diff -Nru libiptables-parse-perl-1.5/Changes libiptables-parse-perl-1.6/Changes --- libiptables-parse-perl-1.5/Changes 2015-09-07 21:54:26.000000000 +0000 +++ libiptables-parse-perl-1.6/Changes 2015-11-01 22:20:05.000000000 +0000 @@ -1,5 +1,17 @@ Revision history for Perl extension IPTables::Parse. +1.6 Sat Nov 07 08:45:15 2015 + - (Miloslav Trmač) Fixed a vulnerability to not use predictable names for + temporary files. This vulnerability would allow an attacker on a multi- + user system to set up symlinks to overwrite any file the current user has + write access to. If a user manually overrides the temporary file + locations with the 'iptout' and 'ipterr' hash keys, it is recommended to + not use predictable names either. + - Updated to use the '-w' argument on the iptables command line (a test is + performed to see if it is supported). This acquires an exclusive lock on + iptables command execution. This can be disable by the user if necessary + by setting the new lockless_ipt_exec hash key. + 1.5 Mon Sep 07 20:18:16 2015 - Bug fix to support additional characters in iptables chain names such as dashes and special characters. Stuart Schneider reported this bug and diff -Nru libiptables-parse-perl-1.5/debian/changelog libiptables-parse-perl-1.6/debian/changelog --- libiptables-parse-perl-1.5/debian/changelog 2015-10-09 21:11:09.000000000 +0000 +++ libiptables-parse-perl-1.6/debian/changelog 2015-11-08 17:28:58.000000000 +0000 @@ -1,3 +1,11 @@ +libiptables-parse-perl (1.6-1) unstable; urgency=medium + + * Team upload. + * Import upstream version 1.6. + * Add patch to fix POD encoding. + + -- gregor herrmann Sun, 08 Nov 2015 18:28:48 +0100 + libiptables-parse-perl (1.5-1) unstable; urgency=low * Team upload diff -Nru libiptables-parse-perl-1.5/debian/control libiptables-parse-perl-1.6/debian/control --- libiptables-parse-perl-1.5/debian/control 2015-10-09 21:09:30.000000000 +0000 +++ libiptables-parse-perl-1.6/debian/control 2015-11-08 17:28:58.000000000 +0000 
@@ -1,19 +1,21 @@ Source: libiptables-parse-perl +Maintainer: Debian Perl Group +Uploaders: Franck Joncourt , + Fabrizio Regalli Section: perl +Testsuite: autopkgtest-pkg-perl Priority: optional Build-Depends: debhelper (>= 9) Build-Depends-Indep: perl -Maintainer: Debian Perl Group -Uploaders: Franck Joncourt , Fabrizio Regalli Standards-Version: 3.9.6 -Homepage: https://metacpan.org/release/IPTables-Parse -Vcs-Git: git://anonscm.debian.org/pkg-perl/packages/libiptables-parse-perl.git Vcs-Browser: https://anonscm.debian.org/cgit/pkg-perl/packages/libiptables-parse-perl.git -Testsuite: autopkgtest-pkg-perl +Vcs-Git: git://anonscm.debian.org/pkg-perl/packages/libiptables-parse-perl.git +Homepage: https://metacpan.org/release/IPTables-Parse Package: libiptables-parse-perl Architecture: all -Depends: ${perl:Depends}, ${misc:Depends} +Depends: ${perl:Depends}, + ${misc:Depends} Description: Perl extension for parsing iptables firewall rulesets The IPTables::Parse package provides an interface to parse iptables rules on Linux systems through the direct execution of iptables commands, or diff -Nru libiptables-parse-perl-1.5/debian/patches/pod-encoding.patch libiptables-parse-perl-1.6/debian/patches/pod-encoding.patch --- libiptables-parse-perl-1.5/debian/patches/pod-encoding.patch 1970-01-01 00:00:00.000000000 +0000 +++ libiptables-parse-perl-1.6/debian/patches/pod-encoding.patch 2015-11-08 17:28:58.000000000 +0000 
@@ -0,0 +1,21 @@ +Description: add encoding directive to POD + Otherwise we get a POD ERROR: + Around line 1209: + Non-ASCII character seen before =encoding in 'Trmač'. Assuming UTF-8 +Origin: vendor +Author: gregor herrmann +Last-Update: 2015-11-08 +Forwarded: https://rt.cpan.org/Ticket/Display.html?id=108589 +Bug: https://rt.cpan.org/Ticket/Display.html?id=108589 + +--- a/lib/IPTables/Parse.pm ++++ b/lib/IPTables/Parse.pm +@@ -995,6 +995,8 @@ + 1; + __END__ + ++=encoding UTF-8 ++ + =head1 NAME + + IPTables::Parse - Perl extension for parsing iptables and ip6tables policies diff -Nru libiptables-parse-perl-1.5/debian/patches/series libiptables-parse-perl-1.6/debian/patches/series --- libiptables-parse-perl-1.5/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ libiptables-parse-perl-1.6/debian/patches/series 2015-11-08 17:28:58.000000000 +0000 @@ -0,0 +1 @@ +pod-encoding.patch diff -Nru libiptables-parse-perl-1.5/lib/IPTables/Parse.pm libiptables-parse-perl-1.6/lib/IPTables/Parse.pm --- libiptables-parse-perl-1.5/lib/IPTables/Parse.pm 2015-09-07 21:54:26.000000000 +0000 +++ libiptables-parse-perl-1.6/lib/IPTables/Parse.pm 2015-11-01 22:20:05.000000000 +0000 @@ -7,7 +7,7 @@ # # Author: Michael Rash (mbr@cipherdyne.org) # -# Version: 1.5 +# Version: 1.6 # ################################################################## # @@ -17,11 +17,12 @@ use 5.006; use POSIX ":sys_wait_h"; use Carp; +use File::Temp; use strict; use warnings; use vars qw($VERSION); -$VERSION = '1.5'; +$VERSION = '1.6'; sub new() { my $class = shift; 
@@ -36,8 +37,8 @@ _firewall_cmd => $args{'firewall-cmd'} || '', _fwd_args => $args{'fwd_args'} || '--direct --passthrough ipv4', _ipv6 => $args{'use_ipv6'} || 0, - _iptout => $args{'iptout'} || '/tmp/ipt.out' . $$, - _ipterr => $args{'ipterr'} || '/tmp/ipt.err' . $$, + _iptout => $args{'iptout'} || mktemp('/tmp/ipt.out.XXXXXX'), + _ipterr => $args{'ipterr'} || mktemp('/tmp/ipt.err.XXXXXX'), _ipt_alarm => $args{'ipt_alarm'} || 30, _debug => $args{'debug'} || 0, _verbose => $args{'verbose'} || 0, @@ -45,7 +46,8 @@ _ipt_exec_style => $args{'ipt_exec_style'} || 'waitpid', _ipt_exec_sleep => $args{'ipt_exec_sleep'} || 0, _sigchld_handler => $args{'sigchld_handler'} || \&REAPER, - _skip_ipt_exec_check => $args{'skip_ipt_exec_check'} || 0 + _skip_ipt_exec_check => $args{'skip_ipt_exec_check'} || 0, + _lockless_ipt_exec => $args{'lockless_ipt_exec'} || 0, }; if ($self->{'_skip_ipt_exec_check'}) { @@ -126,6 +128,16 @@ $self->{'_cmd'} = "$self->{'_firewall_cmd'} $self->{'_fwd_args'}"; } + unless ($self->{'_skip_ipt_exec_check'}) { + unless ($self->{'_lockless_ipt_exec'}) { + ### now that we have the iptables command defined, see whether + ### it supports -w to acquire an exclusive lock + my ($rv, $out_ar, $err_ar) = &exec_iptables($self, + "$self->{'_cmd'} -w -t filter -n -L INPUT"); + $self->{'_cmd'} .= ' -w' if $rv; + } + } + $self->{'parse_keys'} = &parse_keys(); bless $self, $class; @@ -329,6 +341,9 @@ my $found_chain = 0; my @ipt_lines = (); + my $fh = *STDERR; + $fh = *STDOUT if $self->{'_verbose'}; + ### only used for IPv4 + NAT my $ip_re = qr|(?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2}|; @@ -408,14 +423,14 @@ if ($ipt_verbose) { if ($has_line_numbers) { - if ($line =~ /^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)/) { + if ($line =~ /^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.*)/) { $rnum = $1; $packets = $2; $bytes = $3; $rule_body = $4; } } else { - if ($line =~ /^\s*(\d+)\s+(\d+)\s+(.*)/) { + if ($line =~ /^\s*(\S+)\s+(\S+)\s+(.*)/) { $packets = $1; $bytes = $2; $rule_body = $3; 
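Review bot: `mktemp()` in the new `_iptout`/`_ipterr` defaults only generates an unpredictable name; it does not create the file, so whatever later opens those paths (outside this hunk) can still be redirected by a symlink planted in /tmp between name generation and the open — the window is much smaller than with `'/tmp/ipt.out' . $$`, but it is not closed, which is exactly what File::Temp's own documentation cautions about for mktemp. The robust form is to create the file atomically and keep the handle, e.g. `my ($out_fh, $out_path) = tempfile('ipt.out.XXXXXX', TMPDIR => 1, UNLINK => 1);` (same for ipterr), or at least open the generated path with `sysopen(..., O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW)` rather than a plain `open '>'` — whichever matches how exec_iptables consumes these paths. Caller-supplied 'iptout'/'ipterr' values are still used verbatim here, as the Changes entry acknowledges, so a one-line POD warning on those keys would be worth adding.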
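Review bot: The `-w` probe treats any false `$rv` as "this iptables has no `-w`", so an unrelated failure of `-t filter -n -L INPUT` (not running as root, filter table not available, a firewall-cmd passthrough rejecting the argument) silently disables locking for the lifetime of the object even though the binary supports it. Consider separating the two cases — rerun the probe without `-w` and only drop the flag when the lock-less variant succeeds, or inspect `$err_ar` for an unrecognized-option message — and emit a debug line stating which command was chosen either way. Note also that bare `-w` waits indefinitely for the xtables lock; presumably `_ipt_alarm` (30 s default above) bounds that inside exec_iptables, but it is worth confirming since the wait can now happen inside new(). The enclosing new() continues beyond this hunk.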
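Review bot: Relaxing the counter captures from `\d+` to `\S+` lets iptables' human-readable counter column through (the new t/basic_ipv4.rules fixture has `429 141K`), so the values stored from `$packets`/`$bytes` can now be strings such as `141K` rather than integers, and a numeric comparison on them yields 141 with a warning. The POD for chain_rules() should state that these fields may carry a K/M/G suffix when the rules come from non-`-x` output; if the module's own `-L` invocation (outside this hunk) can take `-x`, exact counters would keep the exec path integral and leave the relaxed regex for file input only. The enclosing chain_rules body starts and ends outside this hunk.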
@@ -423,10 +438,14 @@ } } else { if ($has_line_numbers) { - if ($line =~ /^\s*(\d+)\s+(\d+)\s+(.*)/) { + if ($line =~ /^\s*(\d+)\s+(.*)/) { $rnum = $1; $rule_body = $2; } + } else { + $rule_body = $line; + $rnum = $rule_num; + $rnum = $rule_num; } } @@ -471,6 +490,10 @@ $rule{'extended'} = $7 || ''; &parse_rule_extended(\%rule, $self->{'parse_keys'}->{'extended'}); + } else { + if ($self->{'_debug'}) { + print $fh localtime() . " -v Did not match parse regex: $line\n"; + } } } else { @@ -509,6 +532,10 @@ $rule{'extended'} = $5 || ''; &parse_rule_extended(\%rule, $self->{'parse_keys'}->{'extended'}); + } else { + if ($self->{'_debug'}) { + print $fh localtime() . " Did not match parse regex: $line\n"; + } } } push @chain, \%rule; @@ -980,8 +1007,6 @@ 'use_ipv6' => 0, # can set to 1 to force ip6tables usage 'ipt_rules_file' => '', # optional file path from # which to read iptables rules - 'iptout' => '/tmp/iptables.out', - 'ipterr' => '/tmp/iptables.err', 'debug' => 0, 'verbose' => 0 ); @@ -1064,11 +1089,12 @@ iptables binary. In summary, in addition to the hash keys mentioned above, optional keys that -can be passed to new() include '_iptables' (set path to iptables binary), -'_firewall_cmd' (set path to 'firewall-cmd' binary for systems with -'firewalld'), '_fwd_args' (set 'firewall-cmd' usage args; defaults to -'--direct --passthrough ipv4'), '_ipv6' (set IPv6 mode for ip6tables), -'_debug' and '_verbose'. +can be passed to new() include 'iptables' (set path to iptables binary), +'firewall_cmd' (set path to 'firewall-cmd' binary for systems with +'firewalld'), 'fwd_args' (set 'firewall-cmd' usage args; defaults to +'--direct --passthrough ipv4'), 'ipv6' (set IPv6 mode for ip6tables), +'debug', 'verbose', and 'lockless_ipt_exec' (disable usage of the iptables +'-w' argument that acquires an exclusive lock on command execution). =head1 FUNCTIONS @@ -1180,6 +1206,7 @@ Stuart Schneider Grant Ferley Fabien Mazieres + Miloslav Trmač =head1 AUTHOR 
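Review bot: The new `else` branch assigns `$rnum = $rule_num;` twice in a row; drop the duplicate line. The branch also relies on `$rule_num` being maintained by the enclosing loop, which starts outside this hunk — worth a glance that it is advanced on the non-line-numbers path too, since this is the first code that reads it there.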
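Review bot: The new debug message `" -v Did not match parse regex: $line\n"` contains a stray literal ` -v ` that reads like a leftover from an earlier edit; the sibling message added later in this file omits it, so make the two consistent, e.g. `print $fh localtime() . " Did not match parse regex: $line\n";`. The enclosing chain_rules body starts and ends outside this hunk.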
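Review bot: Logging the unmatched line is the only thing the new `else` does; control then falls through to the existing `push @chain, \%rule;` visible below it, so a line the parser could not interpret is still returned to the caller as a rule with whatever fields were populated before the match (not visible here). If that is intentional, say so in a comment next to the push, e.g. `### unparsed lines are still returned so callers see every rule; fields may be empty`; otherwise a `next` after the debug print, or a marker such as `$rule{'unparsed'} = 1`, would let callers tell the two apart. The enclosing chain_rules body starts and ends outside this hunk.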
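Review bot: The rewritten key list names `'firewall_cmd'` and `'ipv6'`, but new() actually reads `$args{'firewall-cmd'}` and `$args{'use_ipv6'}` (visible in the -36/+37 hunk of this file), so a caller who follows this paragraph gets the defaults silently. Change the text to `'firewall-cmd'` and `'use_ipv6'`; `'lockless_ipt_exec'` matches `$args{'lockless_ipt_exec'}` in the -45/+46 hunk, while `'iptables'` could not be checked from the hunks shown.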
@@ -1189,7 +1216,7 @@ =head1 VERSION -Version 1.5 (Septebmer, 2015) +Version 1.6 (November, 2015) =head1 COPYRIGHT AND LICENSE diff -Nru libiptables-parse-perl-1.5/MANIFEST libiptables-parse-perl-1.6/MANIFEST --- libiptables-parse-perl-1.5/MANIFEST 2015-09-07 21:54:26.000000000 +0000 +++ libiptables-parse-perl-1.6/MANIFEST 2015-11-01 22:20:05.000000000 +0000 @@ -4,4 +4,5 @@ README t/IPTables-Parse.t t/basic_tests.pl +t/basic_ipv4.rules lib/IPTables/Parse.pm diff -Nru libiptables-parse-perl-1.5/META.json libiptables-parse-perl-1.6/META.json --- libiptables-parse-perl-1.5/META.json 2015-09-07 21:54:26.000000000 +0000 +++ libiptables-parse-perl-1.6/META.json 2015-11-01 22:20:05.000000000 +0000 @@ -35,5 +35,5 @@ } }, "release_status" : "stable", - "version" : "1.5" + "version" : "1.6" } diff -Nru libiptables-parse-perl-1.5/META.yml libiptables-parse-perl-1.6/META.yml --- libiptables-parse-perl-1.5/META.yml 2015-09-07 21:54:26.000000000 +0000 +++ libiptables-parse-perl-1.6/META.yml 2015-11-01 22:20:05.000000000 +0000 @@ -1,6 +1,6 @@ --- #YAML:1.1 name: IPTables-Parse -version: 1.5 +version: 1.6 abstract: Perl extension for parsing iptables and ip6tables firewall rulesets author: - Michael Rash diff -Nru libiptables-parse-perl-1.5/README libiptables-parse-perl-1.6/README --- libiptables-parse-perl-1.5/README 2015-09-07 21:54:26.000000000 +0000 +++ libiptables-parse-perl-1.6/README 2015-11-01 22:20:05.000000000 +0000 @@ -1,4 +1,4 @@ -IPTables-Parse version 1.3 +IPTables-Parse version 1.6 =========================== The README is used to introduce the module and provide instructions on diff -Nru libiptables-parse-perl-1.5/t/basic_ipv4.rules libiptables-parse-perl-1.6/t/basic_ipv4.rules --- libiptables-parse-perl-1.5/t/basic_ipv4.rules 1970-01-01 00:00:00.000000000 +0000 +++ libiptables-parse-perl-1.6/t/basic_ipv4.rules 2015-11-01 22:20:05.000000000 +0000 
@@ -0,0 +1,6 @@ +Chain INPUT (policy DROP 0 packets, 0 bytes) +num pkts bytes target prot opt in out source destination +1 429 141K LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x17/0x02 LOG flags 0 level 4 prefix "(NEW w/o SYN) INPUT:DROP " +2 429 141K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x17/0x02 +3 2055 179K SUBNET all -- eth1 * 0.0.0.0/0 3.4.5.6 +4 2481 119K REJECT all -- * * 123.1.1.2 0.0.0.0/0 reject-with icmp-port-unreachable diff -Nru libiptables-parse-perl-1.5/t/basic_tests.pl libiptables-parse-perl-1.6/t/basic_tests.pl --- libiptables-parse-perl-1.5/t/basic_tests.pl 2015-09-07 21:54:26.000000000 +0000 +++ libiptables-parse-perl-1.6/t/basic_tests.pl 2015-11-01 22:20:05.000000000 +0000 @@ -15,6 +15,7 @@ my $logfile = 'test.log'; my $ipt_rules_file = 'ipt_rules.tmp'; +my $basic_ipv4_rules_file = 'basic_ipv4.rules'; my $PRINT_LEN = 68; #================== end config =================== @@ -63,7 +64,7 @@ my $passed = 0; my $failed = 0; -my $executed = 0; +my $executed = 1; my $SKIP_IPT_EXEC_CHECK = 1; my $IPT_EXEC_CHECK = 0; @@ -71,6 +72,7 @@ &init(); ### main testing routines +&parse_basic_ipv4_policy(); &iptables_tests('', $IPT_EXEC_CHECK); &iptables_tests($ipt_rules_file, $IPT_EXEC_CHECK); &iptables_tests($ipt_rules_file, $SKIP_IPT_EXEC_CHECK); 
@@ -221,6 +223,32 @@
 return;
 }
+
+sub parse_basic_ipv4_policy() {
+
+ $ipt_opts{'ipt_rules_file'} = $basic_ipv4_rules_file;
+
+ &logr("\n[+] Running basic IPv4 chain_rules() parse test...\n");
+ &dots_print("parse $basic_ipv4_rules_file via chain_rules()");
+
+ my $ipt_obj = IPTables::Parse->new(%ipt_opts)
+ or die "[*] Could not acquire IPTables::Parse object";
+
+ my $rules_ar = $ipt_obj->chain_rules('filter', 'INPUT');
+
+ if ($#$rules_ar > -1) {
+ &logr("pass ($executed)\n");
+ $passed++;
+ } else {
+ &logr("fail ($executed)\n");
+ $failed++;
+ }
+ $executed++;
+
+ $ipt_opts{'ipt_rules_file'} = '';
+
+ return;
+}
 sub chain_rules_tests() {
 my ($ipt_obj, $tables_chains_hr) = @_;
diff -Nru libiptables-parse-perl-1.5/VERSION libiptables-parse-perl-1.6/VERSION
--- libiptables-parse-perl-1.5/VERSION 2015-09-07 21:54:26.000000000 +0000
+++ libiptables-parse-perl-1.6/VERSION 2015-11-01 22:20:05.000000000 +0000
@@ -1 +1 @@
-1.5
+1.6
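Review bot: `$#$rules_ar > -1` only proves that something parsed, while the fixture is fully known — t/basic_ipv4.rules holds exactly four INPUT rules with `429 141K` counters, which is the very input the relaxed counter regex in lib/IPTables/Parse.pm was changed for — so assert `scalar @$rules_ar == 4` and check that the first rule's counter fields (under whatever keys chain_rules stores `$packets`/`$bytes`) come through as `429` and `141K`; otherwise a regression back to `\d+` would still pass this test. Unless %ipt_opts (initialised outside this hunk) sets skip_ipt_exec_check, new() will also run the `-w` probe against the live iptables here, so this file-parse test still needs root; passing `'skip_ipt_exec_check' => 1` alongside the rules file would make it self-contained. Resetting `$ipt_opts{'ipt_rules_file'}` only on the success path leaves it set if the `die` fires, which is fine for a test but worth a one-line comment.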