fix for CVE-2014-3555

Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
author: Matt Thode <prometheanfire@gentoo.org> 2014-07-17 09:18:03 +0000
committer: Matt Thode <prometheanfire@gentoo.org> 2014-07-17 09:18:03 +0000
commit: cbd07e4020fc8efe128c0886474c4a35d5f50bc5 (patch)
tree: 994bec1c521ebd7d367ea88036dc8ad5079d13e1 /sys-cluster/neutron
parent: Stable for amd64 wrt bug #507408 (diff)
download: historical-cbd07e4020fc8efe128c0886474c4a35d5f50bc5.tar.gz
historical-cbd07e4020fc8efe128c0886474c4a35d5f50bc5.tar.bz2
historical-cbd07e4020fc8efe128c0886474c4a35d5f50bc5.zip
4 files changed, 118 insertions, 10 deletions
diff --git a/sys-cluster/neutron/ChangeLog b/sys-cluster/neutron/ChangeLog
index 1bde83eca61b..9d27e155a193 100644
--- a/sys-cluster/neutron/ChangeLog
+++ b/sys-cluster/neutron/ChangeLog
@@ -1,6 +1,10 @@
 # ChangeLog for sys-cluster/neutron
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.35 2014/07/13 03:40:50 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.36 2014/07/17 09:17:53 prometheanfire Exp $
+
+  17 Jul 2014; Matthew Thode <prometheanfire@gentoo.org>
+  +files/neutron-2014.1.1-CVE-2014-3555.patch, neutron-2014.1.1.ebuild:
+  fix for CVE-2014-3555
 
   13 Jul 2014; Ian Delaney <idella4@gentoo.org> neutron-2014.1.1.ebuild,
   neutron-2014.1.9999.ebuild, neutron-9999.ebuild:
diff --git a/sys-cluster/neutron/Manifest b/sys-cluster/neutron/Manifest
index 5b6488cd6ba3..7f1591010620 100644
--- a/sys-cluster/neutron/Manifest
+++ b/sys-cluster/neutron/Manifest
@@ -1,6 +1,7 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256
 
+AUX neutron-2014.1.1-CVE-2014-3555.patch 4357 SHA256 8f1c456e7cf961047f15c991dfd70b69a249a3477ad9b320f45a094724d6173d SHA512 3ed07807f3f1e04af8240731e3b101ec591c8321ff9ae6c5790ab8559538f733158175df37c2531e43383c6e1f66fb530008c5b2ba21341d2b13548fe3aa23bc WHIRLPOOL 447ac22629053b6099e2295600776925ba96d802f690bc8a44d5d56c359bde05aa1193284a35b922230127f696c28cc3129c027b7e12cdd5b0ae33c46ac18b28
 AUX neutron-confd 75 SHA256 2e03d5dee96eb235d3d2742fb59b52376914dae1d8683144396d796dd35ea9f5 SHA512 fefe7dd1924fabed3cdddae2a407b254c62f39c49abeae238486896e9d26863caebfdfea6d52c5eef34d25452b163c373105929bd069b969c2af0f7d62d6c0e6 WHIRLPOOL 1ac7ed6b2287e66bc51be8b521e355a48e888e1e57371362bfd41fb831d63cc90aab542c1668b4acc1c087cb6bacd418a480e2732a7611b8df290bf63444c902
 AUX neutron-confd-2 75 SHA256 0fce0e6f6cec493b9b0bcb96fa3211ba47a6420b9ea675ef65979fd9505121c7 SHA512 e64116f6cab81a2ee56d797f8144dbc8b214fb627bc8d6c3045488b1fec694cee8e8f3f3fbd327fb28f704cdfae40ea468d8a212c819abd45e809a1fa56b9670 WHIRLPOOL fb027c386c99448c29b265adc234abbc4d23a8be015690fd024b1f39ccc18dd64a1ab57c6cc26a054d576a0bbbed797058b19db90abf0318ae79dddc4efd2056
