From 08b9eedc0a7ef0b26775482d6c7f1c173e13af42 Mon Sep 17 00:00:00 2001
From: athimm <athimm@fedoraproject.org>
Date: Sat, 14 Feb 2009 07:13:55 +0000
Subject: [PATCH] Fixes CVE-2009-0362

---
 ...choring-regex-for-IP-with-at-the-end.patch | 30 +++++++++++++++++++
 fail2ban.spec                                 |  7 ++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch

diff --git a/0001-BF-anchoring-regex-for-IP-with-at-the-end.patch b/0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
new file mode 100644
index 0000000..5097acb
--- /dev/null
+++ b/0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
@@ -0,0 +1,30 @@
+From a8f963a2803acef984c66cd1910631eb06363ac1 Mon Sep 17 00:00:00 2001
+From: Yaroslav Halchenko <debian@onerussian.com>
+Date: Wed, 4 Feb 2009 15:38:11 -0500
+Subject: [PATCH] BF: anchoring regex for IP with " *$" at the end
+
+to forbid matching IP encoded in the hostname prior doing actual DNS
+lookup.
+
+It is quite important and actually security hazard: DoS is easy to
+perform...
+---
+ server/filter.py |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/server/filter.py b/server/filter.py
+index 457bb03..77042ad 100644
+--- a/server/filter.py
++++ b/server/filter.py
+@@ -492,7 +492,7 @@ import socket, struct
+ 
+ class DNSUtils:
+ 	
+-	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
++	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")
+ 	
+ 	#@staticmethod
+ 	def dnsToIp(dns):
+-- 
+1.5.6.5
+
diff --git a/fail2ban.spec b/fail2ban.spec
index 2297f7a..d0f950f 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -4,7 +4,7 @@
 Summary: Ban IPs that make too many password failures
 Name: fail2ban
 Version: 0.8.3
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://fail2ban.sourceforge.net/
@@ -14,6 +14,7 @@ Patch0: fail2ban-0.8.3-init.patch
 Patch1: fail2ban-0.8.1-sshd.patch
 #Patch2: fail2ban-0.8.1-sock.patch
 Patch3: fail2ban-0.8.2-fd_cloexec.patch
+Patch4: 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: python-devel >= 2.3
 BuildArch: noarch
@@ -33,6 +34,7 @@ failures. It updates firewall rules to reject the IP address.
 %patch1 -p1 -b .sshd
 #patch2 -p1 -b .sock
 %patch3 -p1 -b .fd_cloexec
+%patch4 -p1 -b .CVE-2009-0362
 
 %build
 python setup.py build
@@ -82,6 +84,9 @@ fi
 %dir %{_localstatedir}/run/fail2ban
 
 %changelog
+* Sat Feb 14 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-18
+- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466).
+
 * Mon Dec 01 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 0.8.3-17
 - Rebuild for Python 2.6