author | Matthew Thode <prometheanfire@gentoo.org> | 2015-07-02 05:43:05 +0000 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2015-07-02 05:43:05 +0000 |
commit | b8e2168938aefd28fc141d2227e877aa179c0e47 (patch) | |
tree | 24ad8856db44c9f6140b666a5763f7e1986e48aa /sys-cluster/neutron | |
parent | Version bump. (diff) | |
fixing CVE-2015-3221 no badness remaining
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x33ED3FD25AFC78BA)
Diffstat (limited to 'sys-cluster/neutron')
-rw-r--r-- | sys-cluster/neutron/ChangeLog | 12 | ||||
-rw-r--r-- | sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild | 151 | ||||
-rw-r--r-- | sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch | 127 | ||||
-rw-r--r-- | sys-cluster/neutron/neutron-2014.2.3-r1.ebuild (renamed from sys-cluster/neutron/neutron-2014.2.3.ebuild) | 3 | ||||
-rw-r--r-- | sys-cluster/neutron/neutron-2015.1.0-r2.ebuild (renamed from sys-cluster/neutron/neutron-2015.1.0-r1.ebuild) | 3 |
5 files changed, 293 insertions, 3 deletions
diff --git a/sys-cluster/neutron/ChangeLog b/sys-cluster/neutron/ChangeLog
index a06d9a4a01fc..a04b6b542d15 100644
--- a/sys-cluster/neutron/ChangeLog
+++ b/sys-cluster/neutron/ChangeLog
@@ -1,6 +1,16 @@
 # ChangeLog for sys-cluster/neutron
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.64 2015/05/17 23:25:00 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.65 2015/07/02 05:43:05 prometheanfire Exp $
+
+*neutron-2014.2.3-r1 (02 Jul 2015)
+*neutron-2015.1.0-r2 (02 Jul 2015)
+*cve-2015-3221_2014.2.3 (02 Jul 2015)
+
+ 02 Jul 2015; Matthew Thode <prometheanfire@gentoo.org>
+ +files/cve-2015-3221_2014.2.3.ebuild, +files/cve-2015-3221_2015.1.0.patch,
+ +neutron-2014.2.3-r1.ebuild, +neutron-2015.1.0-r2.ebuild,
+ -neutron-2014.2.3.ebuild, -neutron-2015.1.0-r1.ebuild:
+ fixing CVE-2015-3221 no badness remaining
 *neutron-2015.1.0-r1 (17 May 2015)
diff --git a/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild b/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild
new file mode 100644
index 000000000000..18cf37d92d40
--- /dev/null
+++ b/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild 
@@ -0,0 +1,151 @@ +From ac8fb28a920c7a6284d41f7cce054ea1b2e73cb1 Mon Sep 17 00:00:00 2001 +From: Aaron Rosen <aaronorosen@gmail.com> +Date: Thu, 11 Jun 2015 13:58:16 -0700 +Subject: [PATCH] Disable allowed_address_pair ip 0.0.0.0/0 ::/0 for ipset + +Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if +these addresses were inputted as allowed address pairs. This causes +ipset to raise an error as it does not work with zero prefix sizes. +To solve this problem we use two ipset rules to represent this. + +This was correctly fixed in a backport to kilo though we did not have the +cycles to backport this exact fix to juno as in juno additional work needs to +be done because the iptable and ipset code are interleaved together. This +patch fixes this issue by disabling one from creating an address pair of +zero lenght. This patch also provides a small tool which one should run: +tools/fix_zero_length_ip_prefix.py which changes all zero length address_pair +rules into two address pair rules of: + +Ipv4: 0.0.0.0/1 and 128.0.0.1/1 +IPv6: ::/1' and '8000::/1 + +to avoid the problem. +After this patch is merged into juno it will be easier for us to apply +a better change to allow /0 addresses again in juno. + +Closes-bug: 1461054 +Co-Authored-by: Darragh O'Reilly <darragh.oreilly@hp.com> +--- + neutron/extensions/allowedaddresspairs.py | 9 +++- + .../unit/test_extension_allowedaddresspairs.py | 5 ++ + tools/fix_zero_length_ip_prefix.py | 59 ++++++++++++++++++++++ + 3 files changed, 72 insertions(+), 1 deletion(-) + create mode 100755 tools/fix_zero_length_ip_prefix.py + +diff --git a/neutron/extensions/allowedaddresspairs.py b/neutron/extensions/allowedaddresspairs.py +index 6588d5f..a773a17 100644 +--- a/neutron/extensions/allowedaddresspairs.py ++++ b/neutron/extensions/allowedaddresspairs.py +@@ -12,6 +12,7 @@ + # License for the specific language governing permissions and limitations + # under the License. 
+
++import netaddr
+ import webob.exc
+
+ from neutron.api.v2 import attributes as attr
+@@ -46,6 +47,10 @@ class AllowedAddressPairExhausted(nexception.BadRequest):
+ "exceeds the maximum %(quota)s.")
+
+
++class AllowedAddressPairsZeroPrefixNotAllowed(nexception.InvalidInput):
++ message = _("AllowedAddressPair CIDR cannot have prefix length zero")
++
++
+ def _validate_allowed_address_pairs(address_pairs, valid_values=None):
+ unique_check = {}
+ if len(address_pairs) > cfg.CONF.max_allowed_address_pair:
+@@ -77,7 +82,9 @@ def _validate_allowed_address_pairs(address_pairs, valid_values=None):
+ set(['mac_address', 'ip_address'])))
+ raise webob.exc.HTTPBadRequest(msg)
+
+- if '/' in ip_address:
++ if (netaddr.IPNetwork(ip_address).prefixlen == 0):
++ raise AllowedAddressPairsZeroPrefixNotAllowed()
++ elif '/' in ip_address:
+ msg = attr._validate_subnet(ip_address)
+ else:
+ msg = attr._validate_ip_address(ip_address)
+diff --git a/neutron/tests/unit/test_extension_allowedaddresspairs.py b/neutron/tests/unit/test_extension_allowedaddresspairs.py
+index bcaa11b..f15c402 100644
+--- a/neutron/tests/unit/test_extension_allowedaddresspairs.py
++++ b/neutron/tests/unit/test_extension_allowedaddresspairs.py
+@@ -140,6 +140,11 @@ class TestAllowedAddressPairs(AllowedAddressPairDBTestCase):
+ self.deserialize(self.fmt, res)
+ self.assertEqual(res.status_int, 409)
+
++ def test_create_port_zero_prefix_ip(self):
++ address_pairs = [{'mac_address': 'invalid_mac',
++ 'ip_address': '0.0.0.0/0'}]
++ self._create_port_with_address_pairs(address_pairs, 400)
++
+ def test_create_port_bad_mac(self):
+ address_pairs = [{'mac_address': 'invalid_mac',
+ 'ip_address': '10.0.0.1'}]
+diff --git a/tools/fix_zero_length_ip_prefix.py b/tools/fix_zero_length_ip_prefix.py
+new file mode 100755
+index 0000000..dbbafb5
+--- /dev/null
++++ b/tools/fix_zero_length_ip_prefix.py
+@@ -0,0 +1,59 @@
++"""
++This script is needed to convert addresses that are zero prefix to be two
++address of one 
prefix to avoid a bug that exists in juno where the ipset
++manager isn't able to handle zero prefix lenght addresses.
++"""
++
++import os
++import sys
++
++import netaddr
++from neutronclient.v2_0 import client
++
++
++def main():
++ try:
++ username = os.environ['OS_USERNAME']
++ tenant_name = os.environ['OS_TENANT_NAME']
++ password = os.environ['OS_PASSWORD']
++ auth_url = os.environ['OS_AUTH_URL']
++ except KeyError:
++ print("You need to source your openstack creds file first!")
++ sys.exit(1)
++
++ neutron = client.Client(username=username,
++ tenant_name=tenant_name,
++ password=password,
++ auth_url=auth_url)
++
++ ports = neutron.list_ports()
++ for port in ports['ports']:
++ new_address_pairs = []
++ needs_update = False
++ allowed_address_pairs = port.get('allowed_address_pairs')
++ if allowed_address_pairs:
++ for address_pair in allowed_address_pairs:
++ ip = address_pair['ip_address']
++ mac = address_pair['mac_address']
++ if(netaddr.IPNetwork(ip).prefixlen == 0):
++ needs_update = True
++ if(netaddr.IPNetwork(ip).version == 4):
++ new_address_pairs.append({'ip_address': '0.0.0.0/1',
++ 'mac_address': mac})
++ new_address_pairs.append({'ip_address': '128.0.0.0/1',
++ 'mac_address': mac})
++ elif(netaddr.IPNetwork(ip).version == 6):
++ new_address_pairs.append({'ip_address': '::/1',
++ 'mac_address': mac})
++ new_address_pairs.append({'ip_address': '8000::/1',
++ 'mac_address': mac})
++ else:
++ new_address_pairs.append(address_pair)
++ if needs_update:
++ print ("Updating port %s with new address_pairs %s" %
++ (port['id'], new_address_pairs))
++ neutron.update_port(
++ port['id'],
++ {'port': {'allowed_address_pairs': new_address_pairs}})
++
++main()
+--
+1.9.1
diff --git a/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch b/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch
new file mode 100644
index 000000000000..c6c2230c9bd3
--- /dev/null
+++ b/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch 
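Review bot: In `_validate_allowed_address_pairs` the new `netaddr.IPNetwork(ip_address).prefixlen == 0` test runs before `attr._validate_subnet` / `attr._validate_ip_address`, so a malformed `ip_address` now raises `netaddr.AddrFormatError` out of the validator instead of reaching the `webob.exc.HTTPBadRequest` path the next lines feed; this is user-supplied request data, and that exception is not one the API maps to a 4xx. Keep the existing format check first and place the zero-prefix test after the `if msg: raise webob.exc.HTTPBadRequest(msg)` line that follows this hunk (the function continues outside it): `if netaddr.IPNetwork(ip_address).prefixlen == 0:` / `    raise AllowedAddressPairsZeroPrefixNotAllowed()`. The added `test_create_port_zero_prefix_ip` uses `'mac_address': 'invalid_mac'`, apparently copied from `test_create_port_bad_mac`; if MAC validation runs first (not visible here) it yields 400 on its own and the new check is never exercised, so use a valid MAC or omit `mac_address` in that test. `tools/fix_zero_length_ip_prefix.py` also calls `main()` at import time rather than under `if __name__ == '__main__':`, so importing it for testing would contact the API.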
@@ -0,0 +1,127 @@ +From e0c8cbc5dd610b4c580935ea56436495a6d4eb26 Mon Sep 17 00:00:00 2001 +From: Aaron Rosen <aaronorosen@gmail.com> +Date: Wed, 3 Jun 2015 16:19:39 -0700 +Subject: [PATCH] Provide work around for 0.0.0.0/0 ::/0 for ipset + +Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if +these addresses were inputted as allowed address pairs. This causes +ipset to raise an error as it does not work with zero prefix sizes. +To solve this problem we use two ipset rules to represent this: + +Ipv4: 0.0.0.0/1 and 128.0.0.1/1 +IPv6: ::/1' and '8000::/1 + +All of this logic is handled via _sanitize_addresses() in the ipset_manager +which is called to convert the input. + +Closes-bug: 1461054 + +Conflicts: + neutron/agent/linux/ipset_manager.py + neutron/tests/unit/agent/linux/test_ipset_manager.py + +(cherry picked from commit 80a0fc3ba063e036b76e05e89b0cc54fc2d47c81) +--- + neutron/agent/linux/ipset_manager.py | 23 ++++++++++++++++++++++ + .../tests/unit/agent/linux/test_ipset_manager.py | 19 +++++++++++++++--- + 2 files changed, 39 insertions(+), 3 deletions(-) + +diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py +index 0f76418..af59f1f 100644 +--- a/neutron/agent/linux/ipset_manager.py ++++ b/neutron/agent/linux/ipset_manager.py +@@ -11,6 +11,8 @@ + # See the License for the specific language governing permissions and + # limitations under the License. + ++import netaddr ++ + from neutron.agent.linux import utils as linux_utils + from neutron.common import utils + +@@ -31,6 +33,26 @@ class IpsetManager(object): + self.namespace = namespace + self.ipset_sets = {} + ++ def _sanitize_addresses(self, addresses): ++ """This method converts any address to ipset format. ++ ++ If an address has a mask of /0 we need to cover to it to a mask of ++ /1 as ipset does not support /0 length addresses. Instead we use two ++ /1's to represent the /0. 
++ """ ++ sanitized_addresses = [] ++ for ip in addresses: ++ if (netaddr.IPNetwork(ip).prefixlen == 0): ++ if(netaddr.IPNetwork(ip).version == 4): ++ sanitized_addresses.append('0.0.0.0/1') ++ sanitized_addresses.append('128.0.0.0/1') ++ elif (netaddr.IPNetwork(ip).version == 6): ++ sanitized_addresses.append('::/1') ++ sanitized_addresses.append('8000::/1') ++ else: ++ sanitized_addresses.append(ip) ++ return sanitized_addresses ++ + @staticmethod + def get_name(id, ethertype): + """Returns the given ipset name for an id+ethertype pair. +@@ -51,6 +73,7 @@ class IpsetManager(object): + add / remove new members, or swapped atomically if + that's faster. + """ ++ member_ips = self._sanitize_addresses(member_ips) + set_name = self.get_name(id, ethertype) + if not self.set_exists(id, ethertype): + # The initial creation is handled with create/refresh to +diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py +index 4484008..a1c6dc5 100644 +--- a/neutron/tests/unit/agent/linux/test_ipset_manager.py ++++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py +@@ -38,7 +38,7 @@ class BaseIpsetManagerTest(base.BaseTestCase): + def expect_set(self, addresses): + temp_input = ['create NETIPv4fake_sgid-new hash:net family inet'] + temp_input.extend('add NETIPv4fake_sgid-new %s' % ip +- for ip in addresses) ++ for ip in self.ipset._sanitize_addresses(addresses)) + input = '\n'.join(temp_input) + self.expected_calls.extend([ + mock.call(['ipset', 'restore', '-exist'], +@@ -55,13 +55,16 @@ class BaseIpsetManagerTest(base.BaseTestCase): + self.expected_calls.extend( + mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip], + process_input=None, +- run_as_root=True) for ip in addresses) ++ run_as_root=True) ++ for ip in self.ipset._sanitize_addresses(addresses)) + + def expect_del(self, addresses): ++ + self.expected_calls.extend( + mock.call(['ipset', 'del', TEST_SET_NAME, ip], + process_input=None, +- 
run_as_root=True) for ip in addresses)
++ run_as_root=True)
++ for ip in self.ipset._sanitize_addresses(addresses))
+
+ def expect_create(self):
+ self.expected_calls.append(
+@@ -113,6 +116,16 @@ class IpsetManagerTestCase(BaseIpsetManagerTest):
+ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, FAKE_IPS)
+ self.verify_mock_calls()
+
++ def test_set_members_adding_all_zero_ipv4(self):
++ self.expect_set(['0.0.0.0/0'])
++ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['0.0.0.0/0'])
++ self.verify_mock_calls()
++
++ def test_set_members_adding_all_zero_ipv6(self):
++ self.expect_set(['::/0'])
++ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['::/0'])
++ self.verify_mock_calls()
++
+ def test_destroy(self):
+ self.add_first_ip()
+ self.expect_destroy()
+--
+1.9.1
diff --git a/sys-cluster/neutron/neutron-2014.2.3.ebuild b/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild
index ceceadae2b73..eeb68995909e 100644
--- a/sys-cluster/neutron/neutron-2014.2.3.ebuild
+++ b/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.2.3.ebuild,v 1.1 2015/04/13 03:27:20 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild,v 1.1 2015/07/02 05:43:05 prometheanfire Exp $
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -102,6 +102,7 @@ PATCHES=(
 "${FILESDIR}/0001-Fixes-bug-in-interface-handling-of-ip_lib.py.patch"
 "${FILESDIR}/0002-moving-vxlan-module-check-to-sanity-checks-and-makin.patch"
 "${FILESDIR}/0003-fixes-error-logging-to-use-the-right-exception-paren.patch"
+ "${FILESDIR}/cve-2015-3221_2014.2.3.ebuild"
 )
 pkg_setup() {
diff --git a/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild b/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild
index 0a7a4c2e2da8..18d1a9ee18e9 100644
--- a/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild 
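Review bot: The new `test_set_members_adding_all_zero_ipv4` / `_ipv6` cases obtain their expected ipset calls through `self.ipset._sanitize_addresses(addresses)` inside `expect_set`, so the expectation is produced by the code under test and both tests would still pass if `_sanitize_addresses` returned `['0.0.0.0/0']` unchanged. Pin the conversion with literal values, e.g. `self.assertEqual(['0.0.0.0/1', '128.0.0.0/1'], self.ipset._sanitize_addresses(['0.0.0.0/0']))` and the `['::/1', '8000::/1']` counterpart. In `_sanitize_addresses` itself `netaddr.IPNetwork(ip)` is parsed up to three times per address; bind it once with `net = netaddr.IPNetwork(ip)` and branch on `net.prefixlen` / `net.version`. The docstring's "we need to cover to it to a mask of /1" reads as a typo for "convert it to a mask of /1".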
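Review bot: The file added to `PATCHES` here, `"${FILESDIR}/cve-2015-3221_2014.2.3.ebuild"`, is a git-format patch, not an ebuild, and its 2015.1.0 sibling is correctly named `cve-2015-3221_2015.1.0.patch`; epatch should apply an explicitly listed file regardless of suffix, so this probably works, but a patch stored as `files/*.ebuild` misleads anyone scanning the package, so rename it to `cve-2015-3221_2014.2.3.patch` and update this array entry. Separately, the Juno fix only rejects new /0 address pairs at the API; ports that already carry one keep breaking ipset until the bundled `tools/fix_zero_length_ip_prefix.py` is run, and nothing on this page installs or mentions that tool, so unless the ebuild already has one outside this hunk, a `pkg_postinst` `elog` pointing operators at it would help. The `neutron-2015.1.0-r2.ebuild` section does not need this, since that patch converts the addresses in the agent.
```bash
# … unchanged: PATCHES array, pkg_setup …
pkg_postinst() {
	elog "CVE-2015-3221: allowed address pairs with a /0 prefix are now rejected."
	elog "Ports that already carry such a pair must be converted with"
	elog "tools/fix_zero_length_ip_prefix.py from the applied patch."
}
```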
+++ b/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild,v 1.1 2015/05/17 23:25:00 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild,v 1.1 2015/07/02 05:43:05 prometheanfire Exp $
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -129,6 +129,7 @@ RDEPEND="
 dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
 PATCHES=(
+ "${FILESDIR}/cve-2015-3221_2015.1.0.patch"
 )
 pkg_setup() { |