
From: Matt Thode <prometheanfire@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openvswitch/, net-misc/openvswitch/files/
Date: Tue, 30 May 2017 16:32:39
Message-Id: 1496161935.2f0ef03da3f01aac834583e21ed090fcdaa20200.prometheanfire@gentoo
1 commit: 2f0ef03da3f01aac834583e21ed090fcdaa20200
2 Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
3 AuthorDate: Tue May 30 16:32:15 2017 +0000
4 Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org>
5 CommitDate: Tue May 30 16:32:15 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f0ef03d
7
8 net-misc/openvswitch: 2.7.0-r3 bump for CVE-2017-9214 bug 620200
9
10 Package-Manager: Portage-2.3.5, Repoman-2.3.2
11
12 net-misc/openvswitch/files/CVE-2017-9214.patch | 27 ++++
13 net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild | 153 +++++++++++++++++++++++
14 2 files changed, 180 insertions(+)
15
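diff --git a/net-misc/openvswitch/files/CVE-2017-9214.patch b/net-misc/openvswitch/files/CVE-2017-9214.patch
new file mode 100644
index 00000000000..33686df3acf
--- /dev/null
+++ b/net-misc/openvswitch/files/CVE-2017-9214.patch
@@ -0,0 +1,27 @@
+Fix buffer overrread in ofputil_pull_queue_get_config_reply10()
+
+msg->size isn't the relevant measurement here because we're only supposed
+to read 'len' bytes. Reading more than that causes 'len' to underflow to a
+large number at the end of the loop.
+
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp at ovn.org>
+---
+ lib/ofp-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c
+index bdf89b6c3017..f05ca398c13e 100644
+--- a/lib/ofp-util.c
++++ b/lib/ofp-util.c
+@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
+
+ hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
+ prop_len = ntohs(hdr->len);
+- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
++ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
+ return OFPERR_OFPBRC_BAD_LEN;
+ }
+
+--
+2.10.2
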
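Review bot: The patch header carries no reference back to its origin — neither the CVE id nor the upstream Open vSwitch commit it was taken from appears inside the file, only in the file name and the Gentoo commit message — so the next maintainer cannot verify the backport against upstream without searching. Add two header lines above the Reported-by trailer, `CVE: CVE-2017-9214` and `Upstream: <upstream commit URL — placeholder>`, with the Gentoo bug number from the commit message if desired. The C change itself matches the description (bounding prop_len by the remaining 'len' rather than the whole buffer) and needs no change here.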
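diff --git a/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild b/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild
new file mode 100644
index 00000000000..a3809b7fa0e
--- /dev/null
+++ b/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild
@@ -0,0 +1,153 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_4,3_5} )
+
+inherit autotools eutils linux-info linux-mod python-r1 systemd
+
+DESCRIPTION="Production quality, multilayer virtual switch"
+HOMEPAGE="http://openvswitch.org"
+SRC_URI="http://openvswitch.org/releases/${P}.tar.gz"
+
+LICENSE="Apache-2.0 GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="debug modules monitor +ssl"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="
+ || (
+ >=sys-apps/openrc-0.10.5
+ sys-apps/systemd
+ )
+ ssl? ( dev-libs/openssl:0= )
+ ${PYTHON_DEPS}
+ ~dev-python/ovs-${PV}[${PYTHON_USEDEP}]
+ dev-python/twisted[conch,${PYTHON_USEDEP}]
+ dev-python/zope-interface[${PYTHON_USEDEP}]
+ debug? ( dev-lang/perl )"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+PATCHES="${FILESDIR}/xcp-interface-reconfigure-2.3.2.patch ${FILESDIR}/doc-fix.patch"
+
+CONFIG_CHECK="~NET_CLS_ACT ~NET_CLS_U32 ~NET_SCH_INGRESS ~NET_ACT_POLICE ~IPV6 ~TUN"
+MODULE_NAMES="openvswitch(net:${S}/datapath/linux)"
+BUILD_TARGETS="all"
+
+pkg_setup() {
+ if use modules ; then
+ CONFIG_CHECK+=" ~!OPENVSWITCH"
+ kernel_is ge 3 10 0 || die "Linux >= 3.10.0 and <= 4.8 required for userspace modules"
+ kernel_is le 4 9 999 || die "Linux >= 3.10.0 and <= 4.8 required for userspace modules"
+ linux-mod_pkg_setup
+ else
+ CONFIG_CHECK+=" ~OPENVSWITCH"
+ linux-info_pkg_setup
+ fi
+}
+
+src_prepare() {
+ # Never build kernelmodules, doing this manually
+ epatch "${FILESDIR}/CVE-2017-9214.patch"
+ sed -i \
+ -e '/^SUBDIRS/d' \
+ datapath/Makefile.in || die "sed failed"
+ eautoreconf
+ default
+}
+
+src_configure() {
+ set_arch_to_kernel
+ # monitor is statically enabled for bug 596206
+ use monitor || export ovs_cv_python="no"
+ # pyside is staticly disabled
+ export ovs_cv_pyuic4="no"
+
+ local linux_config
+ use modules && linux_config="--with-linux=${KV_OUT_DIR}"
+
+ econf ${linux_config} \
+ --with-rundir=/var/run/openvswitch \
+ --with-logdir=/var/log/openvswitch \
+ --with-pkidir=/etc/ssl/openvswitch \
+ --with-dbdir=/var/lib/openvswitch \
+ $(use_enable ssl) \
+ $(use_enable !debug ndebug)
+}
+
+src_compile() {
+ default
+
+ use modules && linux-mod_src_compile
+}
+
+src_install() {
+ default
+
+ local SCRIPT
+ if use monitor; then
+ for SCRIPT in ovs-{pcap,parse-backtrace,dpctl-top,l3ping,tcpdump,tcpundump,test,vlan-test} bugtool/ovs-bugtool; do
+ sed -e '1s|^.*$|#!/usr/bin/python|' -i utilities/"${SCRIPT}"
+ python_foreach_impl python_doscript utilities/"${SCRIPT}"
+ done
+ rm -r "${ED%/}"/usr/share/openvswitch/python || die
+ fi
+
+ keepdir /var/{lib,log}/openvswitch
+ keepdir /etc/ssl/openvswitch
+ fperms 0750 /etc/ssl/openvswitch
+
+ rm -rf "${ED%/}"/var/run || die
+
+ newconfd "${FILESDIR}/ovsdb-server_conf2" ovsdb-server
+ newconfd "${FILESDIR}/ovs-vswitchd_conf" ovs-vswitchd
+ newinitd "${FILESDIR}/ovsdb-server-r1" ovsdb-server
+ newinitd "${FILESDIR}/ovs-vswitchd-r1" ovs-vswitchd
+
+ systemd_dounit "${FILESDIR}/ovsdb-server.service"
+ systemd_dounit "${FILESDIR}/ovs-vswitchd.service"
+ systemd_newtmpfilesd "${FILESDIR}/openvswitch.tmpfiles" openvswitch.conf
+
+ insinto /etc/logrotate.d
+ newins rhel/etc_logrotate.d_openvswitch openvswitch
+
+ use modules && linux-mod_src_install
+}
+
+pkg_postinst() {
+ use modules && linux-mod_pkg_postinst
+
+ local pv
+ for pv in ${REPLACING_VERSIONS}; do
+ if ! version_is_at_least 1.9.0 ${pv} ; then
+ ewarn "The configuration database for Open vSwitch got moved in version 1.9.0 from"
+ ewarn " /etc/openvswitch"
+ ewarn "to"
+ ewarn " /var/lib/openvswitch"
+ ewarn "Please copy/move the database manually before running the schema upgrade."
+ ewarn "The PKI files are now supposed to go to /etc/ssl/openvswitch"
+ fi
+ done
+
+ elog "Use the following command to create an initial database for ovsdb-server:"
+ elog " emerge --config =${CATEGORY}/${PF}"
+ elog "(will create a database in /var/lib/openvswitch/conf.db)"
+ elog "or to convert the database to the current schema after upgrading."
+}
+
+pkg_config() {
+ local db="${EROOT%/}"/var/lib/openvswitch/conf.db
+ if [[ -e "${db}" ]] ; then
+ einfo "Database '${db}' already exists, doing schema migration..."
+ einfo "(if the migration fails, make sure that ovsdb-server is not running)"
+ ovsdb-tool convert "${db}" \
+ "${EROOT%/}"/usr/share/openvswitch/vswitch.ovsschema || die "converting database failed"
+ else
+ einfo "Creating new database '${db}'..."
+ ovsdb-tool create "${db}" \
+ "${EROOT%/}"/usr/share/openvswitch/vswitch.ovsschema || die "creating database failed"
+ fi
+}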
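Review bot: `epatch "${FILESDIR}/CVE-2017-9214.patch"` in src_prepare reaches for the deprecated eutils helper although the ebuild is EAPI=6, where the `default` call a few lines below already applies everything listed in PATCHES; the security fix belongs in that list, as an array, `PATCHES=( "${FILESDIR}/xcp-interface-reconfigure-2.3.2.patch" "${FILESDIR}/doc-fix.patch" "${FILESDIR}/CVE-2017-9214.patch" )`, with the epatch line dropped, so all applied patches are visible in one place. The comment `# Never build kernelmodules, doing this manually` now sits above the epatch call instead of the sed on datapath/Makefile.in it describes; move it down one line. In pkg_setup both die messages say `<= 4.8` while `kernel_is le 4 9 999` accepts any 4.9.x kernel, so either the message or the bound is wrong. The `sed -e '1s|^.*$|#!/usr/bin/python|' -i utilities/"${SCRIPT}"` in src_install has no `|| die`, unlike the sed in src_prepare, so a failed shebang rewrite would be silently installed.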