authorMatt Thode <prometheanfire@gentoo.org>2013-12-13 21:10:44 +0000
committerMatt Thode <prometheanfire@gentoo.org>2013-12-13 21:10:44 +0000
commit4506f456606e99bdfdc235e8fd940dd71025771f (patch)
treee5eeefca72520dc4062cac0a6d47374a03307fa8 /sys-cluster
parentversion bump (diff)
fixes for CVE-2013-6419
Package-Manager: portage-2.2.7/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-cluster')
-rw-r--r--sys-cluster/nova/ChangeLog11
-rw-r--r--sys-cluster/nova/Manifest35
-rw-r--r--sys-cluster/nova/files/CVE-2013-6419_2013.1.4.patch129
-rw-r--r--sys-cluster/nova/files/CVE-2013-6419_2013.2.patch186
-rw-r--r--sys-cluster/nova/nova-2013.1.4-r2.ebuild (renamed from sys-cluster/nova/nova-2013.1.4-r1.ebuild)4
-rw-r--r--sys-cluster/nova/nova-2013.2-r1.ebuild126
-rw-r--r--sys-cluster/nova/nova-2013.2-r3.ebuild (renamed from sys-cluster/nova/nova-2013.2-r2.ebuild)5
7 files changed, 349 insertions, 147 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index 0c335ad2f862..af13d2e11ea1 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.43 2013/12/03 20:14:39 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.44 2013/12/13 21:10:35 prometheanfire Exp $
+
+*nova-2013.2-r3 (13 Dec 2013)
+*nova-2013.1.4-r2 (13 Dec 2013)
+
+ 13 Dec 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2013-6419_2013.1.4.patch, +files/CVE-2013-6419_2013.2.patch,
+ +nova-2013.1.4-r2.ebuild, +nova-2013.2-r3.ebuild, -nova-2013.1.4-r1.ebuild,
+ -nova-2013.2-r1.ebuild, -nova-2013.2-r2.ebuild:
+ fixes for CVE-2013-6419
03 Dec 2013; Matthew Thode <prometheanfire@gentoo.org> -nova-2013.2.ebuild,
nova-2013.2-r1.ebuild, nova-2013.2.9999.ebuild:
diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest
index 7df1571104af..a8bddc325d59 100644
--- a/sys-cluster/nova/Manifest
+++ b/sys-cluster/nova/Manifest
@@ -5,33 +5,34 @@ AUX CVE-2013-4463_4469-grizzly.patch 19603 SHA256 72abd5f11fa8bf4c5900d4beef4111
AUX CVE-2013-4463_4469-havana.patch 20808 SHA256 2407de89451cefb46a4b156516bdf71bd5f324962fc4ea0f63a96752846f8885 SHA512 18622589bd383e27162b97c5f4ab854957981a63b6bb6e74a44765ca5e014e3f3061fb04f08cd12288a01e88eee2ed346d594db8c04e7e078aaed93d9593bdd8 WHIRLPOOL 27cf1c5543e8d30a3a7d6769133a7a1bc001f0201d752adc2089ea28b4b73fb2590df3edcc1326f11c2a333063c397e4f3dc2546d457203a2110592fd238005b
AUX CVE-2013-4497-grizzly-1.patch 4853 SHA256 b4477a17f45d505f0f09462888f6fdf59c2c5c89efbf38339a357f00e098c877 SHA512 9d9f4edbdcbffe9abe96526be454f68675543cf8601dac622943389350cc9d2ed28addb5e51fa61305142bd981e80d2f79f6f2b13d9bdc2ec76a1a5438d52798 WHIRLPOOL e30cd6d15c5fad7227c23a9b5a10b57cc7100b626d862a794108dd0ef3caa903bbafb1b497af2d18acbc3f371e59b924f848356134e43df323eef3db483b0c47
AUX CVE-2013-4497-grizzly-2.patch 1945 SHA256 8c4be7bc42b485afd64d5ec1dd61ecfb5540555640c370649afc5312a3ddcac1 SHA512 1153e89733d0e8cffe1c6cbcaf9b3cabf8ebbf797e578c8ab379df9b01bd88758606ca450f0d7741efdc92869c078f4e1229b29cbb4fa9b8107ef9b92935452a WHIRLPOOL 843758c9f16fa476f0c1e67c2f3596b8adaba26f6d4dfd7c7213294221fe048b22356ba504bd264dab7313a48ce2ca0a8d968767184fe1cdb7b8ac815269ee27
+AUX CVE-2013-6419_2013.1.4.patch 5711 SHA256 0af9859e7cd0373c3c69fbb7d2256976412599cd079e696344288a81d3422bcd SHA512 b6f2fd940278cf7fa7b0a1d54d6c069f73a5c3462c4adb536c03d611c197ba3509d4464a7ef7539213ba51d749efc5ecc85800a4f86998464cdc2beb42bafd7e WHIRLPOOL ba62d91c0135a8328ca3e4048223630d2c2c133a2231e80655dc4d7dd0b772d1f81402aafaf7ec8742a77ee7cc58e7cf03d915e2058669a105c4553ccc976b48
+AUX CVE-2013-6419_2013.2.patch 7791 SHA256 441a6d09d8c732c5ed93dded9348e54014ad9909c131cb3436f3a34bee55a7b5 SHA512 48419a04287b2c1f8f308e759460a1695c3e6be8e366a00a6d5bd613a3a8f0e84db0d6b749e4e8f07ce2b0ab3e2e13a6d9a886e0ee3388408c115f51cfc28766 WHIRLPOOL a7a3e6021a67cecf659106629e1adb608889b25a0a34688e5db7daae52701511d990ba8a0ab9c8a05df1a83a660913a88ff2e38ee06bce6a7aec4b1115af4ce4
AUX nova-confd 101 SHA256 d9013141618d1e8b8ba85297155747d9c8fc362238de7bba3108b9a2539c8c73 SHA512 4c7ec1d123f2cdaf394d1f4824df861bbe309b0b329db44080160d81746cd0fc9d4cc1b35da0f66ab075f1d4e835ababfb7bccaf4a2e931e60f2c0ac572a552e WHIRLPOOL 6a237357a3905d29a96b32c37f6d189e4f5cefc0986bb091e24a79295191332143741c604c2a9fd44484c75b3be89742a5570862cf0cd4ba225425f7f32b5348
AUX nova-initd 1496 SHA256 5b5f928335ac345103492555c3bc57407f547915b099762d0087aef172e5edf8 SHA512 cca06baba484d505f3a96643d836204a08e9dde50197531cdab2d95188b992a95a375a386b9c54fcc8e0a4f6167babba975db7510db1087f044afa39effe4eec WHIRLPOOL 4c667a5cc469826063a65879c1beddc98371edf295a273c9b8f679627cabfe2260d8b3bbdf9550d3894fc1525d63b9f98d6e939406f90ac5f2f745daa59311c2
AUX nova-sudoers 78 SHA256 9e88c2843fb74cc46802c0b103067ad12915ec50335d05e546a5dba76acb4a76 SHA512 22c0606c6335b2d1a03bd18a319a54f16f76f091b2e8416dbba05ce7c15890beff7f32f0322eb5ba3f2a5c750436cacbe0cee189b390b878e3f0c0df219ef984 WHIRLPOOL bc42ae1d12e9f900b263fd5c3d0f59062f46fbec1ff97c0bceb234082bea5943eb64795b4f5e102b8e2749c6868163e5924467088cad42df09345e3406e5f83c
DIST nova-2013.1.4.tar.gz 5801779 SHA256 0491ec81552b9c407021941ea1c477d5bcd93ec1dcc66d5fc0c1cef594dac760 SHA512 de1addcbc4577c4a376d8762e44d6f7c455bd63ba0be9d8a6a7176ef7a24e85f2bf9014e31d1180e42e48308ee6a17dcf039da2739388501a5fedbad8e5a7f0c WHIRLPOOL 08898e55b7380bd1852c00dcd8e03d4eb06c8c888688d66ba717842929973235eb9d6d34dda4be2700f208a7ff9e088de2690a74acd97f5cb6b81bcce743ece3
DIST nova-2013.2.tar.gz 8909222 SHA256 55a51f8d8b6c7b0ba6f8ff9c48604bb82a90bdc3f21460ed325d1cee2dfea95a SHA512 655d6f5a4ab9ddfb741a920417061808bf22521c967d324f0fa1856c801795969df6f4982362bce26836975c09e7f41e25575309cde5c6788ed32e69304381ea WHIRLPOOL d88272c8101426ed4930a924b254d045a5c965f867573039b72b51f7aa5ba2daa47f54332f63e09e781dd22ca55c142acdb432dc92ad366e13b56138ff8f3186
-EBUILD nova-2013.1.4-r1.ebuild 5300 SHA256 64114c54b4cea0841591d365e611dd4212312ed693b364d20747e62f09cd63ed SHA512 19aaabacbbc61e0c1b1432aa3c00946798bc0a9ee282da0c9319424c8e1cf27cf592addd0971fc60b5481332b9c5252f70d0bb904cab55dfd0b2631749b73358 WHIRLPOOL 46231efc19340eed3d3182391e16282a682a43bdf6967885edabf4003ca288a64e6aee95fefeceaa8d67db18cc7d1fed6022c3029988fea89b9b37502b52d8ab
+EBUILD nova-2013.1.4-r2.ebuild 5370 SHA256 6727132e94a6c7331788a849b9f1ee1713de695655b5b48f95d271c2186272b0 SHA512 d02ad60d18972a485e2d5b3e047efb2546826522f644ab6e9270e6aef8aa9a0199728d8aa4d5a14d2464313824988bb4fb803e9d7e980833a03e051c231ce298 WHIRLPOOL b16ad90f3ae370149072880cdb793800d5a4755ea6e19fee17060662d3d8623c4f862aec64e10e13ca97c3aaa1b1444007d168e10815501d3d52d253a638748d
EBUILD nova-2013.1.9999.ebuild 5073 SHA256 cd1b26465d4bbdbf9daa606fb4787e075461e45acf624eee0753424c2facdb44 SHA512 2d2f40807775654e9e277a8c6910555686dc7d481f75c18d710bb0c12442e92ab852b2243dfd9236ef327aec91899fcacbed55b5429bf158f3714c866b47a453 WHIRLPOOL bbe37fe1d3f294b9d871433b303c4c3265f7e6095263e10954ccd30796d57236dde2aa742bd134ff762de27d4ee3866e1da232d99b6aef68269e66bd52dc632f
-EBUILD nova-2013.2-r1.ebuild 5080 SHA256 842c6144e76e24c54b26f0c6ba14cb2153223c0e72b97dbe8c47e93f2ec0b450 SHA512 09e9e014774f2e8fb50351b716b8e3d52ccd75811f3086df0fa6bf38d9fffaacfb5e751d885cfaa2efc643ca0c3a7d1e2040ac414438ec95cc0e9f891ce19093 WHIRLPOOL e7f7b65df424958c5313e31e8f7869a5a46ce0e05f7eb1beb96fb541d11c4746314b0418fa8842f2b217faf059ff8c80d45903e59b02e6e42643bb44039b7c8b
-EBUILD nova-2013.2-r2.ebuild 5119 SHA256 9d9a631b9d1bdbe8ccb4221293dfea2892eba67f47541082602ebf70aa100d39 SHA512 4b84819292b3c789f9547a82ad6384f87fe8b2ef3a5746431ef94bf639f9ed66af0557e32342403daf267d5d2372d02858d291df3b79ada15bac580227f17101 WHIRLPOOL 91316be0ea9cfbc597eb201ced69c7be00a05f91bc50ae578c32247dc149d08f3efa0557c042d2cd52a6927c282c5f30cd7462017c1ebb0df98c30ca54630247
+EBUILD nova-2013.2-r3.ebuild 5172 SHA256 a05a48b973ef7533cb505dfaf4b4fd13a0aa1b2978d72c1e1610300cd25198f9 SHA512 91249672afa1b797f652f6cf82173c334544a1a154752c92c787b38de2e5ad753f0aeb94f1aca626941b9d3c8a07aa5b2c43a099e6eb021eb5f397709009511d WHIRLPOOL 2912ddaec0179af7cb882c6b179256d4431a7e47be0249f1d00671f8a363b2300947fe2d389fbca5bebc59389694f3c0d5c18ca996db3332d40eb4b4c1898fc4
EBUILD nova-2013.2.9999.ebuild 5090 SHA256 8097dba32e82f125532690b9343beca86b5d1d75a1778d11086e1ed0e0217dd8 SHA512 aa5b4910ade2caa6be5c5ccaa3bdbd5d94ccb689885f0993bf785a1617a0e8f3bf4da5a1416fa458b09e0d5f1dcdd3ad75c81ed5b5463f55714ee8a2ad3f76c2 WHIRLPOOL 2b7693f568e01ba40dc45dbfa2d7539d7f761d2b1245b4b5dda0079f404a5161fa052f3ac99fbcf4082a7d6fbc931dbdd5ef696b54821c03321bafe11f89ef72
EBUILD nova-9999.ebuild 5221 SHA256 96934150733f53305da5cbfd377e4608fb5b43932e5f98b74017fb1174f7f144 SHA512 fe2f7aa7eb89883edabe37008e1fc02f5b54ab9f0487d636765832e728c42bd447bc1490375c1d99a3677f1bf1e5e60af89eee90efcb49be046f94c95d923a0e WHIRLPOOL fac835027124b39f8f434199e1b4eaa9240b361c037d6961f6d02584e2b2a204eb9ed0ce89c39b7989b22d8d1dcf08c5c1a8437e3b39604f999979634d7c68ff
-MISC ChangeLog 10160 SHA256 1153b81c5841bea2d1ebc7915b71ce270590820bc8e60776ccaa1d46eed60e9d SHA512 c974c452a1e255afb17ca119da11d07d4fafb9bd9f67774deab74c05fc7cacec1095a0856cb5ff872495c760888ca5b8e01bd00f1e6f87cf9565633138806515 WHIRLPOOL 0eb79026342605594804a24fcc9bbcebee7b6ed2ac23ac9fca4fef3ac1de1c0e95543772ab04a7b5eb6d71eb885311bb683dd0aebb147394d2ecaff38e425287
+MISC ChangeLog 10509 SHA256 e0e3f5332d1fd5d62c26068445202ba71a7ef8071f648da3404c357c00077054 SHA512 24a629bf039d032f41b6d68567ad3292b2d86fbe29e4bf223db3f5debbdb02ec21a2c72e9dd0b26ff2c850a41e82699219a9e4af0c4dd49545b02c67244633ef WHIRLPOOL f2737f8f9a6bff34c31c304d85117d0d81c204c1b4752a73f8da344c32f5b4fd93ba12e58d3f2d2d3fcf6aaacb20169b7c9de93880d91127a79e74759954728e
MISC metadata.xml 1452 SHA256 29bf3efaab7a4e45f5e442b26a7606edaed3f47e4ffec3e8990f95aea6bf2450 SHA512 537664b6ff29f4afe09eb4635c2cb06d87a6c3c3101e8ef89d1ab9b5b802c79024e94a0cce5a44ec2fd5b1cc37a251dd42156a015b6a294f219b90daff17c9c1 WHIRLPOOL c6e44f9a48fea6ae2a323e9e03d8805301fb0d94bb5634b1946909715f6c05d45c49180204d00221aae1e6dc6748347b4273fae838216b5d5d07932bc473a851
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-iQIcBAEBCAAGBQJSnjxdAAoJECRx6z5ArFrD1skP/1U11YXH3FAMqAjIwk1Sw3+t
-vFoq5ihKvNZp2L2CVNejQ0FZVO4ou8rSWxDNShR4XxqifhWRNVtA0mLVNoOBf8M4
-IQYwtWiWP96rUQkOvkWGVHurP8bddFNQ0h2uouoHKu4vFBQ2MOJzShEtf9OKvcEs
-JAgN16YAoeB0/vdrKoYep7Wr1Z846A6cmmfQbfYvv6PBA6Nucch3nCZRpUgHbGTg
-e2qwjZENcry9gFu5xGS58hjzcxea9NnqVg9hHjio7UAOLYcUsO9uv5bINlygjm5O
-nBdzVbslCWukcqHXbW5xF3erJTCI2C6T4KpXup4vTDmsJd8WCCK8xlTpHp5fGtEv
-L6fQBq1G6GTaX/7EtSiqiWcVfVJbRCOClrETFLmmJxjnWB1xd8jCq4UO5U3Xyd2n
-UHkpRAzx1Ha7tKLTmfhfgw3oGt04F05V6UdnUHUyODCtxl49kKJP8e+lCHGCJ8qK
-hyvdx8eNkdta2gUGNEpg8FNHUXMOfIO9abwTlPL1IMYckWvyigQcLhCbg0oMP+6p
-SY3830SIRH6vjZusDXkFu/KUJb4mkgRFGseb1GzNwPO2UK3II0AZe6VVdq9EqHSG
-DtBC3X9TGhYw8dBIveHrxJzMv9OiwzRV+zYFNyKIBqhnpm9fKQe2yIpcdzQjmtLu
-7j2U5GiKHM/MPFCO8Iai
-=3hGm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+=StfQ
-----END PGP SIGNATURE-----
diff --git a/sys-cluster/nova/files/CVE-2013-6419_2013.1.4.patch b/sys-cluster/nova/files/CVE-2013-6419_2013.1.4.patch
new file mode 100644
index 000000000000..541b794899d0
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2013-6419_2013.1.4.patch
@@ -0,0 +1,129 @@
+commit d4155b806f52f2168742ceb37988fc7f405b44cd
+Author: Aaron Rosen <arosen@nicira.com>
+Date: Mon Oct 7 13:33:31 2013 -0700
+
+ Prevent spoofing instance_id from neturon to nova
+
+ Previously, one could update a port's device_id in neutron to be that
+ of another tenant's instance_id and then be able to retrieve that instance's
+ metadata. This patch prevents this from occuring by checking that X-Tenant-ID
+ received from the metadata request matches the tenant_id in the nova database.
+
+ DocImpact - This patch is dependent on another patch in neutron which adds
+ X-Tenant-ID to the request. Therefore to minimize downtime one
+ should upgrade Neutron first (then restart neutron-metadata-agent)
+ and lastly update nova.
+
+ Fixes bug: 1235450
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index bbaeba5..2b7f659 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -144,6 +144,7 @@ class MetadataRequestHandler(wsgi.Application):
+
+ def _handle_instance_id_request(self, req):
+ instance_id = req.headers.get('X-Instance-ID')
++ tenant_id = req.headers.get('X-Tenant-ID')
+ signature = req.headers.get('X-Instance-ID-Signature')
+ remote_address = req.headers.get('X-Forwarded-For')
+
+@@ -151,8 +152,12 @@ class MetadataRequestHandler(wsgi.Application):
+
+ if instance_id is None:
+ msg = _('X-Instance-ID header is missing from request.')
++ elif tenant_id is None:
++ msg = _('X-Tenant-ID header is missing from request.')
+ elif not isinstance(instance_id, basestring):
+ msg = _('Multiple X-Instance-ID headers found within request.')
++ elif not isinstance(tenant_id, basestring):
++ msg = _('Multiple X-Tenant-ID headers found within request.')
+ else:
+ msg = None
+
+@@ -188,4 +193,12 @@ class MetadataRequestHandler(wsgi.Application):
+ LOG.error(_('Failed to get metadata for instance id: %s'),
+ instance_id)
+
++ if meta_data.instance['project_id'] != tenant_id:
++ LOG.warning(_("Tenant_id %(tenant_id)s does not match tenant_id "
++ "of instance %(instance_id)s."),
++ {'tenant_id': tenant_id,
++ 'instance_id': instance_id})
++ # causes a 404 to be raised
++ meta_data = None
++
+ return meta_data
+diff --git a/nova/tests/test_metadata.py b/nova/tests/test_metadata.py
+index 01f274f..51b6f72 100644
+--- a/nova/tests/test_metadata.py
++++ b/nova/tests/test_metadata.py
+@@ -510,6 +510,7 @@ class MetadataHandlerTestCase(test.TestCase):
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ headers={'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+ self.assertEqual(response.status_int, 200)
+
+@@ -522,6 +523,7 @@ class MetadataHandlerTestCase(test.TestCase):
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+
+ self.assertEqual(response.status_int, 200)
+@@ -536,10 +538,36 @@ class MetadataHandlerTestCase(test.TestCase):
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': ''})
+
+ self.assertEqual(response.status_int, 403)
+
++ # missing X-Tenant-ID from request
++ response = fake_request(
++ self.stubs, self.mdinst,
++ relpath="/2009-04-04/user-data",
++ address="192.192.192.2",
++ fake_get_metadata_by_instance_id=fake_get_metadata,
++ headers={'X-Forwarded-For': '192.192.192.2',
++ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Instance-ID-Signature': signed})
++
++ self.assertEqual(response.status_int, 400)
++
++ # mismatched X-Tenant-ID
++ response = fake_request(
++ self.stubs, self.mdinst,
++ relpath="/2009-04-04/user-data",
++ address="192.192.192.2",
++ fake_get_metadata_by_instance_id=fake_get_metadata,
++ headers={'X-Forwarded-For': '192.192.192.2',
++ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'FAKE',
++ 'X-Instance-ID-Signature': signed})
++
++ self.assertEqual(response.status_int, 404)
++
+ # without X-Forwarded-For
+ response = fake_request(
+ self.stubs, self.mdinst,
+@@ -547,6 +575,7 @@ class MetadataHandlerTestCase(test.TestCase):
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+
+ self.assertEqual(response.status_int, 500)
+@@ -564,6 +593,7 @@ class MetadataHandlerTestCase(test.TestCase):
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'z-z-z-z',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+ self.assertEqual(response.status_int, 500)
+
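Review bot: The new tenant comparison `if meta_data.instance['project_id'] != tenant_id:` runs unconditionally after the branch that logs `Failed to get metadata for instance id` and falls through, so when the lookup returned None the dereference raises AttributeError instead of reaching the existing None path (which the added comment says yields a 404); the `if meta_data is None:` guard sits just outside this hunk here but is visible in the 2013.2 variant below. Guard the dereference, `if meta_data is not None and meta_data.instance['project_id'] != tenant_id:`, so a missing instance still produces the intended 404 rather than a 500. The same defect is in the CVE-2013-6419_2013.2.patch hunk that follows. Worth a one-line comment as well that X-Tenant-ID is not covered by the X-Instance-ID-Signature HMAC (computed over instance_id only), so this check relies on the header arriving over the same trusted proxy path as the signed instance id.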
diff --git a/sys-cluster/nova/files/CVE-2013-6419_2013.2.patch b/sys-cluster/nova/files/CVE-2013-6419_2013.2.patch
new file mode 100644
index 000000000000..1dcfe1b9b68f
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2013-6419_2013.2.patch
@@ -0,0 +1,186 @@
+commit 2a95eee992b66cd65e401e31785c080f811476cf
+Author: Aaron Rosen <arosen@nicira.com>
+Date: Mon Oct 7 13:33:31 2013 -0700
+
+ Prevent spoofing instance_id from neturon to nova
+
+ Previously, one could update a port's device_id in neutron to be that
+ of another tenant's instance_id and then be able to retrieve that instance's
+ metadata. This patch prevents this from occuring by checking that X-Tenant-ID
+ received from the metadata request matches the tenant_id in the nova database.
+
+ DocImpact - This patch is dependent on another patch in neutron which adds
+ X-Tenant-ID to the request. Therefore to minimize downtime one
+ should upgrade Neutron first (then restart neutron-metadata-agent)
+ and lastly update nova.
+
+ Fixes bug: 1235450
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index 27f4d4e..7ac9023 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -140,29 +140,34 @@ class MetadataRequestHandler(wsgi.Application):
+ 'Please try your request again.')
+ raise webob.exc.HTTPInternalServerError(explanation=unicode(msg))
+
+ if meta_data is None:
+ LOG.error(_('Failed to get metadata for ip: %s'), remote_address)
+
+ return meta_data
+
+ def _handle_instance_id_request(self, req):
+ instance_id = req.headers.get('X-Instance-ID')
++ tenant_id = req.headers.get('X-Tenant-ID')
+ signature = req.headers.get('X-Instance-ID-Signature')
+ remote_address = req.headers.get('X-Forwarded-For')
+
+ # Ensure that only one header was passed
+
+ if instance_id is None:
+ msg = _('X-Instance-ID header is missing from request.')
++ elif tenant_id is None:
++ msg = _('X-Tenant-ID header is missing from request.')
+ elif not isinstance(instance_id, basestring):
+ msg = _('Multiple X-Instance-ID headers found within request.')
++ elif not isinstance(tenant_id, basestring):
++ msg = _('Multiple X-Tenant-ID headers found within request.')
+ else:
+ msg = None
+
+ if msg:
+ raise webob.exc.HTTPBadRequest(explanation=msg)
+
+ expected_signature = hmac.new(
+ CONF.neutron_metadata_proxy_shared_secret,
+ instance_id,
+ hashlib.sha256).hexdigest()
+@@ -188,11 +193,19 @@ class MetadataRequestHandler(wsgi.Application):
+ LOG.exception(_('Failed to get metadata for instance id: %s'),
+ instance_id)
+ msg = _('An unknown error has occurred. '
+ 'Please try your request again.')
+ raise webob.exc.HTTPInternalServerError(explanation=unicode(msg))
+
+ if meta_data is None:
+ LOG.error(_('Failed to get metadata for instance id: %s'),
+ instance_id)
+
++ if meta_data.instance['project_id'] != tenant_id:
++ LOG.warning(_("Tenant_id %(tenant_id)s does not match tenant_id "
++ "of instance %(instance_id)s."),
++ {'tenant_id': tenant_id,
++ 'instance_id': instance_id})
++ # causes a 404 to be raised
++ meta_data = None
++
+ return meta_data
+diff --git a/nova/tests/test_metadata.py b/nova/tests/test_metadata.py
+index 50f0d07..e75b51f 100644
+--- a/nova/tests/test_metadata.py
++++ b/nova/tests/test_metadata.py
+@@ -594,74 +594,104 @@ class MetadataHandlerTestCase(test.TestCase):
+ CONF.neutron_metadata_proxy_shared_secret,
+ expected_instance_id,
+ hashlib.sha256).hexdigest()
+
+ # try a request with service disabled
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ headers={'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+ self.assertEqual(response.status_int, 200)
+
+ # now enable the service
+ self.flags(service_neutron_metadata_proxy=True)
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+
+ self.assertEqual(response.status_int, 200)
+ self.assertEqual(response.body,
+ base64.b64decode(self.instance['user_data']))
+
+ # mismatched signature
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': ''})
+
+ self.assertEqual(response.status_int, 403)
+
++ # missing X-Tenant-ID from request
++ response = fake_request(
++ self.stubs, self.mdinst,
++ relpath="/2009-04-04/user-data",
++ address="192.192.192.2",
++ fake_get_metadata_by_instance_id=fake_get_metadata,
++ headers={'X-Forwarded-For': '192.192.192.2',
++ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Instance-ID-Signature': signed})
++
++ self.assertEqual(response.status_int, 400)
++
++ # mismatched X-Tenant-ID
++ response = fake_request(
++ self.stubs, self.mdinst,
++ relpath="/2009-04-04/user-data",
++ address="192.192.192.2",
++ fake_get_metadata_by_instance_id=fake_get_metadata,
++ headers={'X-Forwarded-For': '192.192.192.2',
++ 'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'FAKE',
++ 'X-Instance-ID-Signature': signed})
++
++ self.assertEqual(response.status_int, 404)
++
+ # without X-Forwarded-For
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Instance-ID': 'a-b-c-d',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+
+ self.assertEqual(response.status_int, 500)
+
+ # unexpected Instance-ID
+ signed = hmac.new(
+ CONF.neutron_metadata_proxy_shared_secret,
+ 'z-z-z-z',
+ hashlib.sha256).hexdigest()
+
+ response = fake_request(
+ self.stubs, self.mdinst,
+ relpath="/2009-04-04/user-data",
+ address="192.192.192.2",
+ fake_get_metadata_by_instance_id=fake_get_metadata,
+ headers={'X-Forwarded-For': '192.192.192.2',
+ 'X-Instance-ID': 'z-z-z-z',
++ 'X-Tenant-ID': 'test',
+ 'X-Instance-ID-Signature': signed})
+ self.assertEqual(response.status_int, 500)
+
+
+ class MetadataPasswordTestCase(test.TestCase):
+ def setUp(self):
+ super(MetadataPasswordTestCase, self).setUp()
+ fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs)
+ self.instance = copy.copy(INSTANCES[0])
+ self.instance['system_metadata'] = get_default_sys_meta()
diff --git a/sys-cluster/nova/nova-2013.1.4-r1.ebuild b/sys-cluster/nova/nova-2013.1.4-r2.ebuild
index e2a1d44941e4..f9b1429d40ae 100644
--- a/sys-cluster/nova/nova-2013.1.4-r1.ebuild
+++ b/sys-cluster/nova/nova-2013.1.4-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.1.4-r1.ebuild,v 1.1 2013/11/17 22:35:55 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.1.4-r2.ebuild,v 1.1 2013/12/13 21:10:35 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -73,6 +73,7 @@ PATCHES=(
"${FILESDIR}/CVE-2013-4463_4469-grizzly.patch"
"${FILESDIR}/CVE-2013-4497-grizzly-1.patch"
"${FILESDIR}/CVE-2013-4497-grizzly-2.patch"
+ "${FILESDIR}/CVE-2013-6419_2013.1.4.patch"
)
pkg_setup() {
@@ -82,6 +83,7 @@ pkg_setup() {
src_prepare() {
sed -i 's/setuptools_git>=0.4//g' "${S}/setup.py"
+ distutils-r1_src_prepare
}
#python_test() {
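Review bot: The `sed -i 's/setuptools_git>=0.4//g' "${S}/setup.py"` line in src_prepare still has no failure check; ebuild convention is `sed -i 's/setuptools_git>=0.4//g' "${S}/setup.py" || die`, since a silently failing sed leaves the setuptools_git requirement in place. The added `distutils-r1_src_prepare` call is also, as far as I know for distutils-r1 under EAPI 5, what applies the PATCHES array — if that is right, the -r1 ebuild's src_prepare override meant none of the listed CVE patches were actually applied, which deserves an explicit mention in the ChangeLog entry so users know -r2 is the first revision carrying them.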
diff --git a/sys-cluster/nova/nova-2013.2-r1.ebuild b/sys-cluster/nova/nova-2013.2-r1.ebuild
deleted file mode 100644
index 7e5ed6f3a653..000000000000
--- a/sys-cluster/nova/nova-2013.2-r1.ebuild
+++ /dev/null
@@ -1,126 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2-r1.ebuild,v 1.5 2013/12/03 20:14:39 prometheanfire Exp $
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 eutils multilib
-
-DESCRIPTION="Nova is a cloud computing fabric controller (main part of an
-IaaS system). It is written in Python."
-HOMEPAGE="https://launchpad.net/nova"
-SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="+api +cert +compute +conductor +consoleauth +kvm +network +novncproxy +scheduler +spicehtml5proxy +xvpvncproxy sqlite mysql postgres xen"
-REQUIRED_USE="|| ( mysql postgres sqlite )
- || ( kvm xen )"
-
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- >=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]
- app-admin/sudo"
-RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[sqlite,${PYTHON_USEDEP}] )
- mysql? ( >=dev-python/sqlalchemy-0.7.8[mysql,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[mysql,${PYTHON_USEDEP}] )
- postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
- <dev-python/sqlalchemy-0.7.99[postgres,${PYTHON_USEDEP}] )
- >=dev-python/amqplib-0.6.1[${PYTHON_USEDEP}]
- >=dev-python/anyjson-0.3.3[${PYTHON_USEDEP}]
- virtual/python-argparse[${PYTHON_USEDEP}]
- >=dev-python/boto-2.4.0[${PYTHON_USEDEP}]
- !~dev-python/boto-2.13.0[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
- dev-python/jinja[${PYTHON_USEDEP}]
- >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
- >=dev-python/lxml-2.3[${PYTHON_USEDEP}]
- >=dev-python/routes-1.12.3-r1[${PYTHON_USEDEP}]
- >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
- <dev-python/webob-1.3[${PYTHON_USEDEP}]
- >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
- dev-python/paste[${PYTHON_USEDEP}]
- >=dev-python/sqlalchemy-migrate-0.7.2[${PYTHON_USEDEP}]
- dev-python/netaddr[${PYTHON_USEDEP}]
- >=dev-python/suds-0.4[${PYTHON_USEDEP}]
- >=dev-python/paramiko-1.8.0[${PYTHON_USEDEP}]
- dev-python/pyasn1[${PYTHON_USEDEP}]
- >=dev-python/Babel-0.9.6[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.4[${PYTHON_USEDEP}]
- >=dev-python/python-cinderclient-1.0.5[${PYTHON_USEDEP}]
- >=dev-python/python-neutronclient-2.3.0[${PYTHON_USEDEP}]
- <=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}]
- >=dev-python/python-glanceclient-0.9.0[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/stevedore-0.10[${PYTHON_USEDEP}]
- >=dev-python/websockify-0.5.1[${PYTHON_USEDEP}]
- <dev-python/websockify-0.6[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- dev-python/libvirt-python[${PYTHON_USEDEP}]
- novncproxy? ( www-apps/novnc )
- sys-apps/iproute2
- net-misc/openvswitch
- sys-fs/sysfsutils
- sys-fs/multipath-tools
- kvm? ( app-emulation/qemu )
- xen? ( app-emulation/xen
- app-emulation/xen-tools )"
-
-PATCHES=(
-)
-
-pkg_setup() {
- enewgroup nova
- enewuser nova -1 -1 /var/lib/nova nova
-}
-
-python_install() {
- distutils-r1_python_install
- newconfd "${FILESDIR}/nova-confd" "nova"
- newinitd "${FILESDIR}/nova-initd" "nova"
- use api && dosym /etc/init.d/nova /etc/init.d/nova-api
- use cert && dosym /etc/init.d/nova /etc/init.d/nova-cert
- use compute && dosym /etc/init.d/nova /etc/init.d/nova-compute
- use conductor && dosym /etc/init.d/nova /etc/init.d/nova-conductor
- use consoleauth && dosym /etc/init.d/nova /etc/init.d/nova-consoleauth
- use network && dosym /etc/init.d/nova /etc/init.d/nova-network
- use novncproxy &&dosym /etc/init.d/nova /etc/init.d/nova-novncproxy
- use scheduler && dosym /etc/init.d/nova /etc/init.d/nova-scheduler
- use spicehtml5proxy && dosym /etc/init.d/nova /etc/init.d/nova-spicehtml5proxy
- use xvpvncproxy && dosym /etc/init.d/nova /etc/init.d/nova-xvpncproxy
-
- diropts -m 0750
- dodir /var/run/nova /var/log/nova /var/lock/nova
- fowners nova:nova /var/log/nova /var/lock/nova /var/run/nova
-
- diropts -m 0755
- dodir /var/lib/nova/instances
- fowners nova:nova /var/lib/nova/instances
-
- keepdir /etc/nova
- insinto /etc/nova
- newins "etc/nova/nova.conf.sample" "nova.conf"
- doins "etc/nova/api-paste.ini"
- doins "etc/nova/logging_sample.conf"
- doins "etc/nova/policy.json"
- doins "etc/nova/rootwrap.conf"
- insinto /etc/nova/rootwrap.d
- doins "etc/nova/rootwrap.d/api-metadata.filters"
- doins "etc/nova/rootwrap.d/compute.filters"
- doins "etc/nova/rootwrap.d/network.filters"
-
- #copy migration conf file (not coppied on install via setup.py script)
- insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
- doins "nova/db/sqlalchemy/migrate_repo/migrate.cfg"
-
- #copy the CA cert dir (not coppied on install via setup.py script)
- cp -R "${S}/nova/CA" "${D}/usr/$(get_libdir)/python2.7/site-packages/nova/" || die "isntalling CA files failed"
-
- #add sudoers definitions for user nova
- insinto /etc/sudoers.d/
- doins "${FILESDIR}/nova-sudoers"
-}
diff --git a/sys-cluster/nova/nova-2013.2-r2.ebuild b/sys-cluster/nova/nova-2013.2-r3.ebuild
index 88bab45e4644..fe1912f5f7ce 100644
--- a/sys-cluster/nova/nova-2013.2-r2.ebuild
+++ b/sys-cluster/nova/nova-2013.2-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2-r2.ebuild,v 1.2 2013/11/30 12:46:49 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2-r3.ebuild,v 1.1 2013/12/13 21:10:35 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -60,7 +60,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
>=dev-python/websockify-0.5.1[${PYTHON_USEDEP}]
<dev-python/websockify-0.6[${PYTHON_USEDEP}]
>=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
- app-emulation/libvirt[${PYTHON_USEDEP}]
+ dev-python/libvirt-python[${PYTHON_USEDEP}]
novncproxy? ( www-apps/novnc )
sys-apps/iproute2
net-misc/openvswitch
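Review bot: The RDEPEND change from `app-emulation/libvirt[${PYTHON_USEDEP}]` to `dev-python/libvirt-python[${PYTHON_USEDEP}]` is unrelated to CVE-2013-6419 and is not mentioned in the commit message or the ChangeLog entry; a revbump whose stated purpose is a security fix should record its other behavioural changes, e.g. append `; switch to dev-python/libvirt-python for the bindings` to the 13 Dec 2013 ChangeLog line. The RDEPEND string starts and ends outside this hunk.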
@@ -72,6 +72,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
PATCHES=(
"${FILESDIR}/CVE-2013-4463_4469-havana.patch"
+ "${FILESDIR}/CVE-2013-6419_2013.2.patch"
)
pkg_setup() {
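Review bot: Adding `"${FILESDIR}/CVE-2013-6419_2013.2.patch"` to PATCHES only has an effect if this ebuild's src_prepare (outside the hunk) calls `distutils-r1_src_prepare`; the 2013.1.4-r2 ebuild in this same commit had to add that call before its PATCHES were applied, so please confirm the 2013.2-r3 ebuild does the same, otherwise the CVE fix is listed but never applied. A quick post-merge check is to look for the X-Tenant-ID handling in the installed nova/api/metadata/handler.py.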