Date:      Sun, 17 Jun 2007 17:33:05 +0200 (CEST)
From:      Henrik Brix Andersen <henrik@brixandersen.dk>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        Mij <mij@bitchx.it>
Subject:   ports/113800: [patch] security/sshguard{, -ipfw, -pf} doesn't recognize all IPv6 addresses
Message-ID:  <20070617153305.DEC481141F@lothlorien.brixandersen.dk>
Resent-Message-ID: <200706171540.l5HFe3mF023786@freefall.freebsd.org>


>Number:         113800
>Category:       ports
>Synopsis:       [patch] security/sshguard{,-ipfw,-pf} doesn't recognize all IPv6 addresses
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 17 15:40:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Henrik Brix Andersen
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
pil.dk
>Environment:
System: FreeBSD lothlorien.brixandersen.dk 7.0-CURRENT FreeBSD 7.0-CURRENT #44: Wed Jun 13 13:26:40 CEST 2007 root@lothlorien.brixandersen.dk:/usr/obj/usr/src/sys/LOTHLORIEN i386


	
>Description:

The regex used to recognize IPv6 addresses in
security/sshguard{,-ipfw,-pf} doesn't catch all IPv6 addresses. The
author (and port maintainer) is aware of this issue and supplied the
following patch, which fixes the issue. The patch will be part of
sshguard-1.1, which is due soonish.

He OK'ed that I submit the patch for inclusion in FreeBSD ports.

	
>How-To-Repeat:
	
>Fix:

	

--- sshguard.diff begins here ---
diff -urpN /usr/ports/security/sshguard/Makefile security/sshguard/Makefile
--- /usr/ports/security/sshguard/Makefile	Wed Jun 13 00:13:32 2007
+++ security/sshguard/Makefile	Sun Jun 17 17:25:16 2007
@@ -7,6 +7,7 @@
 
 PORTNAME=	sshguard
 DISTVERSION=	1.0
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
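Review bot: The `PORTREVISION=	1` bump after `DISTVERSION` is made only in security/sshguard/Makefile, while the synopsis also names sshguard-ipfw and sshguard-pf. If those two ports do not take their revision from this Makefile, they need the same bump so that installed packages are rebuilt with the corrected scanner. Since the description says the fix ships in sshguard-1.1, the update to 1.1 should drop both this `PORTREVISION` line and files/patch-attack_scanner.l.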
diff -urpN /usr/ports/security/sshguard/files/patch-attack_scanner.l security/sshguard/files/patch-attack_scanner.l
--- /usr/ports/security/sshguard/files/patch-attack_scanner.l	Thu Jan  1 01:00:00 1970
+++ security/sshguard/files/patch-attack_scanner.l	Sun Jun 17 17:22:37 2007
@@ -0,0 +1,11 @@
+--- src/attack_scanner.l.orig	Wed May 23 20:53:53 2007
++++ src/attack_scanner.l	Sat Jun 16 17:45:43 2007
+@@ -46,7 +46,7 @@ NUMBER      [1-9][0-9]*
+  /* an IPv4 address */
+ (25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3} { yylval.str = yytext; return IPv4; }
+  /* an IPv6 address */
+-((([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5})|(:(:[a-fA-F0-9]{1,4}){1,6}|([a-fA-F0-9]{1,4}:)(:[a-fA-F0-9]{1,4}){1,6}|([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5}|([a-fA-F0-9]{1,4}:){3}(:[a-fA-F0-9]{1,4}){1,4}|([a-fA-F0-9]{1,4}:){4}(:[a-fA-F0-9]{1,4}){1,3}|([a-fA-F0-9]{1,4}:){5}(:[a-fA-F0-9]{1,4}){1,2}|([a-fA-F0-9]{1,4}:){6}:[a-fA-F0-9]{1,4}))           { yylval.str = yytext; return IPv6;  }
++(([a-fA-F0-9]{1,4}(:[a-fA-F0-9]{1,4}){7})|(([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5})|(:(:[a-fA-F0-9]{1,4}){1,6}|([a-fA-F0-9]{1,4}:)(:[a-fA-F0-9]{1,4}){1,6}|([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5}|([a-fA-F0-9]{1,4}:){3}(:[a-fA-F0-9]{1,4}){1,4}|([a-fA-F0-9]{1,4}:){4}(:[a-fA-F0-9]{1,4}){1,3}|([a-fA-F0-9]{1,4}:){5}(:[a-fA-F0-9]{1,4}){1,2}|([a-fA-F0-9]{1,4}:){6}:[a-fA-F0-9]{1,4}))           { yylval.str = yytext; return IPv6;  }
+ 
+  /* an host address (PTR) */
+ localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+                           { yylval.str = yytext; return HOSTADDR; }
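Review bot: The added IPv6 rule gains `[a-fA-F0-9]{1,4}(:[a-fA-F0-9]{1,4}){7}` for the full eight-group form, but every compressed alternative still requires at least one group after `::`, so an address ending in `::` (or the bare `::`) is still not matched in full and the rule keeps under-matching. Because a source address the scanner does not return as `IPv6` cannot be acted on, it is worth adding alternatives for the trailing-`::` forms while this line is being touched. Separately, `([a-fA-F0-9]{1,4}:){2}(:[a-fA-F0-9]{1,4}){1,5}` appears twice in the new pattern (once before and once inside the second group); one copy can be dropped without changing what is matched.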
--- sshguard.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


