From 3930fb660c9d11c546f1959d4a2bdf66dd8f67e2 Mon Sep 17 00:00:00 2001
From: Matthew Thode <prometheanfire@gentoo.org>
Date: Fri, 4 Nov 2016 09:48:04 -0500
Subject: sys-cluster/heat: fix CVE-2016-9185 bug 598940

Package-Manager: portage-2.3.0
---
 sys-cluster/heat/files/CVE-2016-9185.patch |  53 ++++++++++
 sys-cluster/heat/heat-7.0.0-r1.ebuild      | 153 +++++++++++++++++++++++++++++
 sys-cluster/heat/heat-7.0.0.ebuild         | 152 ----------------------------
 3 files changed, 206 insertions(+), 152 deletions(-)
 create mode 100644 sys-cluster/heat/files/CVE-2016-9185.patch
 create mode 100644 sys-cluster/heat/heat-7.0.0-r1.ebuild
 delete mode 100644 sys-cluster/heat/heat-7.0.0.ebuild

(limited to 'sys-cluster')

diff --git a/sys-cluster/heat/files/CVE-2016-9185.patch b/sys-cluster/heat/files/CVE-2016-9185.patch
new file mode 100644
index 000000000000..7b6bd86b818a
--- /dev/null
+++ b/sys-cluster/heat/files/CVE-2016-9185.patch
@@ -0,0 +1,53 @@
+From 02dfb1a64f8a545a6dfed15245ac54c8ea835b81 Mon Sep 17 00:00:00 2001
+From: Daniel Gonzalez <daniel@gonzalez-nothnagel.de>
+Date: Mon, 17 Oct 2016 10:22:42 +0200
+Subject: Prevent template validate from scanning ports
+
+The template validation method in the heat API allows to specify the
+template to validate using a URL with the 'template_url' parameter.
+
+By entering invalid http URLs, like 'http://localhost:22' it is
+possible to scan ports by evaluating the error message of the request.
+
+For example, the request
+
+curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
+-X POST -d '{"template_url": "http://localhost:22"}' \
+http://127.0.0.1:8004/v1/<TENANT_ID>/validate
+
+causes the following error message to be returned to the user:
+
+"Could not retrieve template: Failed to retrieve template:
+('Connection aborted.',
+BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
+
+This could be misused by tenants to gain knowledge about the internal
+network the heat API runs in.
+
+To prevent this information leak, this patch alters the error message
+to not include such details when the url scheme is not 'file'.
+
+SecurityImpact
+
+Closes-Bug: #1606500
+
+Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
+(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
+---
+ heat/common/urlfetch.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
+index 7efd968..8a7deae 100644
+--- a/heat/common/urlfetch.py
++++ b/heat/common/urlfetch.py
+@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
+         return result
+ 
+     except exceptions.RequestException as ex:
+-        raise URLFetchError(_('Failed to retrieve template: %s') % ex)
++        LOG.info(_LI('Failed to retrieve template: %s') % ex)
++        raise URLFetchError(_('Failed to retrieve template from %s') % url)
+-- 
+cgit v0.12
+
diff --git a/sys-cluster/heat/heat-7.0.0-r1.ebuild b/sys-cluster/heat/heat-7.0.0-r1.ebuild
new file mode 100644
index 000000000000..37461d9a1c74
--- /dev/null
+++ b/sys-cluster/heat/heat-7.0.0-r1.ebuild
@@ -0,0 +1,153 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 python3_4 )
+
+inherit distutils-r1 eutils user
+
+DESCRIPTION="A CloudFormation-compatible openstack-native cloud orchistration engine."