 AUX neutron-dhcp-agent.confd 75 SHA256 e36fe3d370ad2b4c82ccf1f4caac60882334d93e3abd7e0e6e268d23cb069d71 SHA512 94cf300c9a9d0275e4fcab4ffdb7e29ca26b73c120d6ff683b48ea0e9c21e46123289522aedd295e4d5d28307133b50084541a90a48db456802d675eed6c2d3e WHIRLPOOL 9e77fe1ef65fa8ef46f8272ddea7213a46e71c6f2884eab20f09eaddc977f5cc202c8529c1a75347132c667e4e2d39d5bdd3ab2c94812c4b1f95f398af75c38c
@@ -18,15 +19,25 @@ AUX neutron.sudoersd 117 SHA256 b40ea04a95deedbb66fe504df61b55905cbd746e5ba26321
 AUX nicira.patch 5757 SHA256 62484fa9d817feee1edc0a51ea1eeca068406f8f76e34c845b85ea51664e20d6 SHA512 f160a36f78d9a1186e19cdfb4f97b17e39e1a6f3e20bcaf84e76e71c632b0a6e8af89645d507f2c6f60a9f7d09a741302d476731c2fc798dfa999aaf38f1e273 WHIRLPOOL b7b5e0618caa8c6acc65f46c315d81b427810f3d6b1e89b48fc79567717c90a2e81e091d532ea192ac68ad432374fb9debe79d7b2c0a5a82d7d8cec8ca64f50e
 AUX sphinx_mapping.patch 835 SHA256 f4745338474c9191ba386f81705cc8c9a6effb09116c65664654eb733d081252 SHA512 988236676ef0550ca96cc05e606d43280969e89b31971244ece89d63cdcbcbcfd3ac595adca03a6308996ef58ebc4f75b0dfd65a938ad7c3fb67fb785e09f8c9 WHIRLPOOL 6154ee51ecd63040d9a6c2058f369a7243c719cbda3f73484d55ea9425a5c9982d3921d91d152aa27c61c5635d74f2afa57ff1b5aaa10b1be1e7c1475ff74e5f
 DIST neutron-2014.1.1.tar.gz 6404237 SHA256 4723713b124ec7be0ae5f280d30a53b00ab5bec8a27be6165bdc630b8f22c1b5 SHA512 8a586741c035700ed8f33089830278e9eee9745a8fa58ef4ec71638ffecbd7c8689387f1597d948ca18a7f7edbad1ff67aab6d5304b61069556d5418e55738c5 WHIRLPOOL 6b7d139f1265a719edf05dbe2648fb7a056f708984da3e2b7b89f17746694137b5201bc69587e0af1a9729710205538c5841c860180ea9d7e7f5f0a17ece43dc
-EBUILD neutron-2014.1.1.ebuild 6427 SHA256 855c841e78e438baeac8feccf11c93ed8e2915f8792c1f37972ecb898749677b SHA512 d27030dccb61f31d6f2545f107b4e50ced755c4384b10ea14154f460f406acbb1f2f14472a2af26b89ec98aab97757fa5e7e516ea8d5905a1d3910e12c3d4381 WHIRLPOOL 15eb752dfbab9ff546867599783c3d2a425ce007f8e58189a5d7d8d4ad136e0d0a93c194ff208486253e238cb710b4669cc9746252a45b48db9246478208b4c4
+EBUILD neutron-2014.1.1.ebuild 6494 SHA256 2f7ba9b1d1e68192b76514847f64b5f3bc4051f8687ceaac35bfd8ab48531955 SHA512 6e9b4ac7e9d9e290a1e9e926635bc90453f5b74bf2b0c2ebf8f575f4353d53bca5ddb8d4f732dd6182f43dd7ddb1ffb4a5b260e162dd34ec98a22315ca5f570b WHIRLPOOL 7d2aba3f1e66487aa41a4dd155ec1dc7bb1c7383a072e7ca5ae23c1e35b8d98d55d1aba9e32949298c29039e5005023022660646984d94eb219c2768259ca6a8
