authorMatthew Thode <prometheanfire@gentoo.org>2014-06-15 04:31:29 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-06-15 04:31:29 +0000
commit7ae4076888f5c4d2e9342d8de672f98380b38b3b (patch)
treea2fca3468601ca8c206808cc10e092dd9db9d4f4 /sys-cluster
parentremoving the old badness (diff)
downloadgentoo-2-7ae4076888f5c4d2e9342d8de672f98380b38b3b.tar.gz
gentoo-2-7ae4076888f5c4d2e9342d8de672f98380b38b3b.tar.bz2
gentoo-2-7ae4076888f5c4d2e9342d8de672f98380b38b3b.zip
removing the old badness; fixes bug 512296 (CVE-2014-2573)
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster')
-rw-r--r--sys-cluster/nova/ChangeLog7
-rw-r--r--sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch145
-rw-r--r--sys-cluster/nova/nova-2013.2.3-r1.ebuild117
-rw-r--r--sys-cluster/nova/nova-2013.2.9999.ebuild117
4 files changed, 6 insertions, 380 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index 2fde51567564..34298843f9ca 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,11 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.65 2014/06/09 04:56:40 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.66 2014/06/15 04:31:28 prometheanfire Exp $
+
+ 15 Jun 2014; Matthew Thode <prometheanfire@gentoo.org>
+ -files/CVE-2014-0167-2013.2.3.patch, -nova-2013.2.3-r1.ebuild,
+ -nova-2013.2.9999.ebuild:
+ removing the old badness fixes bug 512296 CVE-2014-2573
09 Jun 2014; Matthew Thode <prometheanfire@gentoo.org>
+files/2014.1-CVE-2014-2573-1.patch, +files/2014.1-CVE-2014-2573-2.patch,
diff --git a/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch b/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch
deleted file mode 100644
index a29c9bde6439..000000000000
--- a/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 5a1adb94e77f7be4885e4d86087140b94421c963 Mon Sep 17 00:00:00 2001
-From: Andrew Laski <andrew.laski@rackspace.com>
-Date: Thu, 3 Apr 2014 16:37:36 -0400
-Subject: [PATCH] Add RBAC policy for ec2 API security groups calls
-
-The revoke_security_group_ingress, revoke_security_group_ingress, and
-delete_security_group calls in the ec2 API were not restricted by policy
-checks. This prevented a deployer from restricting their usage via
-roles or other checks. Checks have been added for these calls.
-
-Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
----
- nova/api/ec2/cloud.py | 10 +++++++++
- nova/tests/api/ec2/test_cloud.py | 44 ++++++++++++++++++++++++++++++++++++++
- 2 files changed, 54 insertions(+)
-
-diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
-index 94ff160..36c2f12 100644
---- a/nova/api/ec2/cloud.py
-+++ b/nova/api/ec2/cloud.py
-@@ -30,6 +30,7 @@ from oslo.config import cfg
- from nova.api.ec2 import ec2utils
- from nova.api.ec2 import inst_state
- from nova.api.metadata import password
-+from nova.api.openstack import extensions
- from nova.api import validator
- from nova import availability_zones
- from nova import block_device
-@@ -85,6 +86,9 @@ LOG = logging.getLogger(__name__)
-
- QUOTAS = quota.QUOTAS
-
-+security_group_authorizer = extensions.extension_authorizer('compute',
-+ 'security_groups')
-+
-
- def validate_ec2_id(val):
- if not validator.validate_str()(val):
-@@ -631,6 +635,8 @@ class CloudController(object):
- security_group = self.security_group_api.get(context, group_name,
- group_id)
-
-+ security_group_authorizer(context, security_group)
-+
- prevalues = kwargs.get('ip_permissions', [kwargs])
-
- rule_ids = []
-@@ -665,6 +671,8 @@ class CloudController(object):
- security_group = self.security_group_api.get(context, group_name,
- group_id)
-
-+ security_group_authorizer(context, security_group)
-+
- prevalues = kwargs.get('ip_permissions', [kwargs])
- postvalues = []
