File fail2ban-0.8.4-CVE-2012-5642.patch of Package fail2ban.openSUSE_12.1_Update

From 83109bce144f443a48ef31165a5389b7b83f4e0e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 8 Oct 2012 22:14:51 -0400
Subject: [PATCH] BF: escape the content of <matches> since its value could
 contain arbitrary symbols

---
 server/action.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff -ur fail2ban-0.8.4-orig/server/action.py fail2ban-0.8.4/server/action.py
--- fail2ban-0.8.4-orig/server/action.py	2008-04-08 00:25:17.000000000 +0200
+++ fail2ban-0.8.4/server/action.py	2013-03-26 08:48:17.925207509 +0100
@@ -223,7 +223,14 @@
 	def execActionStop(self):
 		stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
 		return Action.executeCmd(stopCmd)
-	
+
+	def escapeTag(tag):
+		for c in '\\#&;`|*?~<>^()[]{}$\n':
+			if c in tag:
+				tag = tag.replace(c, '\\' + c)
+		return tag
+	escapeTag = staticmethod(escapeTag)
+
 	##
 	# Replaces tags in query with property values in aInfo.
 	#
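Review bot: The character list in `escapeTag` omits the single and double quote, so a `<matches>` value that an action command places inside a quoted argument is not fully neutralised by this escaping; appending `\'"` to the string literal being iterated would cover both. The escaped `\n` also deserves a second look, since a backslash followed by a newline is normally treated by a shell as a line continuation rather than a literal newline, which may or may not be the intended result. The new method has no `##` comment block like the neighbouring methods; one stating that it backslash-escapes shell metacharacters in untrusted log content, and that it must be applied to any tag whose value comes from matched log lines, would help the next maintainer. The enclosing class begins outside this hunk.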
@@ -236,8 +243,13 @@
 		""" Replace tags in query
 		"""
 		string = query
-		for tag in aInfo:
-			string = string.replace('<' + tag + '>', str(aInfo[tag]))
+		for tag, value in aInfo.iteritems():
+			value = str(value)			  # assure string
+			if tag == 'matches':
+				# That one needs to be escaped since its content is
+				# out of our control
+				value = escapeTag(value)
+			string = string.replace('<' + tag + '>', value)
 		# New line
 		string = string.replace("<br>", '\n')
 		return string
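Review bot: The call `value = escapeTag(value)` uses a bare name, but the first hunk defines `escapeTag` as a static method in the class body, and a method body does not see class attributes without qualification. Unless a module-level `escapeTag` exists outside the visible lines, this raises `NameError` the first time `aInfo` contains a `matches` entry, so the action command is never built for exactly the case the patch targets. Following the `Action.replaceTag` / `Action.executeCmd` convention visible in the first hunk, the line should read `value = Action.escapeTag(value)`. The signature of the enclosing function is outside this hunk.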
Nur in fail2ban-0.8.4/server: action.py.orig.