authorIan Delaney <idella4@gentoo.org>2013-11-07 00:46:42 +0000
committerIan Delaney <idella4@gentoo.org>2013-11-07 00:46:42 +0000
commitea765d687090c0f661f9ae558227fb2b30e8b199 (patch)
tree65b31b2342540a521ff5da247f5cb42268497cc0 /app-emulation
parentRaise max kernel version for 173*. (diff)
revbumps; add security patches XSA-68-70/72, remove old ebuilds
(Portage version: 2.2.0/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'app-emulation')
-rw-r--r--app-emulation/xen-tools/ChangeLog14
-rw-r--r--app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4369-XSA-68.patch69
-rw-r--r--app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4370-XSA-69.patch34
-rw-r--r--app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4371-XSA-70.patch34
-rw-r--r--app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4416-XSA-72.patch74
-rw-r--r--app-emulation/xen-tools/xen-tools-4.2.2-r5.ebuild (renamed from app-emulation/xen-tools/xen-tools-4.2.2-r4.ebuild)8
-rw-r--r--app-emulation/xen-tools/xen-tools-4.3.0-r3.ebuild (renamed from app-emulation/xen-tools/xen-tools-4.3.0-r2.ebuild)8
7 files changed, 236 insertions, 5 deletions
diff --git a/app-emulation/xen-tools/ChangeLog b/app-emulation/xen-tools/ChangeLog
index 7f92e62848b3..0dbc59e7589d 100644
--- a/app-emulation/xen-tools/ChangeLog
+++ b/app-emulation/xen-tools/ChangeLog
@@ -1,6 +1,18 @@
# ChangeLog for app-emulation/xen-tools
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/ChangeLog,v 1.198 2013/11/04 16:12:31 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/ChangeLog,v 1.199 2013/11/07 00:46:42 idella4 Exp $
+
+*xen-tools-4.3.0-r3 (07 Nov 2013)
+*xen-tools-4.2.2-r5 (07 Nov 2013)
+
+ 07 Nov 2013; Ian Delaney <idella4@gentoo.org>
+ +files/xen-tools-4-CVE-2013-4369-XSA-68.patch,
+ +files/xen-tools-4-CVE-2013-4370-XSA-69.patch,
+ +files/xen-tools-4-CVE-2013-4371-XSA-70.patch,
+ +files/xen-tools-4-CVE-2013-4416-XSA-72.patch, +xen-tools-4.2.2-r5.ebuild,
+ +xen-tools-4.3.0-r3.ebuild, -xen-tools-4.2.2-r4.ebuild,
+ -xen-tools-4.3.0-r2.ebuild:
+ revbumps; add security patches XSA-68-70/72, remove old ebuilds
*xen-tools-4.3.0-r2 (04 Nov 2013)
diff --git a/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4369-XSA-68.patch b/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4369-XSA-68.patch
new file mode 100644
index 000000000000..cad655be258e
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4369-XSA-68.patch
@@ -0,0 +1,69 @@
+libxl: fix vif rate parsing
+
+strtok can return NULL here. We don't need to use strtok anyway, so just
+use a simple strchr method.
+
+Coverity-ID: 1055642
+
+This is CVE-2013-4369 / XSA-68
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+
+Fix type. Add test case
+
+Signed-off-by: Ian Campbell <Ian.campbell@citrix.com>
+
+diff --git a/tools/libxl/check-xl-vif-parse b/tools/libxl/check-xl-vif-parse
+index 0473182..02c6dba 100755
+--- a/tools/libxl/check-xl-vif-parse
++++ b/tools/libxl/check-xl-vif-parse
+@@ -206,4 +206,8 @@ expected </dev/null
+ one $e rate=4294967295GB/s@5us
+ one $e rate=4296MB/s@4294s
+
++# test include of single '@'
++expected </dev/null
++one $e rate=@
++
+ complete
+diff --git a/tools/libxl/libxlu_vif.c b/tools/libxl/libxlu_vif.c
+index 3b3de0f..0665e62 100644
+--- a/tools/libxl/libxlu_vif.c
++++ b/tools/libxl/libxlu_vif.c
+@@ -95,23 +95,30 @@ int xlu_vif_parse_rate(XLU_Config *cfg, const char *rate, libxl_device_nic *nic)
+ uint64_t bytes_per_sec = 0;
+ uint64_t bytes_per_interval = 0;
+ uint32_t interval_usecs = 50000UL; /* Default to 50ms */
+- char *ratetok, *tmprate;
++ char *p, *tmprate;
+ int rc = 0;
+
+ tmprate = strdup(rate);
++ if (tmprate == NULL) {
++ rc = ENOMEM;
++ goto out;
++ }
++
++ p = strchr(tmprate, '@');
++ if (p != NULL)
++ *p++ = 0;
++
+ if (!strcmp(tmprate,"")) {
+ xlu__vif_err(cfg, "no rate specified", rate);
+ rc = EINVAL;
+ goto out;
+ }
+
+- ratetok = strtok(tmprate, "@");
+- rc = vif_parse_rate_bytes_per_sec(cfg, ratetok, &bytes_per_sec);
++ rc = vif_parse_rate_bytes_per_sec(cfg, tmprate, &bytes_per_sec);
+ if (rc) goto out;
+
+- ratetok = strtok(NULL, "@");
+- if (ratetok != NULL) {
+- rc = vif_parse_rate_interval_usecs(cfg, ratetok, &interval_usecs);
++ if (p != NULL) {
++ rc = vif_parse_rate_interval_usecs(cfg, p, &interval_usecs);
+ if (rc) goto out;
+ }
+
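Review bot: A rate string that ends in a bare '@' (a rate followed by an empty interval) now reaches `vif_parse_rate_interval_usecs` with an empty string, because the guard `if (p != NULL)` in the libxlu_vif.c hunk only checks that a separator was found. With the old `strtok` code the second token would have been NULL in that case, so the 50ms default was kept. Whether the interval parser rejects an empty string cleanly cannot be seen from this hunk. Either restore the old behaviour with `if (p != NULL && *p != '\0') {` or reject it explicitly with `EINVAL`, and add a check-xl-vif-parse case for the trailing-'@' form next to the new `rate=@` one. The body of `xlu_vif_parse_rate`, including the `out` label that the new `ENOMEM` path jumps to, continues outside the hunk.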
diff --git a/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4370-XSA-69.patch b/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4370-XSA-69.patch
new file mode 100644
index 000000000000..ede124b2258f
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4370-XSA-69.patch
@@ -0,0 +1,34 @@
+From 067c122873c67bd1d9620f8340f9c9c209135388 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattjd@gmail.com>
+Date: Tue, 10 Sep 2013 23:12:45 +1200
+Subject: [PATCH] tools/ocaml: fix erroneous free of cpumap in
+ stub_xc_vcpu_getaffinity
+
+Not sure how it got there...
+
+Coverity-ID: 1056196
+
+This is CVE-2013-4370 / XSA-69
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/ocaml/libs/xc/xenctrl_stubs.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
+index df756ad..f5cf0ed 100644
+--- a/tools/ocaml/libs/xc/xenctrl_stubs.c
++++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
+@@ -461,8 +461,6 @@ CAMLprim value stub_xc_vcpu_getaffinity(value xch, value domid,
+
+ retval = xc_vcpu_getaffinity(_H(xch), _D(domid),
+ Int_val(vcpu), c_cpumap);
+- free(c_cpumap);
+-
+ if (retval < 0) {
+ free(c_cpumap);
+ failwith_xc(_H(xch));
+--
+1.7.10.4
+
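Review bot: The patch description ("Not sure how it got there...") does not record what the stray `free(c_cpumap)` broke, which makes the security impact hard to judge later. From the visible lines, the `retval < 0` branch freed `c_cpumap` a second time, and any read of `c_cpumap` after the call on the success path (outside this hunk, so inferred) would have touched freed memory. A description line such as `c_cpumap was freed immediately after xc_vcpu_getaffinity(), so the error path freed it twice and later reads used freed memory` would capture that. It is also worth confirming that the success path still releases `c_cpumap` once its contents have been copied out, since that code is not shown here.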
diff --git a/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4371-XSA-70.patch b/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4371-XSA-70.patch
new file mode 100644
index 000000000000..f19dd96ed966
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4371-XSA-70.patch
@@ -0,0 +1,34 @@
+From 94db3e1cb356a0d2de1753888ceb0eb767404ec4 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattjd@gmail.com>
+Date: Tue, 10 Sep 2013 22:18:46 +1200
+Subject: [PATCH] libxl: fix out-of-memory error handling in
+ libxl_list_cpupool
+
+...otherwise it will return freed memory. All the current users of this
+function check already for a NULL return, so use that.
+
+Coverity-ID: 1056194
+
+This is CVE-2013-4371 / XSA-70
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/libxl/libxl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
+index 0879f23..17653ef 100644
+--- a/tools/libxl/libxl.c
++++ b/tools/libxl/libxl.c
+@@ -651,6 +651,7 @@ libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool_out)
+ if (!tmp) {
+ LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
+ libxl_cpupoolinfo_list_free(ptr, i);
++ ptr = NULL;
+ goto out;
+ }
+ ptr = tmp;
+--
+1.7.10.4
+
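Review bot: The new `ptr = NULL;` makes the allocation-failure path return NULL, but nothing in the hunk resets the element count `i` that was just passed to `libxl_cpupoolinfo_list_free(ptr, i)`. If the `out` label (outside this hunk) stores `i` through `nb_pool_out`, a caller would receive a NULL list with a non-zero count. The description says current callers check for NULL, so this is a robustness point rather than a live bug. Consider adding `i = 0;` next to `ptr = NULL;`, or a comment on the function stating that `*nb_pool_out` is meaningful only when the return value is non-NULL.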
diff --git a/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4416-XSA-72.patch b/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4416-XSA-72.patch
new file mode 100644
index 000000000000..f170b4e505b4
--- /dev/null
+++ b/app-emulation/xen-tools/files/xen-tools-4-CVE-2013-4416-XSA-72.patch
@@ -0,0 +1,74 @@
+tools: xenstored: if the reply is too big then send E2BIG error
+
+This fixes the issue for both C and ocaml xenstored, however only the ocaml
+xenstored is vulnerable in its default configuration.
+
+Adding a new error appears to be safe, since bit libxenstore and the Linux
+driver at least treat an unknown error code as EINVAL.
+
+This is XSA-72
+
+Original ocaml patch by Jerome Maloberti <jerome.maloberti@citrix.com>
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Signed-off-by: Thomas Sanders <thomas.sanders@citrix.com>
+
+diff --git a/tools/ocaml/xenstored/connection.ml b/tools/ocaml/xenstored/connection.ml
+index 273fe4d..47695f8 100644
+--- a/tools/ocaml/xenstored/connection.ml
++++ b/tools/ocaml/xenstored/connection.ml
+@@ -18,6 +18,8 @@ exception End_of_file
+
+ open Stdext
+
++let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
++
+ type watch = {
+ con: t;
+ token: string;
+@@ -112,8 +114,15 @@ let restrict con domid =
+ let set_target con target_domid =
+ con.perm <- Perms.Connection.set_target (get_perm con) ~perms:[Perms.READ; Perms.WRITE] target_domid
+
++let is_backend_mmap con = match con.xb.Xenbus.Xb.backend with
++ | Xenbus.Xb.Xenmmap _ -> true
++ | _ -> false
++
+ let send_reply con tid rid ty data =
+- Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
++ if (String.length data) > xenstore_payload_max && (is_backend_mmap con) then
++ Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid Xenbus.Xb.Op.Error "E2BIG\000")
++ else
++ Xenbus.Xb.queue con.xb (Xenbus.Xb.Packet.create tid rid ty data)
+
+ let send_error con tid rid err = send_reply con tid rid Xenbus.Xb.Op.Error (err ^ "\000")
+ let send_ack con tid rid ty = send_reply con tid rid ty "OK\000"
+diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
+index 0f8ba64..ccfdaa3 100644
+--- a/tools/xenstore/xenstored_core.c
++++ b/tools/xenstore/xenstored_core.c
+@@ -629,6 +629,11 @@ void send_reply(struct connection *conn, enum xsd_sockmsg_type type,
+ {
+ struct buffered_data *bdata;
+
++ if ( len > XENSTORE_PAYLOAD_MAX ) {
++ send_error(conn, E2BIG);
++ return;
++ }
++
+ /* Message is a child of the connection context for auto-cleanup. */
+ bdata = new_buffer(conn);
+ bdata->buffer = talloc_array(bdata, char, len);
+diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wire.h
+index 99d24e3..585f0c8 100644
+--- a/xen/include/public/io/xs_wire.h
++++ b/xen/include/public/io/xs_wire.h
+@@ -83,7 +83,8 @@ __attribute__((unused))
+ XSD_ERROR(EROFS),
+ XSD_ERROR(EBUSY),
+ XSD_ERROR(EAGAIN),
+- XSD_ERROR(EISCONN)
++ XSD_ERROR(EISCONN),
++ XSD_ERROR(E2BIG)
+ };
+ #endif
+
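Review bot: The two daemons enforce the limit differently and neither hunk says why. The OCaml `send_reply` substitutes the `E2BIG` error only when `is_backend_mmap con` is true, while the C `send_reply` in xenstored_core.c rejects every `len > XENSTORE_PAYLOAD_MAX` regardless of connection type. A comment above `is_backend_mmap` would stop a later reader from "fixing" the asymmetry, for example `(* Only ring-backed (Xenmmap) connections are capped; socket connections are assumed to tolerate larger replies - confirm *)`. The OCaml constant `xenstore_payload_max = 4096` is tied to xs_wire.h only by a comment, so the two can drift apart if the header value changes. In the C hunk, `send_error` presumably re-enters `send_reply` with a short error string and so passes the new check, but that function is outside the hunk and should be confirmed.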
diff --git a/app-emulation/xen-tools/xen-tools-4.2.2-r4.ebuild b/app-emulation/xen-tools/xen-tools-4.2.2-r5.ebuild
index 3824166adf3c..9fb25769b771 100644
--- a/app-emulation/xen-tools/xen-tools-4.2.2-r4.ebuild
+++ b/app-emulation/xen-tools/xen-tools-4.2.2-r5.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.2-r4.ebuild,v 1.8 2013/11/04 12:58:47 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.2.2-r5.ebuild,v 1.1 2013/11/07 00:46:42 idella4 Exp $
EAPI=5
@@ -224,7 +224,11 @@ src_prepare() {
"${FILESDIR}"/xen-4.2-CVE-2013-18to19-XSA-55.patch \
"${FILESDIR}"/xen-4.2-CVE-2013-20to23-XSA-55.patch \
"${FILESDIR}"/xen-4-CVE-2013-2072-XSA-56.patch \
- "${FILESDIR}"/xen-4.2-CVE-XSA-57.patch
+ "${FILESDIR}"/xen-4.2-CVE-XSA-57.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-4369-XSA-68.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-4370-XSA-69.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-4371-XSA-70.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-4416-XSA-72.patch
# Bug 472438
sed -e 's:^BASH_COMPLETION_DIR ?= $(CONFIG_DIR)/bash_completion.d:BASH_COMPLETION_DIR ?= $(SHARE_DIR)/bash-completion:' \
diff --git a/app-emulation/xen-tools/xen-tools-4.3.0-r2.ebuild b/app-emulation/xen-tools/xen-tools-4.3.0-r3.ebuild
index b6984bed7560..777ffe32dd0d 100644
--- a/app-emulation/xen-tools/xen-tools-4.3.0-r2.ebuild
+++ b/app-emulation/xen-tools/xen-tools-4.3.0-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.3.0-r2.ebuild,v 1.1 2013/11/04 16:12:31 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen-tools/xen-tools-4.3.0-r3.ebuild,v 1.1 2013/11/07 00:46:42 idella4 Exp $
EAPI=5
@@ -205,7 +205,11 @@ src_prepare() {
#Security patches, currently valid
epatch "${FILESDIR}"/xen-4-CVE-2012-6075-XSA-41.patch \
- "${FILESDIR}"/xen-4-CVE-2013-1922-XSA-48.patch
+ "${FILESDIR}"/xen-4-CVE-2013-1922-XSA-48.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-4369-XSA-68.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-4370-XSA-69.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-4371-XSA-70.patch \
+ "${FILESDIR}"/${PN}-4-CVE-2013-4416-XSA-72.patch
# Bug 472438
sed -e 's:^BASH_COMPLETION_DIR ?= $(CONFIG_DIR)/bash_completion.d:BASH_COMPLETION_DIR ?= $(SHARE_DIR)/bash-completion:' \