- for values in prevalues:
-@@ -737,6 +745,8 @@ class CloudController(object):
- security_group = self.security_group_api.get(context, group_name,
- group_id)
-
-+ security_group_authorizer(context, security_group)
-+
- self.security_group_api.destroy(context, security_group)
-
- return True
-diff --git a/nova/tests/api/ec2/test_cloud.py b/nova/tests/api/ec2/test_cloud.py
-index 269a738..b28d194 100644
---- a/nova/tests/api/ec2/test_cloud.py
-+++ b/nova/tests/api/ec2/test_cloud.py
-@@ -23,6 +23,7 @@ import copy
- import datetime
- import functools
- import iso8601
-+import mock
- import os
- import string
- import tempfile
-@@ -47,6 +48,7 @@ from nova.image import s3
- from nova.network import api as network_api
- from nova.network import neutronv2
- from nova.openstack.common import log as logging
-+from nova.openstack.common import policy as common_policy
- from nova.openstack.common import timeutils
- from nova import test
- from nova.tests.api.openstack.compute.contrib import (
-@@ -471,6 +473,34 @@ class CloudTestCase(test.TestCase):
- delete = self.cloud.delete_security_group
- self.assertRaises(exception.MissingParameter, delete, self.context)
-
-+ def test_delete_security_group_policy_not_allowed(self):
-+ rules = common_policy.Rules(
-+ {'compute_extension:security_groups':
-+ common_policy.parse_rule('project_id:%(project_id)s')})
-+ common_policy.set_rules(rules)
-+
-+ with mock.patch.object(self.cloud.security_group_api,
-+ 'get') as get:
-+ get.return_value = {'project_id': 'invalid'}
-+
-+ self.assertRaises(exception.PolicyNotAuthorized,
-+ self.cloud.delete_security_group, self.context,
-+ 'fake-name', 'fake-id')
-+
-+ def test_authorize_security_group_ingress_policy_not_allowed(self):
-+ rules = common_policy.Rules(
-+ {'compute_extension:security_groups':
-+ common_policy.parse_rule('project_id:%(project_id)s')})
-+ common_policy.set_rules(rules)
-+
-+ with mock.patch.object(self.cloud.security_group_api,
-+ 'get') as get:
-+ get.return_value = {'project_id': 'invalid'}
-+
-+ self.assertRaises(exception.PolicyNotAuthorized,
-+ self.cloud.authorize_security_group_ingress, self.context,
-+ 'fake-name', 'fake-id')
-+
- def test_authorize_security_group_ingress(self):
- kwargs = {'project_id': self.context.project_id, 'name': 'test'}
- sec = db.security_group_create(self.context, kwargs)
-@@ -575,6 +605,20 @@ class CloudTestCase(test.TestCase):
- db.security_group_destroy(self.context, sec2['id'])
- db.security_group_destroy(self.context, sec1['id'])
-
-+ def test_revoke_security_group_ingress_policy_not_allowed(self):
-+ rules = common_policy.Rules(
-+ {'compute_extension:security_groups':
-+ common_policy.parse_rule('project_id:%(project_id)s')})
-+ common_policy.set_rules(rules)
-+
-+ with mock.patch.object(self.cloud.security_group_api,
-+ 'get') as get:
-+ get.return_value = {'project_id': 'invalid'}
-+
-+ self.assertRaises(exception.PolicyNotAuthorized,
-+ self.cloud.revoke_security_group_ingress, self.context,
-+ 'fake-name', 'fake-id')
-+
- def test_revoke_security_group_ingress(self):
- kwargs = {'project_id': self.context.project_id, 'name': 'test'}
- sec = db.security_group_create(self.context, kwargs)
---
-1.7.9.5
-
-
diff --git a/sys-cluster/nova/nova-2013.2.3-r1.ebuild b/sys-cluster/nova/nova-2013.2.3-r1.ebuild
deleted file mode 100644
index df210a182a5e..000000000000
--- a/sys-cluster/nova/nova-2013.2.3-r1.ebuild
+++ /dev/null
@@ -1,117 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:12:49 prometheanfire Exp $
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 eutils multilib user
-
-DESCRIPTION="A cloud computing fabric controller (main part of an IaaS system) written in Python."
