
From: Matthias Maier <tamiko@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/, app-emulation/libvirt/files/
Date: Fri, 01 Sep 2017 02:01:54
Message-Id: 1504230927.02110c0d470e8549a31ae8bf953c8bd514185c68.tamiko@gentoo
1 commit: 02110c0d470e8549a31ae8bf953c8bd514185c68
2 Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
3 AuthorDate: Fri Sep 1 01:48:57 2017 +0000
4 Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
5 CommitDate: Fri Sep 1 01:55:27 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02110c0d
7
8 app-emulation/libvirt: version bump to 3.6.0, bug #627780
9
10 Package-Manager: Portage-2.3.6, Repoman-2.3.3
11
12 app-emulation/libvirt/Manifest | 1 +
13 .../libvirt-3.6.0-ssh-malicious-hostname-fix.patch | 47 +++
14 app-emulation/libvirt/libvirt-3.6.0.ebuild | 383 +++++++++++++++++++++
15 3 files changed, 431 insertions(+)
16
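diff --git a/app-emulation/libvirt/Manifest b/app-emulation/libvirt/Manifest
index 36e0d82c84f..b58b705d38b 100644
--- a/app-emulation/libvirt/Manifest
+++ b/app-emulation/libvirt/Manifest
@@ -2,3 +2,4 @@ DIST libvirt-3.2.0.tar.xz 14057340 SHA256 9481a083b567a07927f239553dd70b5c0d1bff
 DIST libvirt-3.3.0.tar.xz 14043384 SHA256 29e00984174e33cf2183b478382c017de26860452ffee17b73871051264ebb1b SHA512 69166ddd7d4b9ef3b1bf2466e781139ef9b4d224a64acc7b8e6fca8786d36482138a1fe7b7407c0fca3b3d012cb418d168671a3e65e428f023c16493b7718c2d WHIRLPOOL 1b2688f6b9a89608677070b5ce1fd2b2af115336126d4214071bc1abba25056d54dbbf16d6bdfab7582b252a833d3e53e51175d552d5c936b08973c0eed76643
 DIST libvirt-3.4.0.tar.xz 14630904 SHA256 42186af6225904d2ada0b494fda4fa777fe5e662a9134686816e7919332c248d SHA512 41a3374e8a171827dfc11feb2ae8c1a9d889912257191b94111f53bbe0521d5bc73c824ea856e4cece257918b244120e9f44c800abe23d0296c85c18b5d14461 WHIRLPOOL 3b4b9ad35f590748fbc63595fab86671f66674d2c40fa8e02860265a39be5b48ed9c66c14ac235b36d29d833475aebbbf57f691e53ac2bd324dacb16507793bf
 DIST libvirt-3.5.0.tar.xz 14695760 SHA256 2963bae30d41411a2a8184de6a69cc3bd4dba14d2824b67906263dc35b27b516 SHA512 319d1573e55df0cbfd0808d658fb4ef5484d8381db6fe348b36a650ea60b62b7146882e616e9494109d44c8e57ed956137fb7b51c3895d96bd19e9aee6a3e82c WHIRLPOOL 90dc243e8fb8e619af319f2a8469dc98109a6200bee94f09508c22a75e90f82edf278796cf53ca38a7649e5ad1f5f4c0a258395624f830c1a42538519200637a
+DIST libvirt-3.6.0.tar.xz 14797704 SHA256 3a2c97f6950796f300f6a2e0404f4de8e51c3b9430cdb82738439adb0ac59e3d SHA512 6cde735a18cb71c9e6dbb25cd2a8f9c72d55ad7d74bdf97b00d784593f0bc59498917fb235ce04de4428899241520d87bf19c015b80282b3d0c12918d9b8b288 WHIRLPOOL 8185ad998158bac9aa6bc0dd0f590a3d9fb393ad94d308bdc84e60ac5c56e110d5f4a2355e2a10b01a6521d8261ae7484aee275e12a17cc7f2830f169e990596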
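diff --git a/app-emulation/libvirt/files/libvirt-3.6.0-ssh-malicious-hostname-fix.patch b/app-emulation/libvirt/files/libvirt-3.6.0-ssh-malicious-hostname-fix.patch
new file mode 100644
index 00000000000..62892841276
--- /dev/null
+++ b/app-emulation/libvirt/files/libvirt-3.6.0-ssh-malicious-hostname-fix.patch
@@ -0,0 +1,47 @@
+From e4cb8500810a310a10a6cb359e1b53fac03ed597 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@××××××.com>
+Date: Fri, 11 Aug 2017 17:19:53 +0100
+Subject: [PATCH] rpc: avoid ssh interpreting malicious hostname as arguments
+
+Inspired by the recent GIT / Mercurial security flaws
+(http://blog.recurity-labs.com/2017-08-10/scm-vulns),
+consider someone/something manages to feed libvirt a bogus
+URI such as:
+
+ virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system
+
+In this case, the hosname "-oProxyCommand=gnome-calculator"
+will get interpreted as an argument to ssh, not a hostname.
+Fortunately, due to the set of args we have following the
+hostname, SSH will then interpret our bit of shell script
+that runs 'nc' on the remote host as a cipher name, which is
+clearly invalid. This makes ssh exit during argv parsing and
+so it never tries to run gnome-calculator.
+
+We are lucky this time, but lets be more paranoid, by using
+'--' to explicitly tell SSH when it has finished seeing
+command line options. This forces it to interpret
+"-oProxyCommand=gnome-calculator" as a hostname, and thus
+see a fail from hostname lookup.
+
+Signed-off-by: Daniel P. Berrange <berrange@××××××.com>
+---
+ src/rpc/virnetsocket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index d228c8a8c..23089afef 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -868,7 +868,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
+ if (!netcat)
+ netcat = "nc";
+
+- virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);
++ virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);
+
+ virBufferEscapeShell(&buf, netcat);
+ if (virBufferCheckError(&buf) < 0) {
+--
+2.13.5
+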
81 diff --git a/app-emulation/libvirt/libvirt-3.6.0.ebuild b/app-emulation/libvirt/libvirt-3.6.0.ebuild
82 new file mode 100644
83 index 00000000000..90f74a64df1
84 --- /dev/null
85 +++ b/app-emulation/libvirt/libvirt-3.6.0.ebuild
86 @@ -0,0 +1,383 @@
87 +# Copyright 1999-2017 Gentoo Foundation
88 +# Distributed under the terms of the GNU General Public License v2
89 +
90 +EAPI=6
91 +
92 +inherit autotools eutils user linux-info systemd readme.gentoo-r1
93 +
94 +if [[ ${PV} = *9999* ]]; then
95 + inherit git-r3
96 + EGIT_REPO_URI="git://libvirt.org/libvirt.git"
97 + SRC_URI=""
98 + KEYWORDS=""
99 + SLOT="0"
100 +else
101 + # Versions with 4 numbers are stable updates:
102 + if [[ ${PV} =~ ^[0-9]+(\.[0-9]+){3} ]]; then
103 + SRC_URI="http://libvirt.org/sources/stable_updates/${P}.tar.xz"
104 + else
105 + SRC_URI="http://libvirt.org/sources/${P}.tar.xz"
106 + fi
107 + KEYWORDS="~amd64 ~arm64 ~x86"
108 + SLOT="0/${PV}"
109 +fi
110 +
111 +DESCRIPTION="C toolkit to manipulate virtual machines"
112 +HOMEPAGE="http://www.libvirt.org/"
113 +LICENSE="LGPL-2.1"
114 +IUSE="
115 + apparmor audit +caps +dbus firewalld fuse glusterfs iscsi +libvirtd lvm
116 + libssh lxc +macvtap nfs nls numa openvz parted pcap phyp policykit
117 + +qemu rbd sasl selinux +udev uml +vepa virtualbox virt-network
118 + wireshark-plugins xen zeroconf zfs elibc_glibc
119 +"
120 +
121 +REQUIRED_USE="
122 + firewalld? ( virt-network )
123 + libvirtd? ( || ( lxc openvz qemu uml virtualbox xen ) )
124 + lxc? ( caps libvirtd )
125 + openvz? ( libvirtd )
126 + policykit? ( dbus )
127 + qemu? ( libvirtd )
128 + uml? ( libvirtd )
129 + vepa? ( macvtap )
130 + virt-network? ( libvirtd )
131 + virtualbox? ( libvirtd )
132 + xen? ( libvirtd )"
133 +
134 +# gettext.sh command is used by the libvirt command wrappers, and it's
135 +# non-optional, so put it into RDEPEND.
136 +# We can use both libnl:1.1 and libnl:3, but if you have both installed, the
137 +# package will use 3 by default. Since we don't have slot pinning in an API,
138 +# we must go with the most recent
139 +RDEPEND="
140 + app-misc/scrub
141 + dev-libs/libgcrypt:0
142 + dev-libs/libnl:3
143 + >=dev-libs/libxml2-2.7.6
144 + || ( >=net-analyzer/netcat6-1.0-r2 >=net-analyzer/openbsd-netcat-1.105-r1 )
145 + >=net-libs/gnutls-1.0.25:0=
146 + net-libs/libssh2
147 + >=net-misc/curl-7.18.0
148 + sys-apps/dmidecode
149 + >=sys-apps/util-linux-2.17
150 + sys-devel/gettext
151 + sys-libs/ncurses:0=
152 + sys-libs/readline:=
153 + apparmor? ( sys-libs/libapparmor )
154 + audit? ( sys-process/audit )
155 + caps? ( sys-libs/libcap-ng )
156 + dbus? ( sys-apps/dbus )
157 + elibc_glibc? ( sys-libs/glibc[rpc(+)] )
158 + firewalld? ( net-firewall/firewalld )
159 + fuse? ( >=sys-fs/fuse-2.8.6:= )
160 + glusterfs? ( >=sys-cluster/glusterfs-3.4.1 )
161 + iscsi? ( sys-block/open-iscsi )
162 + libssh? ( net-libs/libssh )
163 + lvm? ( >=sys-fs/lvm2-2.02.48-r2[-device-mapper-only(-)] )
164 + nfs? ( net-fs/nfs-utils )
165 + numa? (
166 + >sys-process/numactl-2.0.2
167 + sys-process/numad
168 + )
169 + openvz? ( sys-kernel/openvz-sources:* )
170 + parted? (
171 + >=sys-block/parted-1.8[device-mapper]
172 + sys-fs/lvm2[-device-mapper-only(-)]
173 + )
174 + pcap? ( >=net-libs/libpcap-1.0.0 )
175 + policykit? ( >=sys-auth/polkit-0.9 )
176 + qemu? (
177 + >=app-emulation/qemu-0.13.0
178 + dev-libs/yajl
179 + )
180 + rbd? ( sys-cluster/ceph )
181 + sasl? ( dev-libs/cyrus-sasl )
182 + selinux? ( >=sys-libs/libselinux-2.0.85 )
183 + virt-network? (
184 + net-dns/dnsmasq[script]
185 + net-firewall/ebtables
186 + >=net-firewall/iptables-1.4.10[ipv6]
187 + net-misc/radvd
188 + sys-apps/iproute2[-minimal]
189 + )
190 + virtualbox? ( || ( app-emulation/virtualbox >=app-emulation/virtualbox-bin-2.2.0 ) )
191 + wireshark-plugins? ( net-analyzer/wireshark:= )
192 + xen? (
193 + app-emulation/xen
194 + app-emulation/xen-tools:=
195 + )
196 + udev? (
197 + virtual/udev
198 + >=x11-libs/libpciaccess-0.10.9
199 + )
200 + zeroconf? ( >=net-dns/avahi-0.6[dbus] )
201 + zfs? ( sys-fs/zfs )"
202 +
203 +DEPEND="${RDEPEND}
204 + app-text/xhtml1
205 + dev-lang/perl
206 + dev-libs/libxslt
207 + dev-perl/XML-XPath
208 + virtual/pkgconfig"
209 +
210 +PATCHES=(
211 + "${FILESDIR}"/${PN}-1.3.0-do_not_use_sysconf.patch
212 + "${FILESDIR}"/${PN}-1.2.16-fix_paths_in_libvirt-guests_sh.patch
213 + "${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch
214 + "${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch
215 + "${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch # bug #609488
216 + "${FILESDIR}"/${PN}-3.6.0-ssh-malicious-hostname-fix.patch # bug #629462
217 +)
218 +
219 +pkg_setup() {
220 + if use qemu; then
221 + enewgroup qemu 77
222 + enewuser qemu 77 -1 -1 "qemu,kvm"
223 + fi
224 +
225 + use policykit && enewgroup libvirt
226 +
227 + # Check kernel configuration:
228 + CONFIG_CHECK=""
229 + use fuse && CONFIG_CHECK+="
230 + ~FUSE_FS"
231 +
232 + use lvm && CONFIG_CHECK+="
233 + ~BLK_DEV_DM
234 + ~DM_MULTIPATH
235 + ~DM_SNAPSHOT"
236 +
237 + use lxc && CONFIG_CHECK+="
238 + ~BLK_CGROUP
239 + ~CGROUP_CPUACCT
240 + ~CGROUP_DEVICE
241 + ~CGROUP_FREEZER
242 + ~CGROUP_NET_PRIO
243 + ~CGROUP_PERF
244 + ~CGROUPS
245 + ~CGROUP_SCHED
246 + ~CPUSETS
247 + ~IPC_NS
248 + ~MACVLAN
249 + ~NAMESPACES
250 + ~NET_CLS_CGROUP
251 + ~NET_NS
252 + ~PID_NS
253 + ~POSIX_MQUEUE
254 + ~SECURITYFS
255 + ~USER_NS
256 + ~UTS_NS
257 + ~VETH
258 + ~!GRKERNSEC_CHROOT_MOUNT
259 + ~!GRKERNSEC_CHROOT_DOUBLE
260 + ~!GRKERNSEC_CHROOT_PIVOT
261 + ~!GRKERNSEC_CHROOT_CHMOD
262 + ~!GRKERNSEC_CHROOT_CAPS"
263 +
264 + kernel_is lt 4 7 && use lxc && CONFIG_CHECK+="
265 + ~DEVPTS_MULTIPLE_INSTANCES"
266 +
267 + use macvtap && CONFIG_CHECK+="
268 + ~MACVTAP"
269 +
270 + use virt-network && CONFIG_CHECK+="
271 + ~BRIDGE_EBT_MARK_T
272 + ~BRIDGE_NF_EBTABLES
273 + ~NETFILTER_ADVANCED
274 + ~NETFILTER_XT_CONNMARK
275 + ~NETFILTER_XT_MARK
276 + ~NETFILTER_XT_TARGET_CHECKSUM"
277 + # Bandwidth Limiting Support
278 + use virt-network && CONFIG_CHECK+="
279 + ~BRIDGE_EBT_T_NAT
280 + ~NET_ACT_POLICE
281 + ~NET_CLS_FW
282 + ~NET_CLS_U32
283 + ~NET_SCH_HTB
284 + ~NET_SCH_INGRESS
285 + ~NET_SCH_SFQ"
286 +
287 + # Handle specific kernel versions for different features
288 + kernel_is lt 3 6 && CONFIG_CHECK+=" ~CGROUP_MEM_RES_CTLR"
289 + if kernel_is ge 3 6; then
290 + CONFIG_CHECK+=" ~MEMCG ~MEMCG_SWAP "
291 + kernel_is lt 4 5 && CONFIG_CHECK+=" ~MEMCG_KMEM "
292 + fi
293 +
294 + ERROR_USER_NS="Optional depending on LXC configuration."
295 +
296 + if [[ -n ${CONFIG_CHECK} ]]; then
297 + linux-info_pkg_setup
298 + fi
299 +}
300 +
301 +src_prepare() {
302 + touch "${S}/.mailmap"
303 +
304 + default
305 +
306 + if [[ ${PV} = *9999* ]]; then
307 + # git checkouts require bootstrapping to create the configure script.
308 + # Additionally the submodules must be cloned to the right locations
309 + # bug #377279
310 + ./bootstrap || die "bootstrap failed"
311 + (
312 + git submodule status | sed 's/^[ +-]//;s/ .*//'
313 + git hash-object bootstrap.conf
314 + ) >.git-module-status
315 + fi
316 +
317 + # Tweak the init script:
318 + cp "${FILESDIR}/libvirtd.init-r16" "${S}/libvirtd.init" || die
319 + sed -e "s/USE_FLAG_FIREWALLD/$(usex firewalld 'need firewalld' '')/" \
320 + -e "s/USE_FLAG_AVAHI/$(usex zeroconf 'use avahi-daemon' '')/" \
321 + -e "s/USE_FLAG_ISCSI/$(usex iscsi 'use iscsid' '')/" \
322 + -e "s/USE_FLAG_RBD/$(usex rbd 'use ceph' '')/" \
323 + -i "${S}/libvirtd.init" || die "sed failed"
324 +
325 + eautoreconf
326 +}
327 +
328 +src_configure() {
329 + local myeconfargs=(
330 + $(use_with apparmor)
331 + $(use_with apparmor apparmor-profiles)
332 + $(use_with audit)
333 + $(use_with caps capng)
334 + $(use_with dbus)
335 + $(use_with firewalld)
336 + $(use_with fuse)
337 + $(use_with glusterfs)
338 + $(use_with glusterfs storage-gluster)
339 + $(use_with iscsi storage-iscsi)
340 + $(use_with libvirtd)
341 + $(use_with libssh)
342 + $(use_with lvm storage-lvm)
343 + $(use_with lvm storage-mpath)
344 + $(use_with lxc)
345 + $(use_with macvtap)
346 + $(use_enable nls)
347 + $(use_with numa numactl)
348 + $(use_with numa numad)
349 + $(use_with openvz)
350 + $(use_with parted storage-disk)
351 + $(use_with pcap libpcap)
352 + $(use_with phyp)
353 + $(use_with policykit polkit)
354 + $(use_with qemu)
355 + $(use_with qemu yajl)
356 + $(use_with rbd storage-rbd)
357 + $(use_with sasl)
358 + $(use_with selinux)
359 + $(use_with udev)
360 + $(use_with uml)
361 + $(use_with vepa virtualport)
362 + $(use_with virt-network network)
363 + $(use_with wireshark-plugins wireshark-dissector)
364 + $(use_with xen)
365 + $(use_with xen xen-inotify)
366 + $(use_with xen libxl)
367 + $(use_with zeroconf avahi)
368 + $(use_with zfs storage-zfs)
369 +
370 + --without-hal
371 + --without-netcf
372 + --without-sanlock
373 + --without-xenapi
374 +
375 + --with-esx
376 + --with-init-script=systemd
377 + --with-qemu-group=$(usex caps qemu root)
378 + --with-qemu-user=$(usex caps qemu root)
379 + --with-remote
380 + --with-storage-fs
381 + --with-vmware
382 +
383 + --disable-static
384 + --disable-werror
385 +
386 + --with-html-subdir=${PF}/html
387 + --localstatedir=/var
388 + )
389 +
390 + if use virtualbox && has_version app-emulation/virtualbox-ose; then
391 + myeconfargs+=( --with-vbox=/usr/lib/virtualbox-ose/ )
392 + else
393 + myeconfargs+=( $(use_with virtualbox vbox) )
394 + fi
395 +
396 + econf "${myeconfargs[@]}"
397 +
398 + if [[ ${PV} = *9999* ]]; then
399 + # Restore gnulib's config.sub and config.guess
400 + # bug #377279
401 + (cd .gnulib && git reset --hard > /dev/null)
402 + fi
403 +}
404 +
405 +src_test() {
406 + cd "${BUILD_DIR}"
407 +
408 + # remove problematic tests, bug #591416, bug #591418
409 + sed -i -e 's#commandtest$(EXEEXT) # #' \
410 + -e 's#virfirewalltest$(EXEEXT) # #' \
411 + -e 's#nwfilterebiptablestest$(EXEEXT) # #' \
412 + -e 's#nwfilterxml2firewalltest$(EXEEXT)$##' \
413 + tests/Makefile
414 +
415 + export VIR_TEST_DEBUG=1
416 + HOME="${T}" emake check || die "tests failed"
417 +}
418 +
419 +src_install() {
420 + emake DESTDIR="${D}" \
421 + SYSTEMD_UNIT_DIR="$(systemd_get_systemunitdir)" install
422 +
423 + find "${D}" -name '*.la' -delete || die
424 +
425 + # Remove bogus, empty directories. They are either not used, or
426 + # libvirtd is able to create them on demand
427 + rm -rf "${D}"/etc/sysconfig
428 + rm -rf "${D}"/var/cache
429 + rm -rf "${D}"/var/run
430 + rm -rf "${D}"/var/log
431 +
432 + use libvirtd || return 0
433 + # From here, only libvirtd-related instructions, be warned!
434 +
435 + systemd_install_serviced \
436 + "${FILESDIR}"/libvirtd.service.conf libvirtd.service
437 +
438 + systemd_newtmpfilesd "${FILESDIR}"/libvirtd.tmpfiles.conf libvirtd.conf
439 +
440 + newinitd "${S}/libvirtd.init" libvirtd || die
441 + newinitd "${FILESDIR}/libvirt-guests.init-r2" libvirt-guests || die
442 + newinitd "${FILESDIR}/virtlockd.init-r1" virtlockd || die
443 + newinitd "${FILESDIR}/virtlogd.init-r1" virtlogd || die
444 +
445 + newconfd "${FILESDIR}/libvirtd.confd-r5" libvirtd || die
446 + newconfd "${FILESDIR}/libvirt-guests.confd" libvirt-guests || die
447 +
448 + DOC_CONTENTS=$(<"${FILESDIR}/README.gentoo-r2")
449 + DISABLE_AUTOFORMATTING=true
450 + readme.gentoo_create_doc
451 +}
452 +
453 +pkg_preinst() {
454 + # we only ever want to generate this once
455 + if [[ -e "${ROOT}"/etc/libvirt/qemu/networks/default.xml ]]; then
456 + rm -rf "${D}"/etc/libvirt/qemu/networks/default.xml
457 + fi
458 +}
459 +
460 +pkg_postinst() {
461 + if [[ -e "${ROOT}"/etc/libvirt/qemu/networks/default.xml ]]; then
462 + touch "${ROOT}"/etc/libvirt/qemu/networks/default.xml
463 + fi
464 +
465 + use libvirtd || return 0
466 + # From here, only libvirtd-related instructions, be warned!
467 +
468 + readme.gentoo_print_elog
469 +}