From 6a0cecccd4cde2ac81dd8a2409467dcc291133b5 Mon Sep 17 00:00:00 2001 From: Patrick McLean Date: Thu, 27 Oct 2016 14:31:02 -0700 Subject: sys-cluster/ceph: Revision bump to 10.2.3-r1 for CVE-2016-8626 Gentoo-Bug: 598206 Package-Manager: portage-2.3.2 --- sys-cluster/ceph/ceph-10.2.3-r1.ebuild | 263 +++++++++++++++++++++ .../ceph/files/ceph-10.2.3-CVE-2016-8626.patch | 33 +++ 2 files changed, 296 insertions(+) create mode 100644 sys-cluster/ceph/ceph-10.2.3-r1.ebuild create mode 100644 sys-cluster/ceph/files/ceph-10.2.3-CVE-2016-8626.patch (limited to 'sys-cluster') diff --git a/sys-cluster/ceph/ceph-10.2.3-r1.ebuild b/sys-cluster/ceph/ceph-10.2.3-r1.ebuild new file mode 100644 index 000000000000..5f40c53bf6ad --- /dev/null +++ b/sys-cluster/ceph/ceph-10.2.3-r1.ebuild @@ -0,0 +1,263 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 +PYTHON_COMPAT=( python{2_7,3_{4,5}} ) + +inherit check-reqs autotools eutils python-r1 udev user \ + readme.gentoo-r1 systemd versionator flag-o-matic + +if [[ ${PV} == *9999* ]]; then + inherit git-r3 + EGIT_REPO_URI=" + git://github.com/ceph/ceph.git + https://github.com/ceph/ceph.git" + SRC_URI="" +else + SRC_URI="http://ceph.com/download/${P}.tar.gz" + KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86" +fi + +DESCRIPTION="Ceph distributed filesystem" +HOMEPAGE="http://ceph.com/" + +LICENSE="LGPL-2.1" +SLOT="0" + +IUSE="babeltrace cephfs cryptopp debug fuse gtk jemalloc ldap +libaio" +IUSE+=" libatomic lttng +nss +radosgw static-libs +tcmalloc test xfs zfs" + +# unbundling code commented out pending bugs 584056 and 584058 +#>=dev-libs/jerasure-2.0.0-r1 +#>=dev-libs/gf-complete-2.0.0 +COMMON_DEPEND=" + app-arch/snappy + app-arch/lz4:= + app-arch/bzip2 + dev-libs/boost:=[threads] + dev-libs/libaio + dev-libs/leveldb[snappy] + nss? ( dev-libs/nss ) + libatomic? ( dev-libs/libatomic_ops ) + cryptopp? ( dev-libs/crypto++:= ) + sys-apps/keyutils + sys-apps/util-linux + dev-libs/libxml2 + radosgw? ( dev-libs/fcgi ) + ldap? ( net-nds/openldap ) + babeltrace? ( dev-util/babeltrace ) + fuse? ( sys-fs/fuse ) + xfs? ( sys-fs/xfsprogs ) + zfs? ( sys-fs/zfs ) + gtk? ( + x11-libs/gtk+:2 + dev-cpp/gtkmm:2.4 + gnome-base/librsvg + ) + radosgw? ( + dev-libs/fcgi + dev-libs/expat + net-misc/curl + ) + jemalloc? ( dev-libs/jemalloc ) + !jemalloc? ( dev-util/google-perftools ) + lttng? ( dev-util/lttng-ust ) + ${PYTHON_DEPS} + " +DEPEND="${COMMON_DEPEND} + dev-python/cython[${PYTHON_USEDEP}] + app-arch/cpio + sys-apps/lsb-release + virtual/pkgconfig + dev-python/sphinx + test? ( + sys-fs/btrfs-progs + sys-apps/grep[pcre] + dev-python/tox[${PYTHON_USEDEP}] + dev-python/virtualenv[${PYTHON_USEDEP}] + )" +RDEPEND="${COMMON_DEPEND} + sys-apps/hdparm + sys-block/parted + sys-fs/cryptsetup + sys-apps/gptfdisk + dev-python/flask[${PYTHON_USEDEP}] + dev-python/requests[${PYTHON_USEDEP}] + " +REQUIRED_USE=" + $(python_gen_useflags 'python2*') + ${PYTHON_REQUIRED_USE} + ^^ ( nss cryptopp ) + ?? ( jemalloc tcmalloc ) + " + +# work around bug in ceph compilation (rgw/ceph_dencoder-rgw_dencoder.o... undefined reference to `vtable for RGWZoneGroup') +REQUIRED_USE+=" radosgw" + +RESTRICT="test? ( userpriv )" + +# distribution tarball does not include everything needed for tests +RESTRICT+=" test" + +STRIP_MASK="/usr/lib*/rados-classes/*" + +UNBUNDLE_LIBS=( + src/erasure-code/jerasure/jerasure + src/erasure-code/jerasure/gf-complete +) + +PATCHES=( + "${FILESDIR}/ceph-10.2.0-dont-use-virtualenvs.patch" + #"${FILESDIR}/ceph-10.2.1-unbundle-jerasure.patch" + "${FILESDIR}/${PN}-10.2.1-libzfs.patch" + "${FILESDIR}/${PN}-10.2.3-build-without-openldap.patch" + "${FILESDIR}/${PN}-10.2.3-CVE-2016-8626.patch" +) + +check-reqs_export_vars() { + if use debug; then + CHECKREQS_DISK_BUILD="23G" + CHECKREQS_DISK_USR="7G" + elif use amd64; then + CHECKREQS_DISK_BUILD="12G" + CHECKREQS_DISK_USR="450M" + else + CHECKREQS_DISK_BUILD="1400M" + CHECKREQS_DISK_USR="450M" + fi + + export CHECKREQS_DISK_BUILD CHECKREQS_DISK_USR +} + +user_setup() { + enewgroup ceph ${CEPH_GID} + enewuser ceph "${CEPH_UID:--1}" -1 /var/lib/ceph ceph +} + +emake_python_bindings() { + local