-HOMEPAGE="https://launchpad.net/nova"
-SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="+compute +kvm +network +novncproxy sqlite mysql postgres xen"
-REQUIRED_USE="|| ( mysql postgres sqlite )
- || ( kvm xen )"
-
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]
- app-admin/sudo"
-
-RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] )
- mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] )
- postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] )
- >=dev-python/amqplib-0.6.1[${PYTHON_USEDEP}]
- >=dev-python/anyjson-0.3.3[${PYTHON_USEDEP}]
- virtual/python-argparse[${PYTHON_USEDEP}]
- >=dev-python/boto-2.4.0[${PYTHON_USEDEP}]
- !~dev-python/boto-2.13.0[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
- dev-python/jinja[${PYTHON_USEDEP}]
- >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
- >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
- >=dev-python/routes-1.12.3-r1[${PYTHON_USEDEP}]
- >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
- <dev-python/webob-1.3[${PYTHON_USEDEP}]
- >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
- dev-python/paste[${PYTHON_USEDEP}]
- >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
- dev-python/netaddr[${PYTHON_USEDEP}]
- >=dev-python/suds-0.4[${PYTHON_USEDEP}]
- >=dev-python/paramiko-1.8.0[${PYTHON_USEDEP}]
- dev-python/pyasn1[${PYTHON_USEDEP}]
- >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.8[${PYTHON_USEDEP}]
- >=dev-python/python-cinderclient-1.0.5[${PYTHON_USEDEP}]
- >=dev-python/python-neutronclient-2.3.0[${PYTHON_USEDEP}]
- <=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}]
- >=dev-python/python-glanceclient-0.9.0[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/stevedore-0.10[${PYTHON_USEDEP}]
- >=dev-python/websockify-0.5.1[${PYTHON_USEDEP}]
- <dev-python/websockify-0.6[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- dev-python/libvirt-python[${PYTHON_USEDEP}]
- novncproxy? ( www-apps/novnc )
- sys-apps/iproute2
- net-misc/openvswitch
- net-misc/rabbitmq-server
- sys-fs/sysfsutils
- sys-fs/multipath-tools
- kvm? ( app-emulation/qemu )
- xen? ( app-emulation/xen
- app-emulation/xen-tools )"
-
-PATCHES=(
- "${FILESDIR}/CVE-2014-0167-2013.2.3.patch"
-)
-
-pkg_setup() {
- enewgroup nova
- enewuser nova -1 -1 /var/lib/nova nova
-}
-
-python_install() {
- distutils-r1_python_install
-
- for svc in api cert compute conductor consoleauth network scheduler spicehtml5proxy xvpvncproxy; do
- newinitd "${FILESDIR}/nova.initd" "nova-${svc}"
- done
- use compute && newinitd "${FILESDIR}/nova.initd" "nova-compute"
- use novncproxy && newinitd "${FILESDIR}/nova.initd" "nova-novncproxy"
-
- diropts -m 0750 -o nova -g nova
- dodir /var/log/nova /var/lib/nova/instances
-
- insinto /etc/nova
- insopts -m 0640 -o nova -g nova
- newins "etc/nova/nova.conf.sample" "nova.conf"
- doins "etc/nova/api-paste.ini"
- doins "etc/nova/logging_sample.conf"
- doins "etc/nova/policy.json"
- doins "etc/nova/rootwrap.conf"
- #rootwrap filters
- insinto /etc/nova/rootwrap.d
- doins "etc/nova/rootwrap.d/api-metadata.filters"
- doins "etc/nova/rootwrap.d/compute.filters"
- doins "etc/nova/rootwrap.d/network.filters"
- #copy migration conf file (not coppied on install via setup.py script)
- insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
- doins "nova/db/sqlalchemy/migrate_repo/migrate.cfg"
- #copy the CA cert dir (not coppied on install via setup.py script)
- cp -R "${S}/nova/CA" "${D}/usr/$(get_libdir)/python2.7/site-packages/nova/" || die "installing CA files failed"
-
- #add sudoers definitions for user nova
- insinto /etc/sudoers.d/
- insopts -m 0600 -o root -g root
- doins "${FILESDIR}/nova-sudoers"
-}
diff --git a/sys-cluster/nova/nova-2013.2.9999.ebuild b/sys-cluster/nova/nova-2013.2.9999.ebuild
deleted file mode 100644
index 71685f993c32..000000000000
--- a/sys-cluster/nova/nova-2013.2.9999.ebuild
+++ /dev/null
@@ -1,117 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.9999.ebuild,v 1.13 2014/04/06 06:32:19 prometheanfire Exp $
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 eutils git-2 multilib user
-
-DESCRIPTION="A cloud computing fabric controller (main part of an IaaS system) written in Python."