 EBUILD neutron-2014.1.9999.ebuild 5558 SHA256 d26700b8ffe0ab4f2455e6cb6ce804361e1234ac6d4a34448362764c40acca2c SHA512 7b51e8eaead425f5be5bfaf756efe0380896f312ee4021fc629eea69bdc65ff4781e19d4b72f408632ef9f53710e1d7f559e56d08879214ad27df80e887546fb WHIRLPOOL 80d73490ce4b1136605450a2d3e33a419026b4c97ce7e3f33d0beb25a61dcac73dbe886c90beaee21325fb2d21bc86ca705b60785151bea4eefabdad9481affe
 EBUILD neutron-9999.ebuild 4468 SHA256 45f19f7a7781de2de1e11be0ff605fe431fb85c45b0a003346afccc59499f0ce SHA512 6089911ea9c1e7f3a6a345b88ca51fee49ee8a28438f29c737978c8f9332e9f09b08d986f74480b5dd168907c88f6638179f89e907217c1a153889270739fca2 WHIRLPOOL 12078942281843cd07b85930c6bb869b651ad4020e7de7e3d90df87f46d8245b36072ead11d4eeb5439f6e8be5c69bed42a7d2f8e0ff3246518bae80888735a6
-MISC ChangeLog 11985 SHA256 e4b4c6b474ae1502c65f1455d1786a22533da9a1a4d71c093ba8f63eab5fbe0a SHA512 6b0d6faddfa4c1f095cbc17709baa47c3ef9f542a0c23e8d6fa5e6a1e7e354d8915673d6e755d9c03b55052c4c1694d791d181ef5ee8fd49ba52b5125e10f490 WHIRLPOOL 5276b69b28d26cdd12ee370866259f6ef27c87411c325a0c481a023eb4f9a7a9f7dff5380fb1a1c2026d7d1dae1bef52ce01c15b175d698cac4bb4f7ddf3c6d4
+MISC ChangeLog 12146 SHA256 da241c2271342c1df9edd2a02825c537e41c6127efdac0f926922d9ba7d1837f SHA512 abbb73aab0adcc5f0fee3614632af5c75073be39b78a7156942fdf4e8de180da746457691e44928f508695541a88f47faa2edda2989d7ed61dc111018b61f94b WHIRLPOOL cce1f4bf98aa523fdd6f999b86ca4080ff9b6d8beb9395dc0114dd9c27e81f5626328b506273667affd63cc3461dc97e48941123a116a1e9ae4485e00ac54e1d
 MISC metadata.xml 1296 SHA256 7d6de6c9dc0602e7ea1147c40e8798aa61e01a891eade2b291628850d52889ab SHA512 e49d4872a6fefdb93f20665cf1a176744a1eaa3c068617dbb41e2591d084776d55334997c8046d725e84f5a7280481392f3fccf42f6cb02bbf1751d43076c49d WHIRLPOOL 0b3e08407b951bffdaa54e646d35c000e5b1df43381132386b77056e26773d6344ec7ace4b7a87ae14f29090fcdd490f05730ece3597b8e7a2d4389dfe816312
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.22 (GNU/Linux)
+Version: GnuPG v2
 
-iEYEAREIAAYFAlPB/coACgkQso7CE7gHKw17OQCfTeGi3pPb1JSv4kkKNDcaAFoe
-OVQAoIM9NyyOpTkZ/1PFxjs7bMN+Y9dh
-=cZUL
+iQIcBAEBCAAGBQJTx5TZAAoJECRx6z5ArFrD3eYP/1V3Nw5FQMOEr4Sv1ROVVgqm
+cNtpg5iDRupShKkjqDMBF5T3zy2uaQ5MDpRzi6UpFiE+6oAcs2o9k1IXNQ4lWUG2
+zNmXiTwxv8Dm55g9NVCoCo4oHbeEFHeAvV9BZPAIchjSKgewgOhEjnakomSoocCH
+Yfo5E2t0p8fB09AZ8JnJwRqDcKHi4zmBJhJUDi+RFNkY7rZVmCxu5ILsftcIJRzp
+t9iaE7H51lCTja2dP3JD0BFH/GsHCqAI1T32OoNpwgLUp0/LdfNeWYk0Jr2mP6WL
+7PaSd3q4oX26CounDqc7vtDu1rB3bXHRvG+jqzZvya/CebUKvBXh9eFQwuo5vUk9
+YyP+8mRhf8rRjnuLdj1GqZ1jnAhhWqlw1+Qrz2DKY1blN83JSWsfRQkq+4xQ5hVM
+4FgQkSeYcKFptv8UtT+0x83iGXlPDtjP38ZXpiQm2X20YzWsMY7gAY1MgNOwnhLv
+ufvd2nl2ihivozIEd8AD/m7BWEdS8jgGHVg7ciT7mvB+qRdqB7+mhPbmqsZW2kNu
+yglDJsBuEvEfLZRU+wxQgGs46enj/T9m/REjgFcg5W8LToxQQx3wAPj5MlQ0SPUT
