- Use /var/run/fail2ban instead of /tmp for temp files in

actions: see bugs.debian.org/544232, bnc#690853, CVE-2009-5023 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=11
2011-09-01 14:09:21 +00:00 · 2011-09-01 14:09:21 +00:00 · f2a704eb1b
commit f2a704eb1b
parent c313144d04
3 changed files with 71 additions and 2 deletions
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Sep  1 14:07:28 UTC 2011 - coolo@suse.com
+
+- Use /var/run/fail2ban instead of /tmp for temp files in 
+  actions: see bugs.debian.org/544232, bnc#690853,
+  CVE-2009-5023
+
 -------------------------------------------------------------------
 Thu Jan  6 16:56:30 UTC 2011 - lchiquitto@novell.com

--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,7 +1,7 @@
 #
 # spec file for package fail2ban (Version 0.8.4)
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -26,7 +26,7 @@ BuildRequires:  python-devel
 PreReq:         %fillup_prereq
 AutoReqProv:    on
 Version:        0.8.4
-Release:        7
+Release:        8
 Url:            http://www.fail2ban.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
@ -35,6 +35,7 @@ Source0:        http://download.sourceforge.net/sourceforge/fail2ban/%{name}-%{v
 Source1:        %{name}.init
 Source2:        %{name}.sysconfig
 Patch:          fail2ban-0.8.2-fd_cloexec.patch
+Patch1:         fix-tmp-usage.diff

 %description
 Fail2ban scans log files like /var/log/messages and bans IP addresses
@ -53,6 +54,7 @@ Authors:
 %setup
 perl -pi -e 's;/usr/local/;/usr/;g' files/suse-initd
 %patch -p1
+%patch1 -p1

 %build
 export CFLAGS="$RPM_OPT_FLAGS"
--- a/fix-tmp-usage.diff
+++ b/fix-tmp-usage.diff
@ -0,0 +1,60 @@
+From: yarikoptic <yarikoptic@a942ae1a-1317-0410-a47c-b1dcaea8d605>
+Date: Wed, 23 Mar 2011 20:35:56 +0000 (+0000)
+Subject: BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs... 
+X-Git-Tag: upstream/0.8.4+svn20110323^2~8
+X-Git-Url: http://git.onerussian.com/?p=deb%2Ffail2ban.git;a=commitdiff_plain;h=ea7d352616b1e2232fcaa99b11807a86ce29ed8b
+
+BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see bugs.debian.org/544232
+
+It should be robust since /var/run/fail2ban is guaranteed to exist to carry the
+socket file, and it will be owned by root (or some other dedicated fail2ban
+user) thus avoiding possibility for the exploit
+
+git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@767 a942ae1a-1317-0410-a47c-b1dcaea8d605
+---
+
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index b80698b..8549a55 100644
+--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
+@@ -206,5 +206,5 @@ dest = reports@dshield.org
+ # Notes.:  Base name of temporary files used for buffering
+ # Values:  [ STRING ]  Default: /tmp/fail2ban-dshield
+ #
+-tmpfile = /tmp/fail2ban-dshield
+tmpfile = /var/run/fail2ban/tmp-dshield
+ 
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 8a33d0e..6fd51d2 100644
+--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
+@@ -81,7 +81,7 @@ lines = 5
+ 
+ # Default temporary file
+ #
+-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt
+ 
+ # Destination/Addressee of the mail
+ #
+diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf
+index 15b91b1..f0e5515 100644
+--- a/config/action.d/mynetwatchman.conf
+++ b/config/action.d/mynetwatchman.conf
+@@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp
+ # Notes.:  Base name of temporary files
+ # Values:  [ STRING ]  Default: /tmp/fail2ban-mynetwatchman
+ #
+-tmpfile = /tmp/fail2ban-mynetwatchman
+tmpfile = /var/run/fail2ban/tmp-mynetwatchman
+diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf
+index de8166a..25a23b7 100644
+--- a/config/action.d/sendmail-buffered.conf
+++ b/config/action.d/sendmail-buffered.conf
+@@ -101,5 +101,5 @@ lines = 5
+ 
+ # Default temporary file
+ #
+-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt
+