-HOMEPAGE="https://launchpad.net/nova"
-EGIT_REPO_URI="https://github.com/openstack/nova.git"
-EGIT_BRANCH="stable/havana"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS=""
-IUSE="+compute +kvm +network +novncproxy sqlite mysql postgres xen"
-REQUIRED_USE="|| ( mysql postgres sqlite )
- compute? ( || ( kvm xen ) )"
-
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]
- app-admin/sudo"
-
-RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] )
- mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] )
- postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] )
- >=dev-python/amqplib-0.6.1[${PYTHON_USEDEP}]
- >=dev-python/anyjson-0.3.3[${PYTHON_USEDEP}]
- virtual/python-argparse[${PYTHON_USEDEP}]
- >=dev-python/boto-2.4.0[${PYTHON_USEDEP}]
- !~dev-python/boto-2.13.0[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
- dev-python/jinja[${PYTHON_USEDEP}]
- >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
- >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
- >=dev-python/routes-1.12.3-r1[${PYTHON_USEDEP}]
- >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
- <dev-python/webob-1.3[${PYTHON_USEDEP}]
- >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
- dev-python/paste[${PYTHON_USEDEP}]
- >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
- dev-python/netaddr[${PYTHON_USEDEP}]
- >=dev-python/suds-0.4[${PYTHON_USEDEP}]
- >=dev-python/paramiko-1.8.0[${PYTHON_USEDEP}]
- dev-python/pyasn1[${PYTHON_USEDEP}]
- >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.8[${PYTHON_USEDEP}]
- >=dev-python/python-cinderclient-1.0.5[${PYTHON_USEDEP}]
- >=dev-python/python-neutronclient-2.3.0[${PYTHON_USEDEP}]
- <=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}]
- >=dev-python/python-glanceclient-0.9.0[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/stevedore-0.10[${PYTHON_USEDEP}]
- >=dev-python/websockify-0.5.1[${PYTHON_USEDEP}]
- <dev-python/websockify-0.6[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- dev-python/libvirt-python[${PYTHON_USEDEP}]
- novncproxy? ( www-apps/novnc )
- sys-apps/iproute2
- net-misc/openvswitch
- net-misc/rabbitmq-server
- sys-fs/sysfsutils
- sys-fs/multipath-tools
- kvm? ( app-emulation/qemu )
- xen? ( app-emulation/xen
- app-emulation/xen-tools )"
-
-PATCHES=(
-)
-
-pkg_setup() {
- enewgroup nova
- enewuser nova -1 -1 /var/lib/nova nova
-}
-
-python_install() {
- distutils-r1_python_install
-
- for svc in api cert compute conductor consoleauth network scheduler spicehtml5proxy xvpvncproxy; do
- newinitd "${FILESDIR}/nova.initd" "nova-${svc}"
- done
- use compute && newinitd "${FILESDIR}/nova.initd" "nova-compute"
- use novncproxy && newinitd "${FILESDIR}/nova.initd" "nova-novncproxy"
-
- diropts -m 0750 -o nova -g nova
- dodir /var/log/nova /var/lib/nova/instances
-
- insinto /etc/nova
- insopts -m 0640 -o nova -g nova
- newins "etc/nova/nova.conf.sample" "nova.conf"
- doins "etc/nova/api-paste.ini"
- doins "etc/nova/logging_sample.conf"
- doins "etc/nova/policy.json"
- doins "etc/nova/rootwrap.conf"
- #rootwrap filters
- insinto /etc/nova/rootwrap.d
- doins "etc/nova/rootwrap.d/api-metadata.filters"
- doins "etc/nova/rootwrap.d/compute.filters"
- doins "etc/nova/rootwrap.d/network.filters"
- #copy migration conf file (not coppied on install via setup.py script)
- insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
- doins "nova/db/sqlalchemy/migrate_repo/migrate.cfg"
- #copy the CA cert dir (not coppied on install via setup.py script)
- cp -R "${S}/nova/CA" "${D}/usr/$(get_libdir)/python2.7/site-packages/nova/" || die "installing CA files failed"
-
- #add sudoers definitions for user nova
- insinto /etc/sudoers.d/
- insopts -m 0600 -o root -g root
- doins "${FILESDIR}/nova-sudoers"
-}