+ZxSvrTM2QOcNwirHldIzR4n0PeilVKwXaBV4/NYh5L2MnAu09qz+CEkWFkSHJVCL
+20GnPLtOFQfqszy5nmbB
+=bdE3
 -----END PGP SIGNATURE-----
diff --git a/sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch b/sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch
new file mode 100644
index 000000000000..14f05f5af75a
--- /dev/null
+++ b/sys-cluster/neutron/files/neutron-2014.1.1-CVE-2014-3555.patch
@@ -0,0 +1,92 @@
+diff --git a/neutron/extensions/allowedaddresspairs.py b/neutron/extensions/allowedaddresspairs.py
+index 96512f3..1283da4 100644
+--- a/neutron/extensions/allowedaddresspairs.py
++++ b/neutron/extensions/allowedaddresspairs.py
+@@ -16,6 +16,15 @@ import webob.exc
+ 
+ from neutron.api.v2 import attributes as attr
+ from neutron.common import exceptions as nexception
++from oslo.config import cfg
++
++allowed_address_pair_opts = [
++    #TODO(limao): use quota framework when it support quota for attributes
++    cfg.IntOpt('max_allowed_address_pair', default=10,
++               help=_("Maximum number of allowed address pairs")),
++]
++
++cfg.CONF.register_opts(allowed_address_pair_opts)
+ 
+ 
+ class AllowedAddressPairsMissingIP(nexception.InvalidInput):
+@@ -36,8 +45,17 @@ class AddressPairMatchesPortFixedIPAndMac(nexception.InvalidInput):
+     message = _("Port's Fixed IP and Mac Address match an address pair entry.")
+ 
+ 
++class AllowedAddressPairExhausted(nexception.BadRequest):
++    message = _("The number of allowed address pair "
++                "exceeds the maximum %(quota)s.")
++
++
+ def _validate_allowed_address_pairs(address_pairs, valid_values=None):
+     unique_check = {}
++    if len(address_pairs) > cfg.CONF.max_allowed_address_pair:
++        raise AllowedAddressPairExhausted(
++            quota=cfg.CONF.max_allowed_address_pair)
++
+     for address_pair in address_pairs:
+         # mac_address is optional, if not set we use the mac on the port
+         if 'mac_address' in address_pair:
+diff --git a/neutron/tests/unit/test_extension_allowedaddresspairs.py b/neutron/tests/unit/test_extension_allowedaddresspairs.py
+index 826768f..70eb1e3 100644
+--- a/neutron/tests/unit/test_extension_allowedaddresspairs.py
++++ b/neutron/tests/unit/test_extension_allowedaddresspairs.py
+@@ -22,6 +22,7 @@ from neutron.extensions import allowedaddresspairs as addr_pair
+ from neutron.extensions import portsecurity as psec
+ from neutron.manager import NeutronManager
+ from neutron.tests.unit import test_db_plugin
++from oslo.config import cfg
+ 
+ DB_PLUGIN_KLASS = ('neutron.tests.unit.test_extension_allowedaddresspairs.'