action="${1}" params binding + shift + params=("${@}") + + __emake_python_bindings_do_impl() { + emake "${params[@]}" PYTHON="${EPYTHON}" "${binding}-pybind-${action}" + + # these don't work and aren't needed on python3 + if [[ ${EBUILD_PHASE} == install ]] && python_is_python3; then + rm -f "${ED}/$(python_get_sitedir)"/ceph_{argparse,volume_client}.py + fi + } + + pushd "${S}/src" + for binding in rados rbd $(use cephfs && echo cephfs); do + python_foreach_impl __emake_python_bindings_do_impl + done + popd + + unset __emake_python_bindings_do_impl +} + +pkg_pretend() { + check-reqs_export_vars + check-reqs_pkg_pretend +} + +pkg_setup() { + python_setup + check-reqs_export_vars + check-reqs_pkg_setup + user_setup +} + +src_prepare() { + default + + # remove tests that need root access + rm src/test/cli/ceph-authtool/cap*.t + + #rm -rf "${UNBUNDLE_LIBS[@]}" + + append-flags -fPIC + eautoreconf +} + +src_configure() { + local myeconfargs=( + --without-hadoop + --includedir=/usr/include + $(use_with cephfs) + $(use_with debug) + $(use_with fuse) + $(use_with libaio) + $(use_with libatomic libatomic-ops) + $(use_with nss) + $(use_with cryptopp) + $(use_with radosgw) + $(use_with gtk gtk2) + $(use_enable static-libs static) + $(use_with jemalloc) + $(use_with xfs libxfs) + $(use_with zfs libzfs) + $(use_with lttng ) + $(use_with babeltrace) + $(use_with ldap openldap) + $(use jemalloc || usex tcmalloc " --with-tcmalloc" " --with-tcmalloc-minimal") + --with-mon + --with-eventfd + --with-cython + --without-kinetic + --without-librocksdb + --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" + ) + + # we can only use python2.7 for building at the moment + python_export python2.7 PYTHON EPYTHON + econf "${myeconfargs[@]}" +} + +src_compile() { + emake + emake_python_bindings all + + use test && emake check-local +} + +src_test() { + make check || die "make check failed" +} + +src_install() { + default + emake_python_bindings install-exec "DESTDIR=\"${D}\"" + + prune_libtool_files --all + + exeinto /usr/$(get_libdir)/ceph + newexe src/init-ceph ceph_init.sh + + insinto /etc/logrotate.d/ + newins "${FILESDIR}"/ceph.logrotate ${PN} + + keepdir /var/lib/${PN}{,/tmp} /var/log/${PN}/stat + + fowners ceph:ceph /var/lib/ceph + + newinitd "${FILESDIR}/rbdmap.initd" rbdmap + newinitd "${FILESDIR}/${PN}.initd-r2" ${PN} + newconfd "${FILESDIR}/${PN}.confd-r1" ${PN} + + systemd_install_serviced "${FILESDIR}/ceph-mds_at.service.conf" "ceph-mds@.service" + systemd_install_serviced "${FILESDIR}/ceph-osd_at.service.conf" "ceph-osd@.service" + systemd_install_serviced "${FILESDIR}/ceph-mon_at.service.conf" "ceph-mon@.service" + + python_fix_shebang "${ED}"/usr/{,s}bin/ + + udev_dorules udev/*.rules + + readme.gentoo_create_doc +} + +pkg_postinst() { + readme.gentoo_print_elog +} diff --git a/sys-cluster/ceph/files/ceph-10.2.3-CVE-2016-8626.patch b/sys-cluster/ceph/files/ceph-10.2.3-CVE-2016-8626.patch new file mode 100644 index 000000000000..d767d8170dfa --- /dev/null +++ b/sys-cluster/ceph/files/ceph-10.2.3-CVE-2016-8626.patch @@ -0,0 +1,33 @@ +commit dc2ffda7819d2ebeed3526d9e6da8f53221818de +Author: Yehuda Sadeh +Date: Thu Oct 20 10:17:36 2016 -0700 + + rgw: handle empty POST condition + + Fixes: http://tracker.ceph.com/issues/17635 + + Before accessing json entity, need to check that iterator is valid. + If there is no entry return appropriate error code. + + Signed-off-by: Yehuda Sadeh + (cherry picked from commit 23cb642243e09ca4a8e104f62a3bb7b2cbb6ea12) + +diff --git a/src/rgw/rgw_policy_s3.cc b/src/rgw/rgw_policy_s3.cc +index 3843511..8af70a8 100644 +--- a/src/rgw/rgw_policy_s3.cc ++++ b/src/rgw/rgw_policy_s3.cc +@@ -286,11 +286,13 @@ int RGWPolicy::from_json(bufferlist& bl, string& err_msg) + int r = add_condition(v[0], v[1], v[2], err_msg); + if (r < 0) + return r; +- } else { ++ } else if (!citer.end()) { + JSONObj *c = *citer; + dout(0) << "adding simple_check: " << c->get_name() << " : " << c->get_data() << dendl; + + add_simple_check(c->get_name(), c->get_data()); ++ } else { ++ return -EINVAL; + } + } + return 0; -- cgit v1.2.3-65-gdbad