+HOMEPAGE="https://launchpad.net/heat"
+SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="+mysql +memcached postgres sqlite"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+CDEPEND=">=dev-python/pbr-1.6[${PYTHON_USEDEP}]"
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+	${CDEPEND}
+	app-admin/sudo"
+
+RDEPEND="
+	${CDEPEND}
+	>=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
+	>=dev-python/croniter-0.3.4[${PYTHON_USEDEP}]
+	>=dev-python/cryptography-1.0.0[${PYTHON_USEDEP}]
+	!~dev-python/cryptography-1.3.0[${PYTHON_USEDEP}]
+	>=dev-python/debtcollector-1.2.0
+	>=dev-python/eventlet-0.18.4[${PYTHON_USEDEP}]
+	>=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
+	>=dev-python/keystoneauth-2.10.0[${PYTHON_USEDEP}]
+	>=dev-python/keystonemiddleware-4.0.0[${PYTHON_USEDEP}]
+	!~dev-python/keystonemiddleware-4.1.0[${PYTHON_USEDEP}]
+	!~dev-python/keystonemiddleware-4.5.0[${PYTHON_USEDEP}]
+	>=dev-python/lxml-2.3[${PYTHON_USEDEP}]
+	>=dev-python/netaddr-0.7.13[${PYTHON_USEDEP}]
+	!~dev-python/netaddr-0.7.16[${PYTHON_USEDEP}]
+	>=dev-python/oslo-cache-1.5.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-concurrency-3.8.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-4.10.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-4.13.1[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-4.13.2[${PYTHON_USEDEP}]
+	>=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-log-1.14.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-messaging-5.2.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-middleware-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-policy-1.9.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-reports-0.6.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-serialization-1.10.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-service-1.10.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-utils-3.16.0[${PYTHON_USEDEP}]
+	>=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-versionedobjects-1.13.0[${PYTHON_USEDEP}]
+	>=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+	>=dev-python/pycrypto-2.6[${PYTHON_USEDEP}]
+	>=dev-python/aodhclient-0.5.0[${PYTHON_USEDEP}]
+	>=dev-python/python-barbicanclient-4.0.0[${PYTHON_USEDEP}]
+	>=dev-python/python-ceilometerclient-2.5.0[${PYTHON_USEDEP}]
+	>=dev-python/python-cinderclient-1.6.0[${PYTHON_USEDEP}]
+	!~dev-python/python-cinderclient-1.7.0[${PYTHON_USEDEP}]
+	!~dev-python/python-cinderclient-1.7.1[${PYTHON_USEDEP}]
+	>=dev-python/python-designateclient-1.5.0[${PYTHON_USEDEP}]
+	>=dev-python/python-glanceclient-2.3.0[${PYTHON_USEDEP}]
+	!~dev-python/python-glanceclient-2.4.0[${PYTHON_USEDEP}]
+	>=dev-python/python-heatclient-1.4.0[${PYTHON_USEDEP}]
+	>=dev-python/python-keystoneclient-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/python-keystoneclient-2.1.0[${PYTHON_USEDEP}]
+	>=dev-python/python-magnumclient-2.0.0[${PYTHON_USEDEP}]
+	>=dev-python/python-manilaclient-1.10.0[${PYTHON_USEDEP}]
+	>=dev-python/python-mistralclient-2.0.0[${PYTHON_USEDEP}]
+	>=dev-python/python-monascaclient-1.1.0[${PYTHON_USEDEP}]
+	>=dev-python/python-neutronclient-5.1.0[${PYTHON_USEDEP}]
+	>=dev-python/python-novaclient-2.29.0[${PYTHON_USEDEP}]
+	!~dev-python/python-novaclient-2.33.0[${PYTHON_USEDEP}]
+	>=dev-python/python-openstackclient-2.1.0[${PYTHON_USEDEP}]
+	>=dev-python/python-senlinclient-0.3.0[${PYTHON_USEDEP}]
+	>=dev-python/python-swiftclient-2.2.0[${PYTHON_USEDEP}]
+	>=dev-python/python-troveclient-2.2.0[${PYTHON_USEDEP}]
+	>=dev-python/python-zaqarclient-1.0.0[${PYTHON_USEDEP}]
+	>=dev-python/pytz-2013.6[${PYTHON_USEDEP}]
+	>=dev-python/pyyaml-3.1.0[${PYTHON_USEDEP}]
+	>=dev-python/requests-2.10.0[${PYTHON_USEDEP}]
+	>=dev-python/retrying-1.2.3[${PYTHON_USEDEP}]
+	!~dev-python/retrying-1.3.0[${PYTHON_USEDEP}]
+	>=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+	!~dev-python/routes-2.0[${PYTHON_USEDEP}]