+                    'AllowedAddressPairTestPlugin')
+@@ -163,6 +164,28 @@ class TestAllowedAddressPairs(AllowedAddressPairDBTestCase):
+                           'ip_address': '10.0.0.1'}]
+         self._create_port_with_address_pairs(address_pairs, 400)
+ 
++    def test_more_than_max_allowed_address_pair(self):
++        cfg.CONF.set_default('max_allowed_address_pair', 3)
++        address_pairs = [{'mac_address': '00:00:00:00:00:01',
++                          'ip_address': '10.0.0.1'},
++                         {'mac_address': '00:00:00:00:00:02',
++                          'ip_address': '10.0.0.2'},
++                         {'mac_address': '00:00:00:00:00:03',
++                          'ip_address': '10.0.0.3'},
++                         {'mac_address': '00:00:00:00:00:04',
++                          'ip_address': '10.0.0.4'}]
++        self._create_port_with_address_pairs(address_pairs, 400)
++
++    def test_equal_to_max_allowed_address_pair(self):
++        cfg.CONF.set_default('max_allowed_address_pair', 3)
++        address_pairs = [{'mac_address': '00:00:00:00:00:01',
++                          'ip_address': '10.0.0.1'},
++                         {'mac_address': '00:00:00:00:00:02',
++                          'ip_address': '10.0.0.2'},
++                         {'mac_address': '00:00:00:00:00:03',
++                          'ip_address': '10.0.0.3'}]
++        self._create_port_with_address_pairs(address_pairs, 201)
++
+     def test_create_port_extra_args(self):
+         address_pairs = [{'mac_address': '00:00:00:00:00:01',
+                           'ip_address': '10.0.0.1',
+@@ -174,8 +197,10 @@ class TestAllowedAddressPairs(AllowedAddressPairDBTestCase):
+             res = self._create_port(self.fmt, net['network']['id'],
+                                     arg_list=(addr_pair.ADDRESS_PAIRS,),
+                                     allowed_address_pairs=address_pairs)
+-            self.deserialize(self.fmt, res)
++            port = self.deserialize(self.fmt, res)
+             self.assertEqual(res.status_int, ret_code)
++            if ret_code == 201:
++                self._delete('ports', port['port']['id'])
+ 
+     def test_update_add_address_pairs(self):
+         with self.network() as net:
+
diff --git a/sys-cluster/neutron/neutron-2014.1.1.ebuild b/sys-cluster/neutron/neutron-2014.1.1.ebuild
index e95f06f9a702..79284d28d3d5 100644
--- a/sys-cluster/neutron/neutron-2014.1.1.ebuild
+++ b/sys-cluster/neutron/neutron-2014.1.1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1.1.ebuild,v 1.3 2014/07/13 03:40:50 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1.1.ebuild,v 1.4 2014/07/17 09:17:53 prometheanfire Exp $
 
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -54,7 +54,8 @@ RDEPEND="dev-python/paste[${PYTHON_USEDEP}]
 		>=dev-python/python-neutronclient-2.3.4[${PYTHON_USEDEP}]
 		<=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}]
 		>=dev-python/sqlalchemy-0.7.8[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.7.99[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-0.9.5[${PYTHON_USEDEP}]
+		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
 		mysql? ( dev-python/mysql-python[${PYTHON_USEDEP}] )
 		postgres? ( >=dev-python/psycopg-2[${PYTHON_USEDEP}] )
 		sqlite? ( dev-db/sqlite )
@@ -73,7 +74,7 @@ RDEPEND="dev-python/paste[${PYTHON_USEDEP}]
 
 PATCHES=(
 	"${FILESDIR}/sphinx_mapping.patch"
-	"${FILESDIR}/"2014.1-CVE-2014-4167.patch
+	"${FILESDIR}/neutron-2014.1.1-CVE-2014-3555.patch"
 )
 
 pkg_setup() {
author	Matt Thode <prometheanfire@gentoo.org>	2014-07-17 09:18:03 +0000
committer	Matt Thode <prometheanfire@gentoo.org>	2014-07-17 09:18:03 +0000
commit	cbd07e4020fc8efe128c0886474c4a35d5f50bc5 (patch)
tree	994bec1c521ebd7d367ea88036dc8ad5079d13e1 /sys-cluster/neutron
parent	Stable for amd64 wrt bug #507408 (diff)
download	historical-cbd07e4020fc8efe128c0886474c4a35d5f50bc5.tar.gz historical-cbd07e4020fc8efe128c0886474c4a35d5f50bc5.tar.bz2 historical-cbd07e4020fc8efe128c0886474c4a35d5f50bc5.zip