authorMatt Thode <prometheanfire@gentoo.org>2013-02-20 05:57:22 +0000
committerMatt Thode <prometheanfire@gentoo.org>2013-02-20 05:57:22 +0000
commit72b9c620e4983e503967dea6e112cb5605af9e77 (patch)
treebfb60327f4570503660fc48db1f2305a573c5976 /sys-cluster
parentupdating nova and addressing CVE-2013-1664 from bug 458330 (diff)
updating cinder and addressing CVE-2013-1664 from bug 458332
Package-Manager: portage-2.1.11.50/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-cluster')
-rw-r--r--sys-cluster/cinder/ChangeLog9
-rw-r--r--sys-cluster/cinder/Manifest33
-rw-r--r--sys-cluster/cinder/cinder-2012.2.3.ebuild (renamed from sys-cluster/cinder/cinder-2012.2.1.ebuild)8
-rw-r--r--sys-cluster/cinder/files/cinder-2012.2-CVE-2013-1664.patch253
4 files changed, 284 insertions, 19 deletions
diff --git a/sys-cluster/cinder/ChangeLog b/sys-cluster/cinder/ChangeLog
index 5f2061bab329..5fc110e798e0 100644
--- a/sys-cluster/cinder/ChangeLog
+++ b/sys-cluster/cinder/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-cluster/cinder
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/cinder/ChangeLog,v 1.3 2013/02/07 18:57:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/cinder/ChangeLog,v 1.4 2013/02/20 05:57:08 prometheanfire Exp $
+
+*cinder-2012.2.3 (20 Feb 2013)
+
+ 20 Feb 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/cinder-2012.2-CVE-2013-1664.patch, -cinder-2012.2.1.ebuild,
+ +cinder-2012.2.3.ebuild:
+ updating cinder and addressing CVE-2013-1664 from bug 458332
07 Feb 2013; Matthew Thode <prometheanfire@gentoo.org>
cinder-2012.2.1.ebuild:
diff --git a/sys-cluster/cinder/Manifest b/sys-cluster/cinder/Manifest
index dad59528776c..4ffa42355fd3 100644
--- a/sys-cluster/cinder/Manifest
+++ b/sys-cluster/cinder/Manifest
@@ -1,24 +1,25 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
-DIST cinder-2012.2.1.tar.gz 3592524 SHA256 a833e9a97369012eb792cac2555bbeea266c3fd36782ac8d4c0807c5b12b52b0 SHA512 228463b0a711fb9e7d4e14b2e2419779cb3afb48946d27e99c0c5b06150d9db96353fecca39d7137b111ac30f0f2757c6690a6453b8a2403bb824e425bc4316e WHIRLPOOL 20c39781917536c3d133ad4f30e291e31d6959ce0d316377c992f03fd29d2fabe440b7b45dd55b1e2477b215b9b073f3f2de8d9ff4e547e1bcb16e42508a51bc
-EBUILD cinder-2012.2.1.ebuild 1847 SHA256 84ea071eb2c9c763f2f58970a5dfd212a38be97201f955905130dab495e69ef3 SHA512 31f41b9efb2f75520cba198267e32dedb1334ffa784737dd8374c45191c13592c614a370e4e207fb289c07180c1590b298d9ec3bcc991cc12251be78e7bbaf49 WHIRLPOOL aa51378dfb17f42cac4635fc7a70334e8776183737ef861854d08e4a704e499a0849284caa50fcc5eb9fe27bcc0dd9d84853b23700c6a9dce96de0919b67846a
-MISC ChangeLog 612 SHA256 9bb30d53ac0759ca4370e13693b83fb8c65ac423aa0e712818766498b3358569 SHA512 6c3a29c76b52a97c203ab12f760bb996cc281ae23882f8a7c502a577742a4545eb921dfe7a3692a1a9e266c9d76f8891d634542ee75dc4964eeab53b1c01127a WHIRLPOOL ac37168e8a7da010258317b5624ebe14197c82bd67c89f258ad1278a60b61421b85c95774ff625b89a17dd77b9b33278d57f6bd7c7e13466eeed35d1538d05f7
