authorMatt Thode <prometheanfire@gentoo.org>2014-01-23 16:31:37 +0000
committerMatt Thode <prometheanfire@gentoo.org>2014-01-23 16:31:37 +0000
commitcaab3191844e82c30327f38c2fa6962ea60d0a7e (patch)
tree034f55810c74a02a40e26f5ee5a13c6b8f8223a9 /sys-cluster/nova
parentUse SLOT="0/15" because SONAME changed in 0.92 (diff)
fixes for CVE-2013-7130, old badness removed
Package-Manager: portage-2.2.7/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-cluster/nova')
-rw-r--r--sys-cluster/nova/ChangeLog11
-rw-r--r--sys-cluster/nova/Manifest34
-rw-r--r--sys-cluster/nova/files/CVE-2013-7130-stable-grizzly.patch161
-rw-r--r--sys-cluster/nova/files/CVE-2013-7130-stable-havana.patch130
-rw-r--r--sys-cluster/nova/nova-2013.1.4-r4.ebuild (renamed from sys-cluster/nova/nova-2013.1.4-r3.ebuild)3
-rw-r--r--sys-cluster/nova/nova-2013.2.1-r2.ebuild (renamed from sys-cluster/nova/nova-2013.2.1-r1.ebuild)3
6 files changed, 323 insertions, 19 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index df08d6387bc2..ae74072ccbc3 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.47 2014/01/08 06:00:45 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.48 2014/01/23 16:31:28 prometheanfire Exp $
+
+*nova-2013.2.1-r2 (23 Jan 2014)
+*nova-2013.1.4-r4 (23 Jan 2014)
+
+ 23 Jan 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2013-7130-stable-grizzly.patch,
+ +files/CVE-2013-7130-stable-havana.patch, +nova-2013.1.4-r4.ebuild,
+ +nova-2013.2.1-r2.ebuild, -nova-2013.1.4-r3.ebuild, -nova-2013.2.1-r1.ebuild:
+ fixes for CVE-2013-7130, old badness removed
08 Jan 2014; Mike Frysinger <vapier@gentoo.org> nova-2013.1.4-r3.ebuild,
nova-2013.1.9999.ebuild, nova-2013.2.1-r1.ebuild, nova-2013.2.9999.ebuild,
diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest
index f7d3085ddd9d..b0053ecd7431 100644
--- a/sys-cluster/nova/Manifest
+++ b/sys-cluster/nova/Manifest
@@ -7,32 +7,34 @@ AUX CVE-2013-4497-grizzly-2.patch 1945 SHA256 8c4be7bc42b485afd64d5ec1dd61ecfb55
AUX CVE-2013-6419_2013.1.4.patch 5711 SHA256 0af9859e7cd0373c3c69fbb7d2256976412599cd079e696344288a81d3422bcd SHA512 b6f2fd940278cf7fa7b0a1d54d6c069f73a5c3462c4adb536c03d611c197ba3509d4464a7ef7539213ba51d749efc5ecc85800a4f86998464cdc2beb42bafd7e WHIRLPOOL ba62d91c0135a8328ca3e4048223630d2c2c133a2231e80655dc4d7dd0b772d1f81402aafaf7ec8742a77ee7cc58e7cf03d915e2058669a105c4553ccc976b48
AUX CVE-2013-6437-2012.1.4.patch 5005 SHA256 75f90ee952d352d739c4702d72b9301c7bacd1a38fcf6601dd432cd4b057a85f SHA512 bdaba7dac2e98f251f6da04052b3bc0167068191685317b05a532372931d1c85c87a091133375b39a84ca87d961730e6f19c3aaae2ca9b7affc9fd0e47825d75 WHIRLPOOL 0404d151b89bb9852f359e27d7f553d9b80ed610a6f960a2d4a2372bf98817f7e0e69c177f2cfd15ff85a0f1043fa013b36f848c6a5b00b4a78a857bd2767a33
AUX CVE-2013-6437-2012.2.1.patch 5116 SHA256 bca9608d40b0c70abebad6911ddb14a49f81412242465294dac0b809966f7303 SHA512 d948575d99e30663a6ab4ab84099b1a1990d1423e83ab353bf81ab1f89f2f6d69e822bc24c2f92a8f25447f6b8faf4891a6174d6c901b5703dfa897c4342d748 WHIRLPOOL 0d78c7d87d73366c6892a7c3170838c30788807e5b82766bd3bb01f0c3123c5107d1557ea7a074836dc7af6d28dc79a868adae3336e9e3a5284ea289b666f816
+AUX CVE-2013-7130-stable-grizzly.patch 7860 SHA256 be82900f1f91e02a6298cf5872f7ff9b3915a9485631c743c1c7f0dcbc172178 SHA512 4b967aa333d55a25133722b828f2f94acf777598ccef31027911ad17e17b9d766b29b7b23cda8bb4ec659623c9e5c4fbe330394a54cd4434b793f97f5cc406ac WHIRLPOOL 3a646f94f4ecd8b7433bd66b6d55cfa96e63178f313db1e31d99a51f3e303aa25246ecd70c8a33fc6f7d31cd810c7e65a1d45758671d65ac56167686ce8616c0
+AUX CVE-2013-7130-stable-havana.patch 6536 SHA256 30fe28b32a6ab5cb329a7673289e1cbf29bb0ae679d17e98b2821a49e9a85b4a SHA512 e7742b5f91a43ef535a54f515f15a90de438d37303945d6cee6a3c490cfa4e26ebca0006bc4e009a580528151727658a5fada953614acb0f5643504b9f283c23 WHIRLPOOL 440eb7a5ec2b7a64d9d391abbebfd7a7700dcd708fffbb96d35b8b82a3533c818233702f55b2ab11616369f03288d43b48b91587e2cb02316f8539fc3713c23d
AUX nova-confd 101 SHA256 d9013141618d1e8b8ba85297155747d9c8fc362238de7bba3108b9a2539c8c73 SHA512 4c7ec1d123f2cdaf394d1f4824df861bbe309b0b329db44080160d81746cd0fc9d4cc1b35da0f66ab075f1d4e835ababfb7bccaf4a2e931e60f2c0ac572a552e WHIRLPOOL 6a237357a3905d29a96b32c37f6d189e4f5cefc0986bb091e24a79295191332143741c604c2a9fd44484c75b3be89742a5570862cf0cd4ba225425f7f32b5348
AUX nova-initd 1496 SHA256 5b5f928335ac345103492555c3bc57407f547915b099762d0087aef172e5edf8 SHA512 cca06baba484d505f3a96643d836204a08e9dde50197531cdab2d95188b992a95a375a386b9c54fcc8e0a4f6167babba975db7510db1087f044afa39effe4eec WHIRLPOOL 4c667a5cc469826063a65879c1beddc98371edf295a273c9b8f679627cabfe2260d8b3bbdf9550d3894fc1525d63b9f98d6e939406f90ac5f2f745daa59311c2
AUX nova-sudoers 78 SHA256 9e88c2843fb74cc46802c0b103067ad12915ec50335d05e546a5dba76acb4a76 SHA512 22c0606c6335b2d1a03bd18a319a54f16f76f091b2e8416dbba05ce7c15890beff7f32f0322eb5ba3f2a5c750436cacbe0cee189b390b878e3f0c0df219ef984 WHIRLPOOL bc42ae1d12e9f900b263fd5c3d0f59062f46fbec1ff97c0bceb234082bea5943eb64795b4f5e102b8e2749c6868163e5924467088cad42df09345e3406e5f83c
DIST nova-2013.1.4.tar.gz 5801779 SHA256 0491ec81552b9c407021941ea1c477d5bcd93ec1dcc66d5fc0c1cef594dac760 SHA512 de1addcbc4577c4a376d8762e44d6f7c455bd63ba0be9d8a6a7176ef7a24e85f2bf9014e31d1180e42e48308ee6a17dcf039da2739388501a5fedbad8e5a7f0c WHIRLPOOL 08898e55b7380bd1852c00dcd8e03d4eb06c8c888688d66ba717842929973235eb9d6d34dda4be2700f208a7ff9e088de2690a74acd97f5cb6b81bcce743ece3
DIST nova-2013.2.1.tar.gz 8937179 SHA256 b1a4ccb24d9a55b7ef0edc1a2b4ba374d52360a1f41148c92823787e8747401e SHA512 34b8e05128e000770731c63c4240071b8a764913b42bc9284a79af3d76fb10d6c825ca78e490762237a8ee416ce04a9a3f0c7ddcad54cb6830fd6376851d050f WHIRLPOOL 9a54affc20c10d88f0f559528b5d24ce71a073b90d710b7d84be53d150a2cfe47e766a4eda3638620ba8d7075b7f354af1ada2489eb04f8d18cdeb9cee5d5016
-EBUILD nova-2013.1.4-r3.ebuild 5411 SHA256 2cb18af6e9bd42bd542d60e08b684b3fad0dd8b1bc52cde88a32baeb890e7ecf SHA512 e05d1e3b0451b316c819bcb0b0521e8d540a8ec5501c91544d5918008f5cf1c9b914f039824c917eb6059d924b7a0d8290c9d835ae68f04aabd04f27f8222566 WHIRLPOOL 3016fa0948ea65ac46f0bf09b2fa73d93b86d24eb0c4e1e90e89df08ab17a1620203ec325e77a1e2805cdbaa4c08d6628c8e1faf3fa2425f782b87e0f17be5a6
+EBUILD nova-2013.1.4-r4.ebuild 5469 SHA256 0e69374d3dad28e8f8836a9db74ae005942de8f6d297e389e769190008bd2f78 SHA512 75773feaee68f407cd359b7b27824aae1c8cfbba118237d429ce8c33bebef355028b26ba08e1335cb146b73dd5666e6d2cd86cb482c4f131ecddbbd34d116076 WHIRLPOOL 2593e0171c8abeafb5ddbb7d1a4f6931793cd25a16577cc033889dfa3f52044c53149de7f474dab74862e1f02a11c55258e18887b8b8e6c1627e37269f81c114
EBUILD nova-2013.1.9999.ebuild 5070 SHA256 1dd4815b62e7290b24f0a6ebed20b388546d1cc143fc9ee3ecf1fc9a572188c6 SHA512 d75b2d6e7c100b86627f06de5d14b9094b3074f8bf758b5f9195f5fd589bf3bd0fe6a5d0ac9d1b74e604754b905f9e2020c953631da7549156de6b50bb273b09 WHIRLPOOL 83349cd2a1d59d7faef7112d786e223dcc0403664ce763cfb8b793b1ad7fb2d68b33dc1134eafc9cddccfd366815013e578e992080d280d29239e33cfdd12e46
-EBUILD nova-2013.2.1-r1.ebuild 5124 SHA256 ffa6f0e9a1a0ae24fcbb0528bc0614643c1dd3f343c3610879a0b4a9a0bd6e3a SHA512 03ff0c76465d982657610f554ccb5f877ff2e428725fd4fe9cde05169a5e12c7ab4287c7e7a548d279e3ecfe4aea60aeb3d65f48a638d4bd25b7edcc8e67cddf WHIRLPOOL 542594a826ba2f1931cc173985bf9da15cc4aaf4f45714f5c164b35fc9d3bc7329631789ca4233943c82de1525379e620fd75fd0f72f518816b7a88ac42197e6
+EBUILD nova-2013.2.1-r2.ebuild 5181 SHA256 efbe3d0d2ee7eb826f65afc978ad44e3612d2fb890c58368d0eec49a4267e57d SHA512 456b1a3dadb2c10d486a297732b39e9fee3839c7565a2008c66b9eccd5c9766c01423f6602a4ce16adc2652a04806ee40e05c0b60d50a572c478114d51c937c1 WHIRLPOOL 9c8edb98bbfd16f7a5c086b6f61183d78a7b13ac2f27e8f190c68d7af59d88bb17f2a335ca922d3bcefd83930efeeecdd9f39c822e281446fb324ae70965c413
EBUILD nova-2013.2.9999.ebuild 5086 SHA256 9a7a79415aa6c5597a7eaac6967c9a69e917c183dc6424f5eaaed42753c996ab SHA512 b964c5fe5caf221fd00c94444470b3c638b504352fdaf48985784a157cbb1b71379af34e10bb9977da99dede7e6eb67e3ceb8d40bcd5b570639d609cb710a724 WHIRLPOOL 2088fe0677075c2efdaebdd9a5295146daba5a2f1bf0d3bd85c24ca891564176523a324445325e7b7f2019c7dfcdbc2cede820b89fa417746fadb2a0796a0f89
EBUILD nova-9999.ebuild 5225 SHA256 8336956c0a15fd17e15f748c6445c3b144f2a9047dd8257ba3dda7a7b7f1ad01 SHA512 6d961e646096eb4df5814d31b06352f999291becefa5e8fdd88afd14e6ede54e583ba224e474e1122e90b114da4136782cd8336afb467c61fc5400a7dd3a05e8 WHIRLPOOL c4bad3d35be8adb4af48562507ef213185e6d722541226e7d8bedd02578265c035874b371f432db4d1db222fc2776cc74374a508ca562a30dae622a86e0bab10
-MISC ChangeLog 11316 SHA256 64081113b1d942c4033a227bb9fc21afd049723886f8cc3d9694ef14b7ad3b87 SHA512 308512dd0b830464561f42c017da9afdff8e56c0cd8f3aba3673e286e53cc6862ff4165c8e12f548050a8067041b5f53b2f02762e36774064a8c7575eb809afc WHIRLPOOL d8766d6626f8b3cb631299419aa85bb020175e1e012cf4dce37294b13582ddc16365dc1dcd74759f4a1ae9f63ae890c9393b2f58bb4395e9a322e691aa244f56
+MISC ChangeLog 11689 SHA256 aee0af3bed3bd1cb489cfe7d2465c0bcd7fb7fe88de301c080cfa94aa40e80d2 SHA512 7dbadc7f394870ba5083545fc28850b10a35efa6cb03b15b096ed008b71478b6f9af6f553fac80ef2c11499ca9d4b82089360f39a4dd919217b14abad6a98b7c WHIRLPOOL 72b73d0f25ffd0ce88a8fea3324557a72ba5c0eeabc6c71f927351b4390d6292aa6d3d22853a4625708376b9f1c4a04356be943d5ef93e3a07acc5e70cb95672
MISC metadata.xml 1452 SHA256 29bf3efaab7a4e45f5e442b26a7606edaed3f47e4ffec3e8990f95aea6bf2450 SHA512 537664b6ff29f4afe09eb4635c2cb06d87a6c3c3101e8ef89d1ab9b5b802c79024e94a0cce5a44ec2fd5b1cc37a251dd42156a015b6a294f219b90daff17c9c1 WHIRLPOOL c6e44f9a48fea6ae2a323e9e03d8805301fb0d94bb5634b1946909715f6c05d45c49180204d00221aae1e6dc6748347b4273fae838216b5d5d07932bc473a851
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-iQIcBAEBCAAGBQJSzOmWAAoJEPGu1DbS6WIAokkP+gIFq08+qwezBY/+PH12vzbz
-ofO60ahnIOjWRRMpro0lk4daXVZhc73oX9junZ1XQyeiylrvXjTSZD79APrFaTEU
-BKIDzJLr9IanYtSy5NYuRv5SctgghKH1fd6ZSX36uiM4DUacY2pbS/RtyRrCpYcu
-7XSGYmU8rA0bLQcRkSpH+pDL9ACbB29KzixDlkkT+xz1xGAdhrAXbquuiEs6RmiN
-mAKQyrEKyRtRSsOn30zhk2ynugupzqKcNgRg+5qnoZ+rGAcDx9OJFVSzlYMqAniC
-L1O5x0dhV0tx0EHuhhTMHlrcUgxIrVUU3h5oxFK5keECGpfpRxApRU0jjEnbAnTj
-EiIZ5zFTpC0GtTkuww309bGGPsXy/kW0diMHQqrZXEniajkEar8zyb58xsZeR9Xp
-8OQQfPKmQkxOWreCjkvVlTRJZ+wiY/AkSkglvpYqzcfjYfZWTbaskv/Kcs+6bWNO
-eKg1B4p8eNh9Hs5m34nCcv/KJ9BDCX6gaBy1dULOc2jikiLtDvauuasqM0l3T526
-Jgz+ELA2e1RLYjh+Elu7A9Te6J4sF83Vxd66TESBFu3nJcdeZiefFNZivXMTl4cf
-AjtQvyrnvMhmm32lcItAjxpwFmQQ8FnL3rqkxpNtJjVAHGVeKtyaQvWapdw+yuV+
-Y1J+aSBUzsxTxaCbEA4x
-=38mf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+=FKIC
-----END PGP SIGNATURE-----
diff --git a/sys-cluster/nova/files/CVE-2013-7130-stable-grizzly.patch b/sys-cluster/nova/files/CVE-2013-7130-stable-grizzly.patch
new file mode 100644
index 000000000000..c77d629a06d9
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2013-7130-stable-grizzly.patch
@@ -0,0 +1,161 @@
+From 35e0ee309e040a95988a433120f1eba747f6f33c Mon Sep 17 00:00:00 2001
+From: Nikola Dipanov <ndipanov@redhat.com>
+Date: Tue, 10 Dec 2013 17:43:17 +0100
+Subject: [PATCH] libvirt: Fix root disk leak in live mig
+
+This patch makes sure that i_create_images_and_backing method of the
+libvirt driver (called in several places, but most problematic one is
+the call in the pre_live_migration method) creates all the files the
+instance needs that are not present.
+
+Prioir to this patch - the method would only attempt to download the
+image, and if it did so with the path of the ephemeral drives, it could
+expose the image to other users as an ephemeral devices. See the related
+bug for more detaiis.
+
+After this patch - we properly distinguish between image, ephemeral and
+swap files, and make sure that the imagebackend does the correct thing.
+
+Closes-bug: #1251590
+
+Co-authored-by: Loganathan Parthipan <parthipan@hp.com>
+
+This patch also includes part of commit
+65386c91910ee03d947c2b8bcc226a53c30e060a, not cherry-picked as a whole
+due to the fact that it is a trivial change, and to avoud the
+proliferation of patches needed to fix this bug.
+
+Change-Id: I78aa2f4243899db4f4941e77014a7e18e27fc63e
+(cherry picked from commit c69a619668b5f44e94a8fe1a23f3d887ba2834d7)
+
+Conflicts:
+ nova/tests/test_libvirt.py
+ nova/virt/libvirt/driver.py
+---
+ nova/tests/test_libvirt.py | 63 +++++++++++++++++++++++++++++++++++++++++++++
+ nova/virt/libvirt/driver.py | 31 +++++++++++++++-------
+ 2 files changed, 85 insertions(+), 9 deletions(-)
+
+diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
+index d2ac73b..d9c7405 100644
+--- a/nova/tests/test_libvirt.py
++++ b/nova/tests/test_libvirt.py
+@@ -2346,6 +2346,69 @@ class LibvirtConnTestCase(test.TestCase):
+
+ db.instance_destroy(self.context, instance_ref['uuid'])
+
++ def test_create_images_and_backing(self):
++ conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
++ self.mox.StubOutWithMock(conn, '_fetch_instance_kernel_ramdisk')
++ self.mox.StubOutWithMock(libvirt_driver.libvirt_utils, 'create_image')
++
++ libvirt_driver.libvirt_utils.create_image(mox.IgnoreArg(),
++ mox.IgnoreArg(),
++ mox.IgnoreArg())
++ conn._fetch_instance_kernel_ramdisk(self.context, self.test_instance)
++ self.mox.ReplayAll()
++
++ self.stubs.Set(os.path, 'exists', lambda *args: False)
++ disk_info_json = jsonutils.dumps([{'path': 'foo', 'type': None,
++ 'disk_size': 0,
++ 'backing_file': None}])
++ conn._create_images_and_backing(self.context, self.test_instance,
++ "/fake/instance/dir", disk_info_json)
++
++ def test_create_images_and_backing_ephemeral_gets_created(self):
++ conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
++ disk_info_json = jsonutils.dumps(
++ [{u'backing_file': u'fake_image_backing_file',
++ u'disk_size': 10747904,
++ u'path': u'disk_path',
++ u'type': u'qcow2',
++ u'virt_disk_size': 25165824},
++ {u'backing_file': u'ephemeral_1_default',
++ u'disk_size': 393216,
++ u'over_committed_disk_size': 1073348608,
++ u'path': u'disk_eph_path',
++ u'type': u'qcow2',
++ u'virt_disk_size': 1073741824}])
++
++ base_dir = os.path.join(CONF.instances_path, '_base')
++ ephemeral_target = os.path.join(base_dir, 'ephemeral_1_default')
++ image_target = os.path.join(base_dir, 'fake_image_backing_file')
++ self.test_instance.update({'name': 'fake_instance',
++ 'user_id': 'fake-user',
++ 'os_type': None,
++ 'project_id': 'fake-project'})
++
++ self.mox.StubOutWithMock(libvirt_driver.libvirt_utils, 'fetch_image')
++ self.mox.StubOutWithMock(conn, '_create_ephemeral')
++ self.mox.StubOutWithMock(conn, '_fetch_instance_kernel_ramdisk')
++
++ conn._create_ephemeral(
++ target=ephemeral_target,
++ ephemeral_size=self.test_instance['ephemeral_gb'],
++ max_size=mox.IgnoreArg(), os_type=mox.IgnoreArg(),
++ fs_label=mox.IgnoreArg())
++ libvirt_driver.libvirt_utils.fetch_image(context=self.context,
++ image_id=mox.IgnoreArg(),
++ user_id=mox.IgnoreArg(), project_id=mox.IgnoreArg(),
++ max_size=mox.IgnoreArg(), target=image_target)
++ conn._fetch_instance_kernel_ramdisk(
++ self.context, self.test_instance).AndReturn(None)
++
++ self.mox.ReplayAll()
++
++ conn._create_images_and_backing(self.context, self.test_instance,
++ "/fake/instance/dir",
++ disk_info_json)
++
+ def test_pre_live_migration_works_correctly_mocked(self):
+ # Creating testdata
+ vol = {'block_device_mapping': [
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index 0f0ea46..39191af 100755
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -3304,19 +3304,32 @@ class LibvirtDriver(driver.ComputeDriver):
+ elif info['backing_file']:
+ # Creating backing file follows same way as spawning instances.
+ cache_name = os.path.basename(info['backing_file'])
+- # Remove any size tags which the cache manages
+- cache_name = cache_name.split('_')[0]
+
+ image = self.image_backend.image(instance,
+ instance_disk,
+ CONF.libvirt_images_type)
+- image.cache(fetch_func=libvirt_utils.fetch_image,
+- context=ctxt,
+- filename=cache_name,
+- image_id=instance['image_ref'],
+- user_id=instance['user_id'],
+- project_id=instance['project_id'],
+- size=info['virt_disk_size'])
++ if cache_name.startswith('ephemeral'):
++ image.cache(fetch_func=self._create_ephemeral,
++ fs_label=cache_name,
++ os_type=instance["os_type"],
++ filename=cache_name,
++ size=info['virt_disk_size'],
++ ephemeral_size=instance['ephemeral_gb'])
++ elif cache_name.startswith('swap'):
++ inst_type = flavors.extract_flavor(instance)
++ swap_mb = inst_type['swap']
++ image.cache(fetch_func=self._create_swap,
++ filename="swap_%s" % swap_mb,
++ size=swap_mb * unit.Mi,
++ swap_mb=swap_mb)
++ else:
++ image.cache(fetch_func=libvirt_utils.fetch_image,
++ context=ctxt,
++ filename=cache_name,
++ image_id=instance['image_ref'],
++ user_id=instance['user_id'],
++ project_id=instance['project_id'],
++ size=info['virt_disk_size'])
+
+ # if image has kernel and ramdisk, just download
+ # following normal way.
+--
+1.8.3.1
+
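Review bot: The `elif cache_name.startswith('swap')` branch added to nova/virt/libvirt/driver.py is not exercised by either new test in test_libvirt.py; neither passes a swap-prefixed `backing_file`. That branch uses `flavors.extract_flavor` and `unit.Mi`, and the embedded patch touches driver.py in this one hunk only, so it adds no import for either name. If one of them is not already in scope on the grizzly branch, the failure would surface only at run time inside `_create_images_and_backing`, for example when called from `pre_live_migration`. Confirm both names are imported and add a test with a `swap_`-prefixed `backing_file` that expects `_create_swap` to be called. The same untested branch appears in CVE-2013-7130-stable-havana.patch; the enclosing method starts and ends outside the hunk.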
diff --git a/sys-cluster/nova/files/CVE-2013-7130-stable-havana.patch b/sys-cluster/nova/files/CVE-2013-7130-stable-havana.patch
new file mode 100644
index 000000000000..6e2c55de2a88
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2013-7130-stable-havana.patch
@@ -0,0 +1,130 @@
+From c8423d648d578397e2742f9d0b21c90171e2efc3 Mon Sep 17 00:00:00 2001
+From: Nikola Dipanov <ndipanov@redhat.com>
+Date: Tue, 10 Dec 2013 17:43:17 +0100
+Subject: [PATCH] libvirt: Fix root disk leak in live mig
+
+This patch makes sure that i_create_images_and_backing method of the
+libvirt driver (called in several places, but most problematic one is
+the call in the pre_live_migration method) creates all the files the
+instance needs that are not present.
+
+Prioir to this patch - the method would only attempt to download the
+image, and if it did so with the path of the ephemeral drives, it could
+expose the image to other users as an ephemeral devices. See the related
+bug for more detaiis.
+
+After this patch - we properly distinguish between image, ephemeral and
+swap files, and make sure that the imagebackend does the correct thing.
+
+Closes-bug: #1251590
+
+Co-authored-by: Loganathan Parthipan <parthipan@hp.com>
+
+Change-Id: I78aa2f4243899db4f4941e77014a7e18e27fc63e
+(cherry picked from commit c69a619668b5f44e94a8fe1a23f3d887ba2834d7)
+
+Conflicts:
+ nova/virt/libvirt/driver.py
+---
+ nova/tests/virt/libvirt/test_libvirt.py | 42 +++++++++++++++++++++++++++++++++
+ nova/virt/libvirt/driver.py | 31 +++++++++++++++++-------
+ 2 files changed, 65 insertions(+), 8 deletions(-)
+
+diff --git a/nova/tests/virt/libvirt/test_libvirt.py b/nova/tests/virt/libvirt/test_libvirt.py
+index c176985..191b3f8 100644
+--- a/nova/tests/virt/libvirt/test_libvirt.py
++++ b/nova/tests/virt/libvirt/test_libvirt.py
+@@ -3047,6 +3047,48 @@ class LibvirtConnTestCase(test.TestCase):
+ conn._create_images_and_backing(self.context, self.test_instance,
+ "/fake/instance/dir", disk_info_json)
+
++ def test_create_images_and_backing_ephemeral_gets_created(self):
++ conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
++ disk_info_json = jsonutils.dumps(
++ [{u'backing_file': u'fake_image_backing_file',
++ u'disk_size': 10747904,
++ u'path': u'disk_path',
++ u'type': u'qcow2',
++ u'virt_disk_size': 25165824},
++ {u'backing_file': u'ephemeral_1_default',
++ u'disk_size': 393216,
++ u'over_committed_disk_size': 1073348608,
++ u'path': u'disk_eph_path',
++ u'type': u'qcow2',
++ u'virt_disk_size': 1073741824}])
++
++ base_dir = os.path.join(CONF.instances_path,
++ CONF.image_cache_subdirectory_name)
++ self.test_instance.update({'name': 'fake_instance',
++ 'user_id': 'fake-user',
++ 'os_type': None,
++ 'project_id': 'fake-project'})
++
++ with contextlib.nested(
++ mock.patch.object(conn, '_fetch_instance_kernel_ramdisk'),
++ mock.patch.object(libvirt_driver.libvirt_utils, 'fetch_image'),
++ mock.patch.object(conn, '_create_ephemeral')
++ ) as (fetch_kernel_ramdisk_mock, fetch_image_mock,
++ create_ephemeral_mock):
++ conn._create_images_and_backing(self.context, self.test_instance,
++ "/fake/instance/dir",
++ disk_info_json)
++ self.assertEqual(len(create_ephemeral_mock.call_args_list), 1)
++ m_args, m_kwargs = create_ephemeral_mock.call_args_list[0]
++ self.assertEqual(
++ os.path.join(base_dir, 'ephemeral_1_default'),
++ m_kwargs['target'])
++ self.assertEqual(len(fetch_image_mock.call_args_list), 1)
++ m_args, m_kwargs = fetch_image_mock.call_args_list[0]
++ self.assertEqual(
++ os.path.join(base_dir, 'fake_image_backing_file'),
++ m_kwargs['target'])
++
+ def test_create_images_and_backing_disk_info_none(self):
+ conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
+ self.mox.StubOutWithMock(conn, '_fetch_instance_kernel_ramdisk')
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index 500ce51..c74b2ad 100644
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -4209,14 +4209,29 @@ class LibvirtDriver(driver.ComputeDriver):
+
+ image = self.image_backend.image(instance,
+ instance_disk,
+- CONF.libvirt_images_type)
+- image.cache(fetch_func=libvirt_utils.fetch_image,
+- context=context,
+- filename=cache_name,
+- image_id=instance['image_ref'],
+- user_id=instance['user_id'],
+- project_id=instance['project_id'],
+- size=info['virt_disk_size'])
++ CONF.libvirt.images_type)
++ if cache_name.startswith('ephemeral'):
++ image.cache(fetch_func=self._create_ephemeral,
++ fs_label=cache_name,
++ os_type=instance["os_type"],
++ filename=cache_name,
++ size=info['virt_disk_size'],
++ ephemeral_size=instance['ephemeral_gb'])
++ elif cache_name.startswith('swap'):
++ inst_type = flavors.extract_flavor(instance)
++ swap_mb = inst_type['swap']
++ image.cache(fetch_func=self._create_swap,
++ filename="swap_%s" % swap_mb,
++ size=swap_mb * unit.Mi,
++ swap_mb=swap_mb)
++ else:
++ image.cache(fetch_func=libvirt_utils.fetch_image,
++ context=context,
++ filename=cache_name,
++ image_id=instance['image_ref'],
++ user_id=instance['user_id'],
++ project_id=instance['project_id'],
++ size=info['virt_disk_size'])
+
+ # if image has kernel and ramdisk, just download
+ # following normal way.
+--
+1.8.3.1
+
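Review bot: The new `if cache_name.startswith('ephemeral')` / `elif cache_name.startswith('swap')` dispatch in driver.py has no comment, although per the commit message it is the check that keeps image data from being written to a backing file that is then exposed as an ephemeral device. A short comment above it would help, e.g. `# Ephemeral and swap backing files must be created blank, never fetched from the image (bug #1251590).` The comment should also say that the classification relies on the cache file naming convention, which is not visible in this hunk. In the ephemeral branch, `fs_label=cache_name` passes the whole cache file name (`ephemeral_1_default` in the test) as the filesystem label, so check that `_create_ephemeral` and whatever formats the disk accept a label of that length. The enclosing method starts and ends outside the hunk.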
diff --git a/sys-cluster/nova/nova-2013.1.4-r3.ebuild b/sys-cluster/nova/nova-2013.1.4-r4.ebuild
index 0400a6760267..aacf80b50784 100644
--- a/sys-cluster/nova/nova-2013.1.4-r3.ebuild
+++ b/sys-cluster/nova/nova-2013.1.4-r4.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.1.4-r3.ebuild,v 1.2 2014/01/08 06:00:45 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.1.4-r4.ebuild,v 1.1 2014/01/23 16:31:28 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -75,6 +75,7 @@ PATCHES=(
"${FILESDIR}/CVE-2013-4497-grizzly-2.patch"
"${FILESDIR}/CVE-2013-6419_2013.1.4.patch"
"${FILESDIR}/CVE-2013-6437-2012.1.4.patch"
+ "${FILESDIR}/CVE-2013-7130-stable-grizzly.patch"
)
pkg_setup() {
diff --git a/sys-cluster/nova/nova-2013.2.1-r1.ebuild b/sys-cluster/nova/nova-2013.2.1-r2.ebuild
index 1195edefa90c..2b4842a7299f 100644
--- a/sys-cluster/nova/nova-2013.2.1-r1.ebuild
+++ b/sys-cluster/nova/nova-2013.2.1-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.1-r1.ebuild,v 1.2 2014/01/08 06:00:45 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2013.2.1-r2.ebuild,v 1.1 2014/01/23 16:31:28 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -72,6 +72,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
PATCHES=(
"${FILESDIR}/CVE-2013-6437-2012.2.1.patch"
+ "${FILESDIR}/CVE-2013-7130-stable-havana.patch"
)
pkg_setup() {