commit: 2f0ef03da3f01aac834583e21ed090fcdaa20200 |
Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
AuthorDate: Tue May 30 16:32:15 2017 +0000 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
CommitDate: Tue May 30 16:32:15 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f0ef03d |
|
net-misc/openvswitch: 2.7.0-r3 bup for CVE-2017-9214 bug 620200 |
|
Package-Manager: Portage-2.3.5, Repoman-2.3.2 |
|
net-misc/openvswitch/files/CVE-2017-9214.patch | 27 ++++ |
net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild | 153 +++++++++++++++++++++++ |
2 files changed, 180 insertions(+) |
|
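diff --git a/net-misc/openvswitch/files/CVE-2017-9214.patch b/net-misc/openvswitch/files/CVE-2017-9214.patch
new file mode 100644
index 00000000000..33686df3acf
--- /dev/null
+++ b/net-misc/openvswitch/files/CVE-2017-9214.patch
@@ -0,0 +1,27 @@
+Fix buffer overrread in ofputil_pull_queue_get_config_reply10()
+
+msg->size isn't the relevant measurement here because we're only supposed
+to read 'len' bytes. Reading more than that causes 'len' to underflow to a
+large number at the end of the loop.
+
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp at ovn.org>
+---
+ lib/ofp-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c
+index bdf89b6c3017..f05ca398c13e 100644
+--- a/lib/ofp-util.c
++++ b/lib/ofp-util.c
+@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
+
+ hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
+ prop_len = ntohs(hdr->len);
+- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
++ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
+ return OFPERR_OFPBRC_BAD_LEN;
+ }
+
+--
+2.10.2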
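diff --git a/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild b/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild
new file mode 100644
index 00000000000..a3809b7fa0e
--- /dev/null
+++ b/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild
@@ -0,0 +1,153 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_4,3_5} )
+
+inherit autotools eutils linux-info linux-mod python-r1 systemd
+
+DESCRIPTION="Production quality, multilayer virtual switch"
+HOMEPAGE="http://openvswitch.org"
+SRC_URI="http://openvswitch.org/releases/${P}.tar.gz"
+
+LICENSE="Apache-2.0 GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="debug modules monitor +ssl"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="
+ || (
+ >=sys-apps/openrc-0.10.5
+ sys-apps/systemd
+ )
+ ssl? ( dev-libs/openssl:0= )
+ ${PYTHON_DEPS}
+ ~dev-python/ovs-${PV}[${PYTHON_USEDEP}]
+ dev-python/twisted[conch,${PYTHON_USEDEP}]
+ dev-python/zope-interface[${PYTHON_USEDEP}]
+ debug? ( dev-lang/perl )"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+PATCHES="${FILESDIR}/xcp-interface-reconfigure-2.3.2.patch ${FILESDIR}/doc-fix.patch"
+
+CONFIG_CHECK="~NET_CLS_ACT ~NET_CLS_U32 ~NET_SCH_INGRESS ~NET_ACT_POLICE ~IPV6 ~TUN"
+MODULE_NAMES="openvswitch(net:${S}/datapath/linux)"
+BUILD_TARGETS="all"
+
+pkg_setup() {
+ if use modules ; then
+ CONFIG_CHECK+=" ~!OPENVSWITCH"
+ kernel_is ge 3 10 0 || die "Linux >= 3.10.0 and <= 4.8 required for userspace modules"
+ kernel_is le 4 9 999 || die "Linux >= 3.10.0 and <= 4.8 required for userspace modules"
+ linux-mod_pkg_setup
+ else
+ CONFIG_CHECK+=" ~OPENVSWITCH"
+ linux-info_pkg_setup
+ fi
+}
+
+src_prepare() {
+ # Never build kernelmodules, doing this manually
+ epatch "${FILESDIR}/CVE-2017-9214.patch"
+ sed -i \
+ -e '/^SUBDIRS/d' \
+ datapath/Makefile.in || die "sed failed"
+ eautoreconf
+ default
+}
+
+src_configure() {
+ set_arch_to_kernel
+ # monitor is statically enabled for bug 596206
+ use monitor || export ovs_cv_python="no"
+ # pyside is staticly disabled
+ export ovs_cv_pyuic4="no"
+
+ local linux_config
+ use modules && linux_config="--with-linux=${KV_OUT_DIR}"
+
+ econf ${linux_config} \
+ --with-rundir=/var/run/openvswitch \
+ --with-logdir=/var/log/openvswitch \
+ --with-pkidir=/etc/ssl/openvswitch \
+ --with-dbdir=/var/lib/openvswitch \
+ $(use_enable ssl) \
+ $(use_enable !debug ndebug)
+}
+
+src_compile() {
+ default
+
+ use modules && linux-mod_src_compile
+}
+
+src_install() {
+ default
+
+ local SCRIPT
+ if use monitor; then
+ for SCRIPT in ovs-{pcap,parse-backtrace,dpctl-top,l3ping,tcpdump,tcpundump,test,vlan-test} bugtool/ovs-bugtool; do
+ sed -e '1s|^.*$|#!/usr/bin/python|' -i utilities/"${SCRIPT}"
+ python_foreach_impl python_doscript utilities/"${SCRIPT}"
+ done
+ rm -r "${ED%/}"/usr/share/openvswitch/python || die
+ fi
+
+ keepdir /var/{lib,log}/openvswitch
+ keepdir /etc/ssl/openvswitch
+ fperms 0750 /etc/ssl/openvswitch
+
+ rm -rf "${ED%/}"/var/run || die
+
+ newconfd "${FILESDIR}/ovsdb-server_conf2" ovsdb-server
+ newconfd "${FILESDIR}/ovs-vswitchd_conf" ovs-vswitchd
+ newinitd "${FILESDIR}/ovsdb-server-r1" ovsdb-server
+ newinitd "${FILESDIR}/ovs-vswitchd-r1" ovs-vswitchd
+
+ systemd_dounit "${FILESDIR}/ovsdb-server.service"
+ systemd_dounit "${FILESDIR}/ovs-vswitchd.service"
+ systemd_newtmpfilesd "${FILESDIR}/openvswitch.tmpfiles" openvswitch.conf
+
+ insinto /etc/logrotate.d
+ newins rhel/etc_logrotate.d_openvswitch openvswitch
+
+ use modules && linux-mod_src_install
+}
+
+pkg_postinst() {
+ use modules && linux-mod_pkg_postinst
+
+ local pv
+ for pv in ${REPLACING_VERSIONS}; do
+ if ! version_is_at_least 1.9.0 ${pv} ; then
+ ewarn "The configuration database for Open vSwitch got moved in version 1.9.0 from"
+ ewarn " /etc/openvswitch"
+ ewarn "to"
+ ewarn " /var/lib/openvswitch"
+ ewarn "Please copy/move the database manually before running the schema upgrade."
+ ewarn "The PKI files are now supposed to go to /etc/ssl/openvswitch"
+ fi
+ done
+
+ elog "Use the following command to create an initial database for ovsdb-server:"
+ elog " emerge --config =${CATEGORY}/${PF}"
+ elog "(will create a database in /var/lib/openvswitch/conf.db)"
+ elog "or to convert the database to the current schema after upgrading."
+}
+
+pkg_config() {
+ local db="${EROOT%/}"/var/lib/openvswitch/conf.db
+ if [[ -e "${db}" ]] ; then
+ einfo "Database '${db}' already exists, doing schema migration..."
+ einfo "(if the migration fails, make sure that ovsdb-server is not running)"
+ ovsdb-tool convert "${db}" \
+ "${EROOT%/}"/usr/share/openvswitch/vswitch.ovsschema || die "converting database failed"
+ else
+ einfo "Creating new database '${db}'..."
+ ovsdb-tool create "${db}" \
+ "${EROOT%/}"/usr/share/openvswitch/vswitch.ovsschema || die "creating database failed"
+ fi
+}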
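Review bot: In src_prepare the `epatch "${FILESDIR}/CVE-2017-9214.patch"` line sits directly under `# Never build kernelmodules, doing this manually`, a comment that describes the sed on datapath/Makefile.in, so the one line this revision exists for carries no explanation of its own; under EAPI=6 the fix can instead be listed with the other patches and applied by `default`, e.g. `PATCHES=( "${FILESDIR}/xcp-interface-reconfigure-2.3.2.patch" "${FILESDIR}/doc-fix.patch" "${FILESDIR}/CVE-2017-9214.patch" ) # CVE-2017-9214, bug 620200`, which also drops the eutils `epatch` call. Note that `default` is called only after `eautoreconf`, so the PATCHES entries are applied to an already regenerated tree; whether either of them touches autotools inputs cannot be confirmed from this page, but if so the two calls should be swapped. Separately, both `die` messages in pkg_setup say Linux `<= 4.8` while `kernel_is le 4 9 999` accepts 4.9.x kernels, so one of the two should be corrected. The `sed -e '1s|^.*$|#!/usr/bin/python|' -i utilities/"${SCRIPT}"` in src_install has no `|| die`, so a failed rewrite would silently install the script with its original shebang.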