denyhosts: security fix cve-2013-6890

2014-04-22 01:15:44 +10:00 · 2014-04-22 01:15:44 +10:00 · ec7cb6c098
commit ec7cb6c098
parent 85d8efa346
6 changed files with 144 additions and 2 deletions
--- a/denyhosts/.md5sum
+++ b/denyhosts/.md5sum
@ -1,2 +1,6 @@
 fc2365305a9402886a2b0173d1beb7df  DenyHosts-2.6.tar.gz
 a0abe102add4420e766cc90d0709f425  denyhosts-2.6-config.patch
+67e0d788356f9f7183c217a2eae71bf1  denyhosts-2.6-cve-2013-6890.patch
+79abdfcd7ce0859f2f3f134598a89209  denyhosts-2.6-log-injection-regex.patch
+6ed4e279640b8a5c0c04dd4193ac15e2  denyhosts-2.6-plugin_deny.patch
+dfd91828e48d97af2e77e009c67c4754  denyhosts-2.6-single_config_switch.patch
--- a/denyhosts/Pkgfile
+++ b/denyhosts/Pkgfile
@ -6,13 +6,23 @@

 name=denyhosts
 version=2.6
-release=1
+release=2
 source=(http://downloads.sourceforge.net/project/$name/$name/$version/DenyHosts-$version.tar.gz
-	denyhosts-$version-config.patch)
+	denyhosts-$version-config.patch
+	denyhosts-2.6-cve-2013-6890.patch
+	denyhosts-2.6-log-injection-regex.patch
+	denyhosts-2.6-single_config_switch.patch
+	denyhosts-2.6-plugin_deny.patch)

 build() {
 	cd DenyHosts-$version
+
 	patch -p0 -i $SRC/$name-$version-config.patch
+	patch -p1 -i $SRC/denyhosts-2.6-log-injection-regex.patch
+	patch -p1 -i $SRC/denyhosts-2.6-single_config_switch.patch
+	patch -p1 -i $SRC/denyhosts-2.6-plugin_deny.patch
+	patch -p1 -i $SRC/denyhosts-2.6-cve-2013-6890.patch
+
 	/usr/bin/python setup.py install --root=$PKG
 	
 	rm $PKG/usr/share/denyhosts/*.txt
--- a/denyhosts/denyhosts-2.6-cve-2013-6890.patch
+++ b/denyhosts/denyhosts-2.6-cve-2013-6890.patch
@ -0,0 +1,60 @@
+Subject: address remote denial of service CVE-2013-6890
+From: Helmut Grohne <helmut () subdivi de>
+
+ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
+
+results in a log lines
+
+sshd[123]: Invalid user Invalid user root from 123.123.123.123 from 21.21.21.21
+sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]
+sshd[123]: Connection closed by 21.21.21.21 [preauth]
+
+and causes denyhosts to block both ips 21.21.21.21 and 123.123.123.123.
+
+This patch tightens the regular expressions used to avoid these and similar
+injections.
+
+Index: denyhosts-2.6/DenyHosts/regex.py
+===================================================================
+--- denyhosts-2.6.orig/DenyHosts/regex.py	2013-12-22 11:54:42.000000000 +0100
+++ denyhosts-2.6/DenyHosts/regex.py	2013-12-22 11:55:05.000000000 +0100
+@@ -6,22 +6,22 @@
+ 
+ #DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
+ 
+-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
+SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
+ #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
+ 
+-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+ 
+-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+ 
+-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX3 = None
+ 
+-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
+FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
+ 
+-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
+ 
+-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+ 
+-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
+ 
+ 
+ # these are reserved for future versions
+@@ -42,7 +42,7 @@
+     FAILED_ENTRY_REGEX_MAP[i] = rx
+ 
+ 
+-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+ 
+ TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")
+ 
--- a/denyhosts/denyhosts-2.6-log-injection-regex.patch
+++ b/denyhosts/denyhosts-2.6-log-injection-regex.patch
@ -0,0 +1,21 @@
+Address Log injection reported at
+
+http://bugs.gentoo.org/show_bug.cgi?id=181213
+
+diff -ur a/DenyHosts/regex.py b/DenyHosts/regex.py
+--- a/DenyHosts/regex.py	2006-12-07 13:47:04.000000000 -0600
+++ b/DenyHosts/regex.py	2007-06-19 18:51:54.000000000 -0500
+@@ -17,11 +17,11 @@
+ 
+ FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
+ 
+-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
+ 
+ FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+ 
+-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
+ 
+ 
+ # these are reserved for future versions
--- a/denyhosts/denyhosts-2.6-plugin_deny.patch
+++ b/denyhosts/denyhosts-2.6-plugin_deny.patch
@ -0,0 +1,23 @@
+From: Marco Bertorello <marco@bertorello.ns0.it>
+Date: Thu, 14 Apr 2011 00:11:35 +0200
+Subject: 09_plugin_deny
+
+Correct the upstream bug http://sourceforge.net/tracker/index.php?func=detail&aid=1734736&group_id=131204&atid=720419
+---
+ DenyHosts/deny_hosts.py |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/DenyHosts/deny_hosts.py b/DenyHosts/deny_hosts.py
+index f308264..0f5f48d 100644
+--- a/DenyHosts/deny_hosts.py
+++ b/DenyHosts/deny_hosts.py
+@@ -443,7 +443,7 @@ allowed based on your %s file"""  % (self.__prefs.get("HOSTS_DENY"),
+             self.__report.add_section(msg, new_denied_hosts)
+             if self.__sync_server: self.sync_add_hosts(new_denied_hosts)
+             plugin_deny = self.__prefs.get('PLUGIN_DENY')
+-            if plugin_deny: plugin.execute(plugin_deny, deny_hosts)
+            if plugin_deny: plugin.execute(plugin_deny, new_denied_hosts)
+         
+         new_suspicious_logins = login_attempt.get_new_suspicious_logins()
+         if new_suspicious_logins:
+-- 
--- a/denyhosts/denyhosts-2.6-single_config_switch.patch
+++ b/denyhosts/denyhosts-2.6-single_config_switch.patch
@ -0,0 +1,24 @@
+From: Marco Bertorello <marco@bertorello.ns0.it>
+Date: Thu, 14 Apr 2011 00:11:35 +0200
+Subject: 11_single_config_switch
+
+A patch to prevent denyhosts running with a double --config switch
+---
+ daemon-control-dist |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/daemon-control-dist b/daemon-control-dist
+index 9f42b60..14d0f70 100755
+--- a/daemon-control-dist
+++ b/daemon-control-dist
+@@ -144,7 +144,8 @@ if __name__ == '__main__':
+ 
+     try:
+         if option in ('start', 'restart', 'condrestart'):
+-            if '--config' not in args and '-c' not in args:
+            anystartswith = lambda prefix, xs: any(map(lambda x: x.startswith(prefix), xs))
+            if not anystartswith('--config', args) and '-c' not in args:
+                 args.append("--config=%s" % DENYHOSTS_CFG)
+ 
+         cmd = cases[option]
+--