+	!~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')]
+	!~dev-python/routes-2.3[${PYTHON_USEDEP}]
+	>=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+	sqlite? (
+		>=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[sqlite,${PYTHON_USEDEP}]
+	)
+	mysql? (
+		>=dev-python/pymysql-0.6.2[${PYTHON_USEDEP}]
+		!~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	postgres? (
+		>=dev-python/psycopg-2.5.0
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	>=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}]
+	>=dev-python/stevedore-1.16.0[${PYTHON_USEDEP}]
+
+	>=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
+	>=dev-python/yaql-1.1.0[${PYTHON_USEDEP}]"
+
+PATCHES=(
+	"${FILESDIR}/CVE-2016-9185.patch"
+)
+
+pkg_setup() {
+	enewgroup heat
+	enewuser heat -1 -1 /var/lib/heat heat
+}
+
+python_prepare_all() {
+	sed -i '/^hacking/d' test-requirements.txt || die
+	distutils-r1_python_prepare_all
+}
+
+python_install() {
+	distutils-r1_python_install
+	diropts -m0750 -o heat -g heat
+	keepdir /etc/heat
+	dodir /etc/heat/environment.d
+	dodir /etc/heat/templates
+
+	for svc in api api-cfn engine; do
+		newinitd "${FILESDIR}/heat.initd" heat-${svc}
+	done
+
+	insinto /etc/heat
+	insopts -m0640 -o heat -g heat
+	newins "${FILESDIR}/newton-heat.conf.sample" "heat.conf.sample"
+	doins "etc/heat/api-paste.ini"
+	doins "etc/heat/policy.json"
+	insinto /etc/heat/templates
+	doins "etc/heat/templates/"*
+	insinto /etc/heat/environment.d
+	doins "etc/heat/environment.d/default.yaml"
+
+	dodir /var/log/heat
+	fowners heat:heat /var/log/heat
+}
diff --git a/sys-cluster/heat/heat-7.0.0.ebuild b/sys-cluster/heat/heat-7.0.0.ebuild
deleted file mode 100644
index 9477a1488a4c..000000000000
--- a/sys-cluster/heat/heat-7.0.0.ebuild
+++ /dev/null
@@ -1,152 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-PYTHON_COMPAT=( python2_7 python3_4 )
-
-inherit distutils-r1 eutils user
-
-DESCRIPTION="A CloudFormation-compatible openstack-native cloud orchistration engine."
-HOMEPAGE="https://launchpad.net/heat"
-SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~arm64 ~x86"
-IUSE="+mysql +memcached postgres sqlite"
-REQUIRED_USE="|| ( mysql postgres sqlite )"
-
-CDEPEND=">=dev-python/pbr-1.6[${PYTHON_USEDEP}]"
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
-	${CDEPEND}
-	app-admin/sudo"
-
-RDEPEND="
-	${CDEPEND}
-	>=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
-	>=dev-python/croniter-0.3.4[${PYTHON_USEDEP}]
-	>=dev-python/cryptography-1.0.0[${PYTHON_USEDEP}]
-	!~dev-python/cryptography-1.3.0[${PYTHON_USEDEP}]
-	>=dev-python/debtcollector-1.2.0
-	>=dev-python/eventlet-0.18.4[${PYTHON_USEDEP}]
-	>=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
-	>=dev-python/keystoneauth-2.10.0[${PYTHON_USEDEP}]
-	>=dev-python/keystonemiddleware-4.0.0[${PYTHON_USEDEP}]
-	!~dev-python/keystonemiddleware-4.1.0[${PYTHON_USEDEP}]
-	!~dev-python/keystonemiddleware-4.5.0[${PYTHON_USEDEP}]
-	>=dev-python/lxml-2.3[${PYTHON_USEDEP}]
-	>=dev-python/netaddr-0.7.13[${PYTHON_USEDEP}]
-	!~dev-python/netaddr-0.7.16[${PYTHON_USEDEP}]
-	>=dev-python/oslo-cache-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-concurrency-3.8.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-db-4.10.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-db-4.13.1[${PYTHON_USEDEP}]
-	>=dev-python/oslo-db-4.13.2[${PYTHON_USEDEP}]
-	>=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-log-1.14.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-messaging-5.2.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-middleware-3.0.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-policy-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-reports-0.6.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-serialization-1.10.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-service-1.10.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-utils-3.16.0[${PYTHON_USEDEP}]
