authorMatthew Thode <prometheanfire@gentoo.org>2014-04-11 15:12:49 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-04-11 15:12:49 +0000
commit9877a951ce95729db92b9f984bf011151b48bf95 (patch)
tree53f700d6ff86b78597308e6957c396e50723a186 /sys-cluster/nova
parentOptionalize dev-libs/keybinder with USE="keybinder" (diff)
fix for CVE-2014-0167
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster/nova')
-rw-r--r--sys-cluster/nova/ChangeLog9
-rw-r--r--sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch145
-rw-r--r--sys-cluster/nova/nova-2013.2.3-r1.ebuild (renamed from sys-cluster/nova/nova-2013.2.3.ebuild)3
3 files changed, 155 insertions, 2 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index fc37b78f545e..7999d793aded 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.58 2014/04/06 06:32:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.59 2014/04/11 15:12:49 prometheanfire Exp $
+
+*nova-2013.2.3-r1 (11 Apr 2014)
+
+ 11 Apr 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2014-0167-2013.2.3.patch, +nova-2013.2.3-r1.ebuild,
+ -nova-2013.2.3.ebuild:
+ fix for CVE-2014-0167
*nova-2013.2.3 (06 Apr 2014)
diff --git a/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch b/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch
new file mode 100644
index 000000000000..a29c9bde6439
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch
@@ -0,0 +1,145 @@
+From 5a1adb94e77f7be4885e4d86087140b94421c963 Mon Sep 17 00:00:00 2001
+From: Andrew Laski <andrew.laski@rackspace.com>
+Date: Thu, 3 Apr 2014 16:37:36 -0400
+Subject: [PATCH] Add RBAC policy for ec2 API security groups calls
+
+The revoke_security_group_ingress, revoke_security_group_ingress, and
+delete_security_group calls in the ec2 API were not restricted by policy
+checks. This prevented a deployer from restricting their usage via
+roles or other checks. Checks have been added for these calls.
+
+Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
+---
+ nova/api/ec2/cloud.py | 10 +++++++++
+ nova/tests/api/ec2/test_cloud.py | 44 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
+index 94ff160..36c2f12 100644
+--- a/nova/api/ec2/cloud.py
++++ b/nova/api/ec2/cloud.py
+@@ -30,6 +30,7 @@ from oslo.config import cfg
+ from nova.api.ec2 import ec2utils
+ from nova.api.ec2 import inst_state
+ from nova.api.metadata import password
++from nova.api.openstack import extensions
+ from nova.api import validator
+ from nova import availability_zones
+ from nova import block_device
+@@ -85,6 +86,9 @@ LOG = logging.getLogger(__name__)
+
+ QUOTAS = quota.QUOTAS
+
++security_group_authorizer = extensions.extension_authorizer('compute',
++ 'security_groups')
++
+
+ def validate_ec2_id(val):
+ if not validator.validate_str()(val):
+@@ -631,6 +635,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+
++ security_group_authorizer(context, security_group)
++
+ prevalues = kwargs.get('ip_permissions', [kwargs])
+
+ rule_ids = []
+@@ -665,6 +671,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+
++ security_group_authorizer(context, security_group)
++
+ prevalues = kwargs.get('ip_permissions', [kwargs])
+ postvalues = []
+ for values in prevalues:
+@@ -737,6 +745,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+
++ security_group_authorizer(context, security_group)
++
+ self.security_group_api.destroy(context, security_group)
+
+ return True
+diff --git a/nova/tests/api/ec2/test_cloud.py b/nova/tests/api/ec2/test_cloud.py
+index 269a738..b28d194 100644
+--- a/nova/tests/api/ec2/test_cloud.py
++++ b/nova/tests/api/ec2/test_cloud.py
+@@ -23,6 +23,7 @@ import copy
+ import datetime
+ import functools
+ import iso8601
++import mock
+ import os
+ import string
+ import tempfile
+@@ -47,6 +48,7 @@ from nova.image import s3
+ from nova.network import api as network_api
+ from nova.network import neutronv2
+ from nova.openstack.common import log as logging
++from nova.openstack.common import policy as common_policy
+ from nova.openstack.common import timeutils
+ from nova import test
+ from nova.tests.api.openstack.compute.contrib import (
+@@ -471,6 +473,34 @@ class CloudTestCase(test.TestCase):
+ delete = self.cloud.delete_security_group
+ self.assertRaises(exception.MissingParameter, delete, self.context)
+
++ def test_delete_security_group_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.delete_security_group, self.context,
++ 'fake-name', 'fake-id')
++
++ def test_authorize_security_group_ingress_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.authorize_security_group_ingress, self.context,
++ 'fake-name', 'fake-id')
++
+ def test_authorize_security_group_ingress(self):
+ kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+ sec = db.security_group_create(self.context, kwargs)
+@@ -575,6 +605,20 @@ class CloudTestCase(test.TestCase):
+ db.security_group_destroy(self.context, sec2['id'])
+ db.security_group_destroy(self.context, sec1['id'])
+
++ def test_revoke_security_group_ingress_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.revoke_security_group_ingress, self.context,
++ 'fake-name', 'fake-id')
++
+ def test_revoke_security_group_ingress(self):
+ kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+ sec = db.security_group_create(self.context, kwargs)
+--
+1.7.9.5
+
+
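Review bot: The description carried inside the added patch file lists `revoke_security_group_ingress` twice and never names `authorize_security_group_ingress`, although the first `security_group_authorizer(context, security_group)` insertion and `test_authorize_security_group_ingress_policy_not_allowed` clearly cover the authorize call; since this is upstream text kept verbatim, the correction belongs on the Gentoo side, e.g. a ChangeLog line `fix for CVE-2014-0167: policy checks for authorize/revoke_security_group_ingress and delete_security_group`. Deployers should also know that the authorizer is built with `extensions.extension_authorizer('compute', 'security_groups')`, so the EC2 calls are now gated by the same `compute_extension:security_groups` rule the tests set, and any policy.json tightening of that rule for the nova-api extension presumably applies to the EC2 API after this revision. In all three insertions the check runs only after `self.security_group_api.get(context, group_name, group_id)` has returned, which is what lets the rule see the target's `project_id`, but it also means an unauthorized caller is answered by the lookup's own error for a nonexistent group before any PolicyNotAuthorized is raised — worth keeping in mind when reading API logs for this path. The enclosing methods start and end outside the hunk.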
diff --git a/sys-cluster/nova/nova-2013.2.3.ebuild b/sys-cluster/nova/nova-2013.2.3-r1.ebuild
index 2571904f99ba..df210a182a5e 100644
--- a/sys-cluster/nova/nova-2013.2.3.ebuild
+++ b/sys-cluster/nova/nova-2013.2.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.3.ebuild,v 1.1 2014/04/06 06:32:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:12:49 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -72,6 +72,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
app-emulation/xen-tools )"
PATCHES=(
+ "${FILESDIR}/CVE-2014-0167-2013.2.3.patch"
)
pkg_setup() {
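Review bot: The new `PATCHES` entry carries no hint of what it fixes or where it comes from; ebuild convention is a one-line comment above it, e.g. `# CVE-2014-0167: ec2 security group calls lacked policy checks (upstream 5a1adb94e77f7be4885e4d86087140b94421c963)`, so the next version bump can tell whether the release tarball already contains the fix before the file is carried forward. pkg_setup() continues outside the hunk.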