authorMatt Thode <prometheanfire@gentoo.org>2014-04-11 15:12:57 +0000
committerMatt Thode <prometheanfire@gentoo.org>2014-04-11 15:12:57 +0000
commitbffb3a64724cd35cd2c4132868551efdf6c84ee3 (patch)
treeb4cdb5609c3e1ae5d5798555350901d8004ef3a2 /sys-cluster
parentOptionalize dev-libs/keybinder with USE="keybinder" (diff)
downloadhistorical-bffb3a64724cd35cd2c4132868551efdf6c84ee3.tar.gz
historical-bffb3a64724cd35cd2c4132868551efdf6c84ee3.tar.bz2
historical-bffb3a64724cd35cd2c4132868551efdf6c84ee3.zip
fix for CVE-2014-0167
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-cluster')
-rw-r--r--sys-cluster/nova/ChangeLog9
-rw-r--r--sys-cluster/nova/Manifest31
-rw-r--r--sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch145
-rw-r--r--sys-cluster/nova/nova-2013.2.3-r1.ebuild (renamed from sys-cluster/nova/nova-2013.2.3.ebuild)3
4 files changed, 171 insertions, 17 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index fc37b78f545e..7999d793aded 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.58 2014/04/06 06:32:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.59 2014/04/11 15:12:49 prometheanfire Exp $
+
+*nova-2013.2.3-r1 (11 Apr 2014)
+
+ 11 Apr 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2014-0167-2013.2.3.patch, +nova-2013.2.3-r1.ebuild,
+ -nova-2013.2.3.ebuild:
+ fix for CVE-2014-0167
*nova-2013.2.3 (06 Apr 2014)
diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest
index 9d63196ba617..d0e14be4f9c6 100644
--- a/sys-cluster/nova/Manifest
+++ b/sys-cluster/nova/Manifest
@@ -1,30 +1,31 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX CVE-2014-0167-2013.2.3.patch 5832 SHA256 b6ec01d6ea62424b0340c7004cef69b0bfeb22b667169776d9ded53435b01a99 SHA512 aa913a9eb482bd2f5d401ac76749543b51772fdd3ce9fec35026cabbedbf2846122df70383221e6dfa5e829f1d2f173ebc1aaf760c8adfc0b1ceac8e98a3f5f7 WHIRLPOOL 8f53c518ce1bfa91afc4bc2f715469a8b5573fb23298d1e9ae4b8f9f0d8086ece227bee6132da976ca2a04379e6fc5706e2db6f54f3edf97a404b5fb6d849e98
AUX nova-confd 101 SHA256 d9013141618d1e8b8ba85297155747d9c8fc362238de7bba3108b9a2539c8c73 SHA512 4c7ec1d123f2cdaf394d1f4824df861bbe309b0b329db44080160d81746cd0fc9d4cc1b35da0f66ab075f1d4e835ababfb7bccaf4a2e931e60f2c0ac572a552e WHIRLPOOL 6a237357a3905d29a96b32c37f6d189e4f5cefc0986bb091e24a79295191332143741c604c2a9fd44484c75b3be89742a5570862cf0cd4ba225425f7f32b5348
AUX nova-initd 1496 SHA256 5b5f928335ac345103492555c3bc57407f547915b099762d0087aef172e5edf8 SHA512 cca06baba484d505f3a96643d836204a08e9dde50197531cdab2d95188b992a95a375a386b9c54fcc8e0a4f6167babba975db7510db1087f044afa39effe4eec WHIRLPOOL 4c667a5cc469826063a65879c1beddc98371edf295a273c9b8f679627cabfe2260d8b3bbdf9550d3894fc1525d63b9f98d6e939406f90ac5f2f745daa59311c2
AUX nova-sudoers 78 SHA256 9e88c2843fb74cc46802c0b103067ad12915ec50335d05e546a5dba76acb4a76 SHA512 22c0606c6335b2d1a03bd18a319a54f16f76f091b2e8416dbba05ce7c15890beff7f32f0322eb5ba3f2a5c750436cacbe0cee189b390b878e3f0c0df219ef984 WHIRLPOOL bc42ae1d12e9f900b263fd5c3d0f59062f46fbec1ff97c0bceb234082bea5943eb64795b4f5e102b8e2749c6868163e5924467088cad42df09345e3406e5f83c
AUX nova.initd 537 SHA256 523587620208419cc73ea150ad1cc04502a2945e51970c3cae18bbfb1d328ce0 SHA512 c1bce2214e10e41e23d17034126c666d63fca5f7709d5bf93608778aa40d0ec518397151fec029b9be3b9639be66213b619f5a2a30617442ba07aff8335192b7 WHIRLPOOL 600946df334247c381bbf1d87e039e39bf3e2962afd5129a63751cd56ea348c804af50014f62141807e6f0181d74b7313f268834e5146b451b125e60cdb61643
DIST nova-2013.2.3.tar.gz 6888463 SHA256 02902cb65b5adb0419c69cdb03ea2a0cfdfe8f7df342be44f3760d66cdecb61e SHA512 fd525e6f3f13e9405d4e53faaf44e88a3a4afe8491d9241edb6b66b61b9d8ec279dd0aead70ee5e6d166caf6879927fc01e57230d1129a7b2e2a794e32054570 WHIRLPOOL d4551136683595fd5ab831d692ab90a1aea177df4266341399726923ce285b6b7852705c89a516c146f88903d9a7fc4b3879419f158a68581144453f0fa36e8b
-EBUILD nova-2013.2.3.ebuild 4496 SHA256 6f2d7a1897ec1593f204bc324b348e8effa32dee068c68498d72a6d321b737f1 SHA512 53a1aa6004253b79850c0c1702fc8c5ca382f6137504354ca096f11972657796010b17a8356b030d760b3dfc0711656bde6212d85369fcfa7a0d3740b7ac57e0 WHIRLPOOL 1f4a7cadd699496a72908ed0ef0a15bf7fcbd13dcab51cab61e95884442783994951064f8938fc81e9472e2d28bf3361331861bc381eaf6f2503f898ea073ce9
+EBUILD nova-2013.2.3-r1.ebuild 4544 SHA256 9c53e240ac79e2c77280b82d8146d8b371e6337ca627a6c4be38013718aa5bc8 SHA512 8ddbf49a5b71dae694be8b20e498adc64d85b415470dbb1218c835bb6cb41214b693e56bc4179dd4e68788dc45edb9f17b0372265c0251215386c651d775eaa5 WHIRLPOOL 63d8d1048410b08ef2e184357ba60a5cdf5be6a3be48c86b40940328a65741aad5686f5860d33b26088922c74bf3a0513962675aabc09ad8d0f041816353e13b
EBUILD nova-2013.2.9999.ebuild 4518 SHA256 2967d09f391e940b6b7a698e84d769aa953c33138df8189fe901aabb8b1b151c SHA512 c92ce4b2f77d119a98d4634228a600bb93c902cb34dd2895377c70957f0f451128fc1079e451235ef6439358476377a0cb863a012e1a265995b57f174e866e66 WHIRLPOOL 0da414d998486d523f84f74b461e5f31dd5123b2dfe3fe5f3337e40b6dcdc78daade0d9af29d097e6ba38f671110e5f52f4bdd0635e4449f209cddf73c27b388
EBUILD nova-9999.ebuild 5225 SHA256 8336956c0a15fd17e15f748c6445c3b144f2a9047dd8257ba3dda7a7b7f1ad01 SHA512 6d961e646096eb4df5814d31b06352f999291becefa5e8fdd88afd14e6ede54e583ba224e474e1122e90b114da4136782cd8336afb467c61fc5400a7dd3a05e8 WHIRLPOOL c4bad3d35be8adb4af48562507ef213185e6d722541226e7d8bedd02578265c035874b371f432db4d1db222fc2776cc74374a508ca562a30dae622a86e0bab10
-MISC ChangeLog 13761 SHA256 9d734c1d1246caf0d23d770ff5ed61669a2e883f1132464791b078aba50571bf SHA512 39c7d0b15648c0e903b5b89ebc8d74bca539174ccef875c5abcf51f11642cc13896f97562ae3dd01aeeef787c195eddcad8e86f46c4a26ae90f2a7e9e60c9203 WHIRLPOOL c9b9f461ca6451e24d60098816434e9b84bcbdca65ccd61827ea202c940779d5dfcdcbd7bd86933c1ac98181ee7dbdb044bfc2b18ecdd1a74b2dab58d6ab5a71
+MISC ChangeLog 13966 SHA256 bc5f8681a2e8e51bd2925177db30fa03e223d39fbea8efa801d3edd65346d634 SHA512 bffb5171f808750d367efa60d26b688220473505a2ef5a9f49bde5e931b9383926d42c0958e7abf929d5b3004e844d0d9c2c1db708365f9e554338a707dc9020 WHIRLPOOL 73d102fa7e209af73e6a46803ec20fa3e2827ae7630a8211f5e5a945349b1ac949e3a3a6c93e7cf8021ba82a87bb8cdffe9debc89e6eea1fb1f28c395d0c32f9
MISC metadata.xml 1452 SHA256 29bf3efaab7a4e45f5e442b26a7606edaed3f47e4ffec3e8990f95aea6bf2450 SHA512 537664b6ff29f4afe09eb4635c2cb06d87a6c3c3101e8ef89d1ab9b5b802c79024e94a0cce5a44ec2fd5b1cc37a251dd42156a015b6a294f219b90daff17c9c1 WHIRLPOOL c6e44f9a48fea6ae2a323e9e03d8805301fb0d94bb5634b1946909715f6c05d45c49180204d00221aae1e6dc6748347b4273fae838216b5d5d07932bc473a851
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-iQIcBAEBCAAGBQJTQPUuAAoJECRx6z5ArFrDkm0P+waMRudKtqarvFO2dqVyYwkC
-bO5xPp+SZs2Me3uGoWRWJqxf9sqJ4z149IU2Fzx9+OIvyiD3+tAh1TV0CrtiAAoh
-/caCTZkXv+8fHgqJHMpgNFHhSh3vtpylOMWprgOqlZAy52qq4GBZngwhbMaXjgHt
-359gqy9B1ipy/AEIJjT0LKXOAGtBzSioMG03wagHhFdVwfZs+mWbGQubGfw35hr1
-6dk5Fy85yB9QqRgamlXuL13L/gqfJCHwzKMUMhgcYDuXlWdnUTB3MouhxxueBq9j
-zNPFhf/S12U6Dc8pncnjHE0+uRpznEqUUbsYncAR9bV0qdQO/QfaQMMvOc6evCcS
-Q2mk35ugc077DN117Dlor/Qv6+jSRKmRjGGIU6Sd9SxVRmSTHElzmjox3jXOQ2fa
-syRQj8yn81um/VNurew0kFjC6+QL1JXthkw0vzC91gbg1BIJ4m/jZtKh8wBxvLHO
-FKO9IaVkkK9pq03G/pyU+XxrrnI+c0uylmHDILaV1RAMwoMKCEvnluKRNOzKafTK
-Bnu5qujZtgeKIw35qUi+018FCTH1QAEoK2Ll+jWVqaABrVSWxITUT71hK8TYg4uY
-wHDG5cHjIttthU7WSeMMk/rzzokKkKQMEuG/LGMbsUPrwRjSK65Py2HAYjIcizCb
-bH8dJYTvMIQkfkkFA6DS
-=ZOTO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+=CFDN
-----END PGP SIGNATURE-----
diff --git a/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch b/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch
new file mode 100644
index 000000000000..a29c9bde6439
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch
@@ -0,0 +1,145 @@
+From 5a1adb94e77f7be4885e4d86087140b94421c963 Mon Sep 17 00:00:00 2001
+From: Andrew Laski <andrew.laski@rackspace.com>
+Date: Thu, 3 Apr 2014 16:37:36 -0400
+Subject: [PATCH] Add RBAC policy for ec2 API security groups calls
+
+The revoke_security_group_ingress, revoke_security_group_ingress, and
+delete_security_group calls in the ec2 API were not restricted by policy
+checks. This prevented a deployer from restricting their usage via
+roles or other checks. Checks have been added for these calls.
+
+Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
+---
+ nova/api/ec2/cloud.py | 10 +++++++++
+ nova/tests/api/ec2/test_cloud.py | 44 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
+index 94ff160..36c2f12 100644
+--- a/nova/api/ec2/cloud.py
++++ b/nova/api/ec2/cloud.py
+@@ -30,6 +30,7 @@ from oslo.config import cfg
+ from nova.api.ec2 import ec2utils
+ from nova.api.ec2 import inst_state
+ from nova.api.metadata import password
++from nova.api.openstack import extensions
+ from nova.api import validator
+ from nova import availability_zones
+ from nova import block_device
+@@ -85,6 +86,9 @@ LOG = logging.getLogger(__name__)
+
+ QUOTAS = quota.QUOTAS
+
++security_group_authorizer = extensions.extension_authorizer('compute',
++ 'security_groups')
++
+
+ def validate_ec2_id(val):
+ if not validator.validate_str()(val):
+@@ -631,6 +635,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+
++ security_group_authorizer(context, security_group)
++
+ prevalues = kwargs.get('ip_permissions', [kwargs])
+
+ rule_ids = []
+@@ -665,6 +671,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+
++ security_group_authorizer(context, security_group)
++
+ prevalues = kwargs.get('ip_permissions', [kwargs])
+ postvalues = []
+ for values in prevalues:
+@@ -737,6 +745,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+
++ security_group_authorizer(context, security_group)
++
+ self.security_group_api.destroy(context, security_group)
+
+ return True
+diff --git a/nova/tests/api/ec2/test_cloud.py b/nova/tests/api/ec2/test_cloud.py
+index 269a738..b28d194 100644
+--- a/nova/tests/api/ec2/test_cloud.py
++++ b/nova/tests/api/ec2/test_cloud.py
+@@ -23,6 +23,7 @@ import copy
+ import datetime
+ import functools
+ import iso8601
++import mock
+ import os
+ import string
+ import tempfile
+@@ -47,6 +48,7 @@ from nova.image import s3
+ from nova.network import api as network_api
+ from nova.network import neutronv2
+ from nova.openstack.common import log as logging
++from nova.openstack.common import policy as common_policy
+ from nova.openstack.common import timeutils
+ from nova import test
+ from nova.tests.api.openstack.compute.contrib import (
+@@ -471,6 +473,34 @@ class CloudTestCase(test.TestCase):
+ delete = self.cloud.delete_security_group
+ self.assertRaises(exception.MissingParameter, delete, self.context)
+
++ def test_delete_security_group_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.delete_security_group, self.context,
++ 'fake-name', 'fake-id')
++
++ def test_authorize_security_group_ingress_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.authorize_security_group_ingress, self.context,
++ 'fake-name', 'fake-id')
++
+ def test_authorize_security_group_ingress(self):
+ kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+ sec = db.security_group_create(self.context, kwargs)
+@@ -575,6 +605,20 @@ class CloudTestCase(test.TestCase):
+ db.security_group_destroy(self.context, sec2['id'])
+ db.security_group_destroy(self.context, sec1['id'])
+
++ def test_revoke_security_group_ingress_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.revoke_security_group_ingress, self.context,
++ 'fake-name', 'fake-id')
++
+ def test_revoke_security_group_ingress(self):
+ kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+ sec = db.security_group_create(self.context, kwargs)
+--
+1.7.9.5
+
+
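Review bot: The patch description near the top of the new file names `revoke_security_group_ingress` twice and never mentions `authorize_security_group_ingress`, even though the third inserted `security_group_authorizer(context, security_group)` check and the new test `test_authorize_security_group_ingress_policy_not_allowed` show that method is covered; the sentence should read `The authorize_security_group_ingress, revoke_security_group_ingress, and`. As this is a vendored upstream patch the wording is best left as-is and noted in the ebuild commit instead, so reviewers do not assume a method was missed. For deployers it is worth recording that all three EC2 calls now gate on one policy target, `compute_extension:security_groups` (the key the new tests set through `common_policy.Rules`), so an existing rule for that key will govern the EC2 API as well — presumably the same target the OpenStack compute security-groups extension uses, which should be confirmed. Each check is inserted directly after `self.security_group_api.get(...)` in a `CloudController` method whose body starts and ends outside the quoted hunks, which is the ordering the `project_id:%(project_id)s` rule in the tests requires, since the rule reads the looked-up group's project.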
diff --git a/sys-cluster/nova/nova-2013.2.3.ebuild b/sys-cluster/nova/nova-2013.2.3-r1.ebuild
index 2571904f99ba..df210a182a5e 100644
--- a/sys-cluster/nova/nova-2013.2.3.ebuild
+++ b/sys-cluster/nova/nova-2013.2.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.3.ebuild,v 1.1 2014/04/06 06:32:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:12:49 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -72,6 +72,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
app-emulation/xen-tools )"
PATCHES=(
+ "${FILESDIR}/CVE-2014-0167-2013.2.3.patch"
)
pkg_setup() {