigcode = -retcode if retcode < 0 else retcode - 128
+			logSys.error("%s -- killed with %s (return code: %s)" %
+				(realCmd, signame.get(sigcode, "signal %i" % sigcode), retcode))
+ 		else:
+ 			msg = _RETCODE_HINTS.get(retcode, None)
+ 			logSys.error("%s -- returned %i" % (realCmd, retcode))
+ 			if msg:
+ 				logSys.info("HINT on %i: %s"
+ 							% (retcode, msg % locals()))
+-			return False
+-		raise RuntimeError("Command execution failed: %s" % realCmd)
+		return False
+ 
+diff -ur fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py
+--- fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py	2015-08-01 03:32:13.000000000 +0200
+++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py	2015-09-23 11:54:38.074927626 +0200
+@@ -196,11 +196,10 @@
+ 	def testExecuteTimeout(self):
+ 		stime = time.time()
+ 		# Should take a minute
+-		self.assertRaises(
+-			RuntimeError, CommandAction.executeCmd, 'sleep 60', timeout=2)
+		self.assertFalse(CommandAction.executeCmd('sleep 60', timeout=2))
+ 		# give a test still 1 second, because system could be too busy
+ 		self.assertTrue(time.time() >= stime + 2 and time.time() <= stime + 3)
+-		self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds') 
+		self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds')
+ 			or self._is_logged('sleep 60 -- timed out after 3 seconds'))
+ 		self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM'))
+ 
+@@ -222,17 +221,16 @@
+ 				return int(f.read())
+ 
+ 		# First test if can kill the bastard
+-		self.assertRaises(
+-			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
+		self.assertFalse(CommandAction.executeCmd(
+		                 'bash %s' % tmpFilename, timeout=.1))
+ 		# Verify that the proccess itself got killed
+ 		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
+ 		self.assertTrue(self._is_logged('timed out'))
+ 		self.assertTrue(self._is_logged('killed with SIGTERM'))
+ 
+ 		# A bit evolved case even though, previous test already tests killing children processes
+-		self.assertRaises(
+-			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
+-			timeout=.2)
+		self.assertFalse(CommandAction.executeCmd(
+			'out=`bash %s`; echo ALRIGHT' % tmpFilename, timeout=.2))
+ 		# Verify that the proccess itself got killed
+ 		self.assertFalse(pid_exists(getnastypid()))
+ 		self.assertTrue(self._is_logged('timed out'))
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Sep 23 10:10:17 UTC 2015 - jweberhofer@weberhofer.at
+
+- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+  to fix the former failing test and removed
+  fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
+
+- Do not longer create test-package. Developers should not use the packaged
+  version of fail2ban.
+
 -------------------------------------------------------------------
 Mon Sep  7 09:45:56 UTC 2015 - jweberhofer@weberhofer.at

--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -37,8 +37,8 @@ Source200:      %{name}-rpmlintrc
 Patch100:       fail2ban-opensuse-locations.patch
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
 Patch101:       fail2ban-opensuse-service.patch
-# PATCH-FIX-OPENSUSE fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch jweberhofer@weberhofer.at -- disable test which currently fails on some systems
-Patch102:       fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
+# PATCH-FIX-UPSTREAM fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch jweberhofer@weberhofer.at -- fix failing test
+Patch102:       fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
 # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
 Patch200:       fail2ban-disable-iptables-w-option.patch
 # PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberhofer@weberhofer.at -- remove tests that can't work on opensuse < 13.3
@ -82,13 +82,6 @@ reject the IP address, can send e-mails, or set host.deny entries.  These rules
 can be defined by the user. Fail2Ban can read multiple log files such as sshd
 or Apache web server ones.

-%package tests
-Summary:        Test-cases for fail2ban
-Group:          System/Monitoring
-
-%description tests
-This package contains fail2ban's testcases
-
 %package -n SuSEfirewall2-fail2ban
 Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
 Group:          Productivity/Networking/Security
@ -265,6 +258,10 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
 %{_mandir}/man5/*
 %doc README.md TODO ChangeLog COPYING doc/*.txt

+# do not include tests as they are executed during the build process
+%exclude %{_bindir}/fail2ban-testcases
+%exclude %{python_sitelib}/%{name}/tests
+
 %if 0%{?_unitdir:1}
 %files -n SuSEfirewall2-fail2ban
 %defattr(-,root,root)
@ -272,11 +269,6 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
 %{_unitdir}/fail2ban.service.d
 %endif

-%files tests
-%defattr(-,root,root)
-%{_bindir}/fail2ban-testcases
-%{python_sitelib}/%{name}/tests
-
 %files -n nagios-plugins-fail2ban
 %defattr(-,root,root)
 %doc files/nagios/README COPYING