
From: Matthias Maier <tamiko@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/files/, app-emulation/libvirt/
Date: Wed, 15 Nov 2017 00:22:33
Message-Id: 1510705340.5d6f35fa50d81d06f2da8427d6ab6662100b38aa.tamiko@gentoo
1 commit: 5d6f35fa50d81d06f2da8427d6ab6662100b38aa
2 Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
3 AuthorDate: Wed Nov 15 00:19:38 2017 +0000
4 Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 15 00:22:20 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d6f35fa
7
8 app-emulation/libvirt: drop vulnerable (bug #635174)
9
10 Package-Manager: Portage-2.3.13, Repoman-2.3.4
11
12 app-emulation/libvirt/Manifest | 1 -
13 .../libvirt-3.6.0-ssh-malicious-hostname-fix.patch | 47 ---
14 app-emulation/libvirt/libvirt-3.6.0.ebuild | 382 ---------------------
15 3 files changed, 430 deletions(-)
16
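--- a/app-emulation/libvirt/Manifest
+++ b/app-emulation/libvirt/Manifest
@@ -1,3 +1,2 @@
-DIST libvirt-3.6.0.tar.xz 14797704 SHA256 3a2c97f6950796f300f6a2e0404f4de8e51c3b9430cdb82738439adb0ac59e3d SHA512 6cde735a18cb71c9e6dbb25cd2a8f9c72d55ad7d74bdf97b00d784593f0bc59498917fb235ce04de4428899241520d87bf19c015b80282b3d0c12918d9b8b288 WHIRLPOOL 8185ad998158bac9aa6bc0dd0f590a3d9fb393ad94d308bdc84e60ac5c56e110d5f4a2355e2a10b01a6521d8261ae7484aee275e12a17cc7f2830f169e990596
 DIST libvirt-3.8.0.tar.xz 14868712 SHA256 73eba834089ed0ce74e3183a7f12cf0c6f7de08e9a700b5456c62fb124f903f9 SHA512 fc48f29b493a5ec2b3586f6c5df0b8cb81f3f26be847bc42acfb6481d45970edc760dda0232ad57b95b8cf13382d0269dd3edf4a744040cda15b835d32d8c672 WHIRLPOOL af36d20c2713398f0d7aaf1b9fc2bcf978abc096d3070cb7cb1efa6680204e591e02b03340f4d862f6e7d1fabd4135cba23eef8ccd459264a44a052acf0e509e
 DIST libvirt-3.9.0.tar.xz 15010344 SHA256 89fc63213291d329d537ea96e363fd609160da080322973bd1126d431ff63424 SHA512 59878fe5f98ffb73f949315c02ec19f6a075cab21f695c9b98927d17fdc0820d6fd0aa6a9820a6bdb8e6957884a9dccc30b175bc5a3d8d25617546cccd460a38 WHIRLPOOL 9d00863262aefe3ee07653bb7b8fd5bd83efe08289edd106fd04acb93ddf9a65880fcc974b80f45057c410b87ea3233a2e09b4cc9475ee3fd65d597d2c4916ea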
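--- a/app-emulation/libvirt/files/libvirt-3.6.0-ssh-malicious-hostname-fix.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From e4cb8500810a310a10a6cb359e1b53fac03ed597 Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange" <berrange@××××××.com>
-Date: Fri, 11 Aug 2017 17:19:53 +0100
-Subject: [PATCH] rpc: avoid ssh interpreting malicious hostname as arguments
-
-Inspired by the recent GIT / Mercurial security flaws
-(http://blog.recurity-labs.com/2017-08-10/scm-vulns),
-consider someone/something manages to feed libvirt a bogus
-URI such as:
-
- virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system
-
-In this case, the hosname "-oProxyCommand=gnome-calculator"
-will get interpreted as an argument to ssh, not a hostname.
-Fortunately, due to the set of args we have following the
-hostname, SSH will then interpret our bit of shell script
-that runs 'nc' on the remote host as a cipher name, which is
-clearly invalid. This makes ssh exit during argv parsing and
-so it never tries to run gnome-calculator.
-
-We are lucky this time, but lets be more paranoid, by using
-'--' to explicitly tell SSH when it has finished seeing
-command line options. This forces it to interpret
-"-oProxyCommand=gnome-calculator" as a hostname, and thus
-see a fail from hostname lookup.
-
-Signed-off-by: Daniel P. Berrange <berrange@××××××.com>
----
- src/rpc/virnetsocket.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
-index d228c8a8c..23089afef 100644
---- a/src/rpc/virnetsocket.c
-+++ b/src/rpc/virnetsocket.c
-@@ -868,7 +868,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
- if (!netcat)
- netcat = "nc";
-
-- virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);
-+ virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);
-
- virBufferEscapeShell(&buf, netcat);
- if (virBufferCheckError(&buf) < 0) {
---
-2.13.5
-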
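--- a/app-emulation/libvirt/libvirt-3.6.0.ebuild
+++ /dev/null
@@ -1,382 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit autotools eutils user linux-info systemd readme.gentoo-r1
-
-if [[ ${PV} = *9999* ]]; then
- inherit git-r3
- EGIT_REPO_URI="git://libvirt.org/libvirt.git"
- SRC_URI=""
- KEYWORDS=""
- SLOT="0"
-else
- # Versions with 4 numbers are stable updates:
- if [[ ${PV} =~ ^[0-9]+(\.[0-9]+){3} ]]; then
- SRC_URI="http://libvirt.org/sources/stable_updates/${P}.tar.xz"
- else
- SRC_URI="http://libvirt.org/sources/${P}.tar.xz"
- fi
- KEYWORDS="amd64 ~arm64 x86"
- SLOT="0/${PV}"
-fi
-
-DESCRIPTION="C toolkit to manipulate virtual machines"
-HOMEPAGE="http://www.libvirt.org/"
-LICENSE="LGPL-2.1"
-IUSE="
- apparmor audit +caps +dbus firewalld fuse glusterfs iscsi +libvirtd lvm
- libssh lxc +macvtap nfs nls numa openvz parted pcap phyp policykit
- +qemu rbd sasl selinux +udev uml +vepa virtualbox virt-network
- wireshark-plugins xen zeroconf zfs elibc_glibc
-"
-
-REQUIRED_USE="
- firewalld? ( virt-network )
- libvirtd? ( || ( lxc openvz qemu uml virtualbox xen ) )
- lxc? ( caps libvirtd )
- openvz? ( libvirtd )
- policykit? ( dbus )
- qemu? ( libvirtd )
- uml? ( libvirtd )
- vepa? ( macvtap )
- virt-network? ( libvirtd )
- virtualbox? ( libvirtd )
- xen? ( libvirtd )"
-
-# gettext.sh command is used by the libvirt command wrappers, and it's
-# non-optional, so put it into RDEPEND.
-# We can use both libnl:1.1 and libnl:3, but if you have both installed, the
-# package will use 3 by default. Since we don't have slot pinning in an API,
-# we must go with the most recent
-RDEPEND="
- app-misc/scrub
- dev-libs/libgcrypt:0
- dev-libs/libnl:3
- >=dev-libs/libxml2-2.7.6
- || ( >=net-analyzer/netcat6-1.0-r2 >=net-analyzer/openbsd-netcat-1.105-r1 )
- >=net-libs/gnutls-1.0.25:0=
- net-libs/libssh2
- >=net-misc/curl-7.18.0
- sys-apps/dmidecode
- >=sys-apps/util-linux-2.17
- sys-devel/gettext
- sys-libs/ncurses:0=
- sys-libs/readline:=
- apparmor? ( sys-libs/libapparmor )
- audit? ( sys-process/audit )
- caps? ( sys-libs/libcap-ng )
- dbus? ( sys-apps/dbus )
- elibc_glibc? ( sys-libs/glibc[rpc(+)] )
- firewalld? ( net-firewall/firewalld )
- fuse? ( >=sys-fs/fuse-2.8.6:= )
- glusterfs? ( >=sys-cluster/glusterfs-3.4.1 )
- iscsi? ( sys-block/open-iscsi )
- libssh? ( net-libs/libssh )
- lvm? ( >=sys-fs/lvm2-2.02.48-r2[-device-mapper-only(-)] )
- nfs? ( net-fs/nfs-utils )
- numa? (
- >sys-process/numactl-2.0.2
- sys-process/numad
- )
- parted? (
- >=sys-block/parted-1.8[device-mapper]
- sys-fs/lvm2[-device-mapper-only(-)]
- )
- pcap? ( >=net-libs/libpcap-1.0.0 )
- policykit? ( >=sys-auth/polkit-0.9 )
- qemu? (
- >=app-emulation/qemu-0.13.0
- dev-libs/yajl
- )
- rbd? ( sys-cluster/ceph )
- sasl? ( dev-libs/cyrus-sasl )
- selinux? ( >=sys-libs/libselinux-2.0.85 )
- virt-network? (
- net-dns/dnsmasq[script]
- net-firewall/ebtables
- >=net-firewall/iptables-1.4.10[ipv6]
- net-misc/radvd
- sys-apps/iproute2[-minimal]
- )
- virtualbox? ( || ( app-emulation/virtualbox >=app-emulation/virtualbox-bin-2.2.0 ) )
- wireshark-plugins? ( net-analyzer/wireshark:= )
- xen? (
- app-emulation/xen
- app-emulation/xen-tools:=
- )
- udev? (
- virtual/udev
- >=x11-libs/libpciaccess-0.10.9
- )
- zeroconf? ( >=net-dns/avahi-0.6[dbus] )
- zfs? ( sys-fs/zfs )"
-
-DEPEND="${RDEPEND}
- app-text/xhtml1
- dev-lang/perl
- dev-libs/libxslt
- dev-perl/XML-XPath
- virtual/pkgconfig"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.3.0-do_not_use_sysconf.patch
- "${FILESDIR}"/${PN}-1.2.16-fix_paths_in_libvirt-guests_sh.patch
- "${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch
- "${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch
- "${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch # bug #609488
- "${FILESDIR}"/${PN}-3.6.0-ssh-malicious-hostname-fix.patch # bug #629462
-)
-
-pkg_setup() {
- if use qemu; then
- enewgroup qemu 77
- enewuser qemu 77 -1 -1 "qemu,kvm"
- fi
-
- use policykit && enewgroup libvirt
-
- # Check kernel configuration:
- CONFIG_CHECK=""
- use fuse && CONFIG_CHECK+="
- ~FUSE_FS"
-
- use lvm && CONFIG_CHECK+="
- ~BLK_DEV_DM
- ~DM_MULTIPATH
- ~DM_SNAPSHOT"
-
- use lxc && CONFIG_CHECK+="
- ~BLK_CGROUP
- ~CGROUP_CPUACCT
- ~CGROUP_DEVICE
- ~CGROUP_FREEZER
- ~CGROUP_NET_PRIO
- ~CGROUP_PERF
- ~CGROUPS
- ~CGROUP_SCHED
- ~CPUSETS
- ~IPC_NS
- ~MACVLAN
- ~NAMESPACES
- ~NET_CLS_CGROUP
- ~NET_NS
- ~PID_NS
- ~POSIX_MQUEUE
- ~SECURITYFS
- ~USER_NS
- ~UTS_NS
- ~VETH
- ~!GRKERNSEC_CHROOT_MOUNT
- ~!GRKERNSEC_CHROOT_DOUBLE
- ~!GRKERNSEC_CHROOT_PIVOT
- ~!GRKERNSEC_CHROOT_CHMOD
- ~!GRKERNSEC_CHROOT_CAPS"
-
- kernel_is lt 4 7 && use lxc && CONFIG_CHECK+="
- ~DEVPTS_MULTIPLE_INSTANCES"
-
- use macvtap && CONFIG_CHECK+="
- ~MACVTAP"
-
- use virt-network && CONFIG_CHECK+="
- ~BRIDGE_EBT_MARK_T
- ~BRIDGE_NF_EBTABLES
- ~NETFILTER_ADVANCED
- ~NETFILTER_XT_CONNMARK
- ~NETFILTER_XT_MARK
- ~NETFILTER_XT_TARGET_CHECKSUM"
- # Bandwidth Limiting Support
- use virt-network && CONFIG_CHECK+="
- ~BRIDGE_EBT_T_NAT
- ~NET_ACT_POLICE
- ~NET_CLS_FW
- ~NET_CLS_U32
- ~NET_SCH_HTB
- ~NET_SCH_INGRESS
- ~NET_SCH_SFQ"
-
- # Handle specific kernel versions for different features
- kernel_is lt 3 6 && CONFIG_CHECK+=" ~CGROUP_MEM_RES_CTLR"
- if kernel_is ge 3 6; then
- CONFIG_CHECK+=" ~MEMCG ~MEMCG_SWAP "
- kernel_is lt 4 5 && CONFIG_CHECK+=" ~MEMCG_KMEM "
- fi
-
- ERROR_USER_NS="Optional depending on LXC configuration."
-
- if [[ -n ${CONFIG_CHECK} ]]; then
- linux-info_pkg_setup
- fi
-}
-
-src_prepare() {
- touch "${S}/.mailmap"
-
- default
-
- if [[ ${PV} = *9999* ]]; then
- # git checkouts require bootstrapping to create the configure script.
- # Additionally the submodules must be cloned to the right locations
- # bug #377279
- ./bootstrap || die "bootstrap failed"
- (
- git submodule status | sed 's/^[ +-]//;s/ .*//'
- git hash-object bootstrap.conf
- ) >.git-module-status
- fi
-
- # Tweak the init script:
- cp "${FILESDIR}/libvirtd.init-r16" "${S}/libvirtd.init" || die
- sed -e "s/USE_FLAG_FIREWALLD/$(usex firewalld 'need firewalld' '')/" \
- -e "s/USE_FLAG_AVAHI/$(usex zeroconf 'use avahi-daemon' '')/" \
- -e "s/USE_FLAG_ISCSI/$(usex iscsi 'use iscsid' '')/" \
- -e "s/USE_FLAG_RBD/$(usex rbd 'use ceph' '')/" \
- -i "${S}/libvirtd.init" || die "sed failed"
-
- eautoreconf
-}
-
-src_configure() {
- local myeconfargs=(
- $(use_with apparmor)
- $(use_with apparmor apparmor-profiles)
- $(use_with audit)
- $(use_with caps capng)
- $(use_with dbus)
- $(use_with firewalld)
- $(use_with fuse)
- $(use_with glusterfs)
- $(use_with glusterfs storage-gluster)
- $(use_with iscsi storage-iscsi)
- $(use_with libvirtd)
- $(use_with libssh)
- $(use_with lvm storage-lvm)
- $(use_with lvm storage-mpath)
- $(use_with lxc)
- $(use_with macvtap)
- $(use_enable nls)
- $(use_with numa numactl)
- $(use_with numa numad)
- $(use_with openvz)
- $(use_with parted storage-disk)
- $(use_with pcap libpcap)
- $(use_with phyp)
- $(use_with policykit polkit)
- $(use_with qemu)
- $(use_with qemu yajl)
- $(use_with rbd storage-rbd)
- $(use_with sasl)
- $(use_with selinux)
- $(use_with udev)
- $(use_with uml)
- $(use_with vepa virtualport)
- $(use_with virt-network network)
- $(use_with wireshark-plugins wireshark-dissector)
- $(use_with xen)
- $(use_with xen xen-inotify)
- $(use_with xen libxl)
- $(use_with zeroconf avahi)
- $(use_with zfs storage-zfs)
-
- --without-hal
- --without-netcf
- --without-sanlock
- --without-xenapi
-
- --with-esx
- --with-init-script=systemd
- --with-qemu-group=$(usex caps qemu root)
- --with-qemu-user=$(usex caps qemu root)
- --with-remote
- --with-storage-fs
- --with-vmware
-
- --disable-static
- --disable-werror
-
- --with-html-subdir=${PF}/html
- --localstatedir=/var
- )
-
- if use virtualbox && has_version app-emulation/virtualbox-ose; then
- myeconfargs+=( --with-vbox=/usr/lib/virtualbox-ose/ )
- else
- myeconfargs+=( $(use_with virtualbox vbox) )
- fi
-
- econf "${myeconfargs[@]}"
-
- if [[ ${PV} = *9999* ]]; then
- # Restore gnulib's config.sub and config.guess
- # bug #377279
- (cd .gnulib && git reset --hard > /dev/null)
- fi
-}
-
-src_test() {
- cd "${BUILD_DIR}"
-
- # remove problematic tests, bug #591416, bug #591418
- sed -i -e 's#commandtest$(EXEEXT) # #' \
- -e 's#virfirewalltest$(EXEEXT) # #' \
- -e 's#nwfilterebiptablestest$(EXEEXT) # #' \
- -e 's#nwfilterxml2firewalltest$(EXEEXT)$##' \
- tests/Makefile
-
- export VIR_TEST_DEBUG=1
- HOME="${T}" emake check || die "tests failed"
-}
-
-src_install() {
- emake DESTDIR="${D}" \
- SYSTEMD_UNIT_DIR="$(systemd_get_systemunitdir)" install
-
- find "${D}" -name '*.la' -delete || die
-
- # Remove bogus, empty directories. They are either not used, or
- # libvirtd is able to create them on demand
- rm -rf "${D}"/etc/sysconfig
- rm -rf "${D}"/var/cache
- rm -rf "${D}"/var/run
- rm -rf "${D}"/var/log
-
- use libvirtd || return 0
- # From here, only libvirtd-related instructions, be warned!
-
- systemd_install_serviced \
- "${FILESDIR}"/libvirtd.service.conf libvirtd.service
-
- systemd_newtmpfilesd "${FILESDIR}"/libvirtd.tmpfiles.conf libvirtd.conf
-
- newinitd "${S}/libvirtd.init" libvirtd || die
- newinitd "${FILESDIR}/libvirt-guests.init-r2" libvirt-guests || die
- newinitd "${FILESDIR}/virtlockd.init-r1" virtlockd || die
- newinitd "${FILESDIR}/virtlogd.init-r1" virtlogd || die
-
- newconfd "${FILESDIR}/libvirtd.confd-r5" libvirtd || die
- newconfd "${FILESDIR}/libvirt-guests.confd" libvirt-guests || die
-
- DOC_CONTENTS=$(<"${FILESDIR}/README.gentoo-r2")
- DISABLE_AUTOFORMATTING=true
- readme.gentoo_create_doc
-}
-
-pkg_preinst() {
- # we only ever want to generate this once
- if [[ -e "${ROOT}"/etc/libvirt/qemu/networks/default.xml ]]; then
- rm -rf "${D}"/etc/libvirt/qemu/networks/default.xml
- fi
-}
-
-pkg_postinst() {
- if [[ -e "${ROOT}"/etc/libvirt/qemu/networks/default.xml ]]; then
- touch "${ROOT}"/etc/libvirt/qemu/networks/default.xml
- fi
-
- use libvirtd || return 0
- # From here, only libvirtd-related instructions, be warned!
-
- readme.gentoo_print_elog
-}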