-	>=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-versionedobjects-1.13.0[${PYTHON_USEDEP}]
-	>=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/pycrypto-2.6[${PYTHON_USEDEP}]
-	>=dev-python/aodhclient-0.5.0[${PYTHON_USEDEP}]
-	>=dev-python/python-barbicanclient-4.0.0[${PYTHON_USEDEP}]
-	>=dev-python/python-ceilometerclient-2.5.0[${PYTHON_USEDEP}]
-	>=dev-python/python-cinderclient-1.6.0[${PYTHON_USEDEP}]
-	!~dev-python/python-cinderclient-1.7.0[${PYTHON_USEDEP}]
-	!~dev-python/python-cinderclient-1.7.1[${PYTHON_USEDEP}]
-	>=dev-python/python-designateclient-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/python-glanceclient-2.3.0[${PYTHON_USEDEP}]
-	!~dev-python/python-glanceclient-2.4.0[${PYTHON_USEDEP}]
-	>=dev-python/python-heatclient-1.4.0[${PYTHON_USEDEP}]
-	>=dev-python/python-keystoneclient-2.0.0[${PYTHON_USEDEP}]
-	!~dev-python/python-keystoneclient-2.1.0[${PYTHON_USEDEP}]
-	>=dev-python/python-magnumclient-2.0.0[${PYTHON_USEDEP}]
-	>=dev-python/python-manilaclient-1.10.0[${PYTHON_USEDEP}]
-	>=dev-python/python-mistralclient-2.0.0[${PYTHON_USEDEP}]
-	>=dev-python/python-monascaclient-1.1.0[${PYTHON_USEDEP}]
-	>=dev-python/python-neutronclient-5.1.0[${PYTHON_USEDEP}]
-	>=dev-python/python-novaclient-2.29.0[${PYTHON_USEDEP}]
-	!~dev-python/python-novaclient-2.33.0[${PYTHON_USEDEP}]
-	>=dev-python/python-openstackclient-2.1.0[${PYTHON_USEDEP}]
-	>=dev-python/python-senlinclient-0.3.0[${PYTHON_USEDEP}]
-	>=dev-python/python-swiftclient-2.2.0[${PYTHON_USEDEP}]
-	>=dev-python/python-troveclient-2.2.0[${PYTHON_USEDEP}]
-	>=dev-python/python-zaqarclient-1.0.0[${PYTHON_USEDEP}]
-	>=dev-python/pytz-2013.6[${PYTHON_USEDEP}]
-	>=dev-python/pyyaml-3.1.0[${PYTHON_USEDEP}]
-	>=dev-python/requests-2.10.0[${PYTHON_USEDEP}]
-	>=dev-python/retrying-1.2.3[${PYTHON_USEDEP}]
-	!~dev-python/retrying-1.3.0[${PYTHON_USEDEP}]
-	>=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
-	!~dev-python/routes-2.0[${PYTHON_USEDEP}]
-	!~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')]
-	!~dev-python/routes-2.3[${PYTHON_USEDEP}]
-	>=dev-python/six-1.9.0[${PYTHON_USEDEP}]
-	sqlite? (
-		>=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
-		<dev-python/sqlalchemy-1.1.0[sqlite,${PYTHON_USEDEP}]
-	)
-	mysql? (
-		>=dev-python/pymysql-0.6.2[${PYTHON_USEDEP}]
-		!~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
-		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
-		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
-	)
-	postgres? (
-		>=dev-python/psycopg-2.5.0
-		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
-		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
-	)
-	>=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}]
-	>=dev-python/stevedore-1.16.0[${PYTHON_USEDEP}]
-
-	>=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
-	>=dev-python/yaql-1.1.0[${PYTHON_USEDEP}]"
-
-#PATCHES=(
-#)
-
-pkg_setup() {
-	enewgroup heat
-	enewuser heat -1 -1 /var/lib/heat heat
-}
-
-python_prepare_all() {
-	sed -i '/^hacking/d' test-requirements.txt || die
-	distutils-r1_python_prepare_all
-}
-
-python_install() {
-	distutils-r1_python_install
-	diropts -m0750 -o heat -g heat
-	keepdir /etc/heat
-	dodir /etc/heat/environment.d
-	dodir /etc/heat/templates
-
-	for svc in api api-cfn engine; do
-		newinitd "${FILESDIR}/heat.initd" heat-${svc}
-	done
-
-	insinto /etc/heat
-	insopts -m0640 -o heat -g heat
-	newins "${FILESDIR}/newton-heat.conf.sample" "heat.conf.sample"
-	doins "etc/heat/api-paste.ini"
-	doins "etc/heat/policy.json"
-	insinto /etc/heat/templates
-	doins "etc/heat/templates/"*
-	insinto /etc/heat/environment.d
-	doins "etc/heat/environment.d/default.yaml"
-
-	dodir /var/log/heat
-	fowners heat:heat /var/log/heat
-}
-- 
cgit v1.2.3-65-gdbad