author | Matthew Thode <prometheanfire@gentoo.org> | 2014-04-11 15:12:49 +0000 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2014-04-11 15:12:49 +0000 |
commit | 9877a951ce95729db92b9f984bf011151b48bf95 (patch) | |
tree | 53f700d6ff86b78597308e6957c396e50723a186 /sys-cluster | |
parent | Optionalize dev-libs/keybinder with USE="keybinder" (diff) | |
fix for CVE-2014-0167
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster')
-rw-r--r-- | sys-cluster/nova/ChangeLog | 9 | ||||
-rw-r--r-- | sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch | 145 | ||||
-rw-r--r-- | sys-cluster/nova/nova-2013.2.3-r1.ebuild (renamed from sys-cluster/nova/nova-2013.2.3.ebuild) | 3 |
3 files changed, 155 insertions, 2 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index fc37b78f545e..7999d793aded 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for sys-cluster/nova
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.58 2014/04/06 06:32:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.59 2014/04/11 15:12:49 prometheanfire Exp $
+
+*nova-2013.2.3-r1 (11 Apr 2014)
+
+ 11 Apr 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2014-0167-2013.2.3.patch, +nova-2013.2.3-r1.ebuild,
+ -nova-2013.2.3.ebuild:
+ fix for CVE-2014-0167
 
 *nova-2013.2.3 (06 Apr 2014)
 
diff --git a/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch b/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch
new file mode 100644
index 000000000000..a29c9bde6439
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2014-0167-2013.2.3.patch
@@ -0,0 +1,145 @@
+From 5a1adb94e77f7be4885e4d86087140b94421c963 Mon Sep 17 00:00:00 2001
+From: Andrew Laski <andrew.laski@rackspace.com>
+Date: Thu, 3 Apr 2014 16:37:36 -0400
+Subject: [PATCH] Add RBAC policy for ec2 API security groups calls
+
+The revoke_security_group_ingress, revoke_security_group_ingress, and
+delete_security_group calls in the ec2 API were not restricted by policy
+checks. This prevented a deployer from restricting their usage via
+roles or other checks. Checks have been added for these calls.
+
+Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
+---
+ nova/api/ec2/cloud.py | 10 +++++++++
+ nova/tests/api/ec2/test_cloud.py | 44 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
+index 94ff160..36c2f12 100644
+--- a/nova/api/ec2/cloud.py
++++ b/nova/api/ec2/cloud.py
+@@ -30,6 +30,7 @@ from oslo.config import cfg
+ from nova.api.ec2 import ec2utils
+ from nova.api.ec2 import inst_state
+ from nova.api.metadata import password
++from nova.api.openstack import extensions
+ from nova.api import validator
+ from nova import availability_zones
+ from nova import block_device
+@@ -85,6 +86,9 @@ LOG = logging.getLogger(__name__)
+ 
+ QUOTAS = quota.QUOTAS
+ 
++security_group_authorizer = extensions.extension_authorizer('compute',
++ 'security_groups')
++
+ 
+ def validate_ec2_id(val):
+ if not validator.validate_str()(val):
+@@ -631,6 +635,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+ 
++ security_group_authorizer(context, security_group)
++
+ prevalues = kwargs.get('ip_permissions', [kwargs])
+ 
+ rule_ids = []
+@@ -665,6 +671,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+ 
++ security_group_authorizer(context, security_group)
++
+ prevalues = kwargs.get('ip_permissions', [kwargs])
+ postvalues = []
+ for values in prevalues:
+@@ -737,6 +745,8 @@ class CloudController(object):
+ security_group = self.security_group_api.get(context, group_name,
+ group_id)
+ 
++ security_group_authorizer(context, security_group)
++
+ self.security_group_api.destroy(context, security_group)
+ 
+ return True
+diff --git a/nova/tests/api/ec2/test_cloud.py b/nova/tests/api/ec2/test_cloud.py
+index 269a738..b28d194 100644
+--- a/nova/tests/api/ec2/test_cloud.py
++++ b/nova/tests/api/ec2/test_cloud.py
+@@ -23,6 +23,7 @@ import copy
+ import datetime
+ import functools
+ import iso8601
++import mock
+ import os
+ import string
+ import tempfile
+@@ -47,6 +48,7 @@ from nova.image import s3
+ from nova.network import api as network_api
+ from nova.network import neutronv2
+ from nova.openstack.common import log as logging
++from nova.openstack.common import policy as common_policy
+ from nova.openstack.common import timeutils
+ from nova import test
+ from nova.tests.api.openstack.compute.contrib import (
+@@ -471,6 +473,34 @@ class CloudTestCase(test.TestCase):
+ delete = self.cloud.delete_security_group
+ self.assertRaises(exception.MissingParameter, delete, self.context)
+ 
++ def test_delete_security_group_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.delete_security_group, self.context,
++ 'fake-name', 'fake-id')
++
++ def test_authorize_security_group_ingress_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.authorize_security_group_ingress, self.context,
++ 'fake-name', 'fake-id')
++
+ def test_authorize_security_group_ingress(self):
+ kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+ sec = db.security_group_create(self.context, kwargs)
+@@ -575,6 +605,20 @@ class CloudTestCase(test.TestCase):
+ db.security_group_destroy(self.context, sec2['id'])
+ db.security_group_destroy(self.context, sec1['id'])
+ 
++ def test_revoke_security_group_ingress_policy_not_allowed(self):
++ rules = common_policy.Rules(
++ {'compute_extension:security_groups':
++ common_policy.parse_rule('project_id:%(project_id)s')})
++ common_policy.set_rules(rules)
++
++ with mock.patch.object(self.cloud.security_group_api,
++ 'get') as get:
++ get.return_value = {'project_id': 'invalid'}
++
++ self.assertRaises(exception.PolicyNotAuthorized,
++ self.cloud.revoke_security_group_ingress, self.context,
++ 'fake-name', 'fake-id')
++
+ def test_revoke_security_group_ingress(self):
+ kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+ sec = db.security_group_create(self.context, kwargs)
+--
+1.7.9.5
+
+
diff --git a/sys-cluster/nova/nova-2013.2.3.ebuild b/sys-cluster/nova/nova-2013.2.3-r1.ebuild
index 2571904f99ba..df210a182a5e 100644
--- a/sys-cluster/nova/nova-2013.2.3.ebuild
+++ b/sys-cluster/nova/nova-2013.2.3-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.3.ebuild,v 1.1 2014/04/06 06:32:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:12:49 prometheanfire Exp $
 
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -72,6 +72,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
 app-emulation/xen-tools )"
 
 PATCHES=(
+ "${FILESDIR}/CVE-2014-0167-2013.2.3.patch"
 )
 
 pkg_setup() { |
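Review bot: In each of the three `CloudController` hunks of the embedded patch (`@@ -631`, `@@ -665`, `@@ -737`) the new `security_group_authorizer(context, security_group)` call is placed after `self.security_group_api.get(context, group_name, group_id)`, so the group lookup (and presumably its not-found failure) completes before the policy check runs; the authorizer evidently needs the resolved group as its policy target, so the ordering is inherent, but it means a caller the policy rejects still gets a different outcome for an unknown name or id than for an existing one, and none of the added `*_policy_not_allowed` tests pins that unknown-group path. The three enclosing methods start outside the hunks, so the parameter handling before `get` cannot be confirmed here. The embedded patch description lists `revoke_security_group_ingress` twice where the first is presumably `authorize_security_group_ingress` (the `@@ -631` hunk and `test_authorize_security_group_ingress_policy_not_allowed` point to it); since this is a vendored upstream patch its wording should stay, but the ChangeLog entry could name the three covered calls so the downstream reader does not rely on the mistyped message.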
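Review bot: The `PATCHES` entry added at `@@ -72,6 +72,7` brings in a patch that also modifies `nova/tests/api/ec2/test_cloud.py`, adding `import mock` and a `common_policy` import, so the ebuild's test-time dependencies should list `dev-python/mock` behind the test USE flag if they do not already; the DEPEND block lies outside this hunk so I cannot confirm it from here. Whether `PATCHES` is applied at all depends on the eclass-provided prepare phase (or an explicit `epatch` call) in the rest of the ebuild, which is likewise out of view. A one-line comment above the entry would help future bumps: `# CVE-2014-0167: RBAC policy checks for ec2 security group calls (upstream Change-Id I4bf681bedd68ed2216b429d34db735823e0a6189, backported to 2013.2.3)`.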