+AUX cinder-2012.2-CVE-2013-1664.patch 9288 SHA256 d653def916b4a0900d6794ee516911d5be89524ccdde04b730455ecdc5d98714 SHA512 73d40a61fc1a71788578647f8072e69e96711d7297b39a57c3dceaee0a9a6f1f79d54adfbd60d85ba93cf2d4738546f70789ca3ef67c1a8f085eda3a6d00b117 WHIRLPOOL a5ab043f265cae1b27d6fb7ff445676e2eeade373e77ea050fe425f9b17891d8013f1e530ff8f0bc3e8c3f0907c8eedf6905455a4602ac0723c044fc745dcb9d
+DIST cinder-2012.2.3.tar.gz 3593130 SHA256 d30b01282c291637cfcb97d3d6b7deb7494a882510a60696005ea0cd12552285 SHA512 b529bed354cf252af9047e8a5d53a5e6ccf8fd4e022757fcf6652201ba581568665f9cd0636ce00ec142beddd063795cfa6aee91667a86eb3f7aa6b82bc7c401 WHIRLPOOL 4193dafccee86559212019d385b23f15db73e375ac0f6c865965cce449c6d49b7f648115cb4e2dde50596903887ea4cb2cb8c4b78a2d8c53a9ab7d82cafbc17b
+EBUILD cinder-2012.2.3.ebuild 1929 SHA256 4991bc206054a9815cca0147ff30e2090c0041fd1a6dadefbe311b8535fabf0d SHA512 29b93c4ed2e14eeecc252e8659cf05f6bbacbd1ee6077091d9cf66361bd70d4095cce317711ed8b17ede654f0753502cc295bc9b6e0d4b0452ceab9fd347abb7 WHIRLPOOL 621c811e911d21bf94398554e2fd4e6ec932c1e5fdbfa4080b9ac281d00835be2d03d060f4bf16fd2aef3635f2b85c1fbc714b6e0ae533b109ac538fdf5e660e
+MISC ChangeLog 861 SHA256 e19126c763985651519cbfc93fb67eb84fc82b936f51322558b8a9ce19cfc484 SHA512 caf9c7553506c3837dbb5e24e61a7fe274e8efba56b74f5cb2f9c13d98bc91bc6c8d1712f7a097b0fa10790eb3d405ec45e8dfba165ac7f77c30fcaba344d6cd WHIRLPOOL 073f176238e88ba08cf68369ad3a896cf2968f030aa55492659df0dac8bbf859df32c73320b96b4373c3cc4070171b98eb3291847af4c2588f31f5c75705c3c8
MISC metadata.xml 386 SHA256 049469c130aea5d28154763070dfa05800c071d138bb7b3b67f54c0b1d6f5110 SHA512 b9a20b497b8b78043a823124aef87473e7dececbe9b13290a6113718b87b22b028d5b0893fd2c81436f39fcccc48d8d4fc17701ae19875df65782247fa58d22b WHIRLPOOL 3db5e73e3edef5166335d2a5db91616ca67b5bf6fd69781684a632b0e54a236ac96c46ab4f3c8522ef0c7e4a87d87dece07c48a5a8e9616aa9b6fb2d3ec47ade
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iQIcBAEBCAAGBQJRE/VDAAoJECRx6z5ArFrDW2wP/iDsAAi1HNv2OZJkfyiTXl6s
-ub0S5FkYyNzehTGQLlph70KUMwc7xd10i7TZCbUkB6Tkz78tHphg+uQ3XYwZwvAt
-3o5sCnNfddmay1m5dh3r2fplX7WbGzombudI0lCQA2oKn+aoUVMGiv5uhqG9xEFF
-V3r0V8w+STE7wCq0sVnPkMRGGw5jg1OzEt7XA+DkEaMEcyqBs0ZIf3XMJQit75xk
-d0whvsLFIX3MYWHzizWeCilYWKS7bDsGz46ZFGLfGiWeEcvQ9+0rGDilQHPNWCEi
-mwobOkhALRE4WiqqgcKquGLuRExkrZJkFKYlvplR4QrYj3Pmg9Th68Q1hKgxGfJ8
-k9Q2F/AhJI2abddT02nVj1fkJK2CBvSJ3CBXxi12uGsm1Fa5qUX+bH8InV84vv6c
-A3xLCUQyisVj9PG1SCfpqMWXoy6c9K3X5Iv7nfUZHkX0rvGjE9+CF64YL60AkQGn
-viuxvU1ew3BQQUl6UxzqVts6uJjwODLibTD7vM+Ftl21Voq2gmyrymOpQeJwTxga
-gMUbEEDndEFM3+ww1fJ9RaF3lxkjNcCxW+IapLYjhtKLu4YGk0H4LVuqdwobfjhD
-fQUSWVRVmedXT582egzs4f3R7crwjFsKDwjzQGXtQ2YjniGJX+SKG69Ko4w+rd8O
-q/p47G/gD/J4TOlF4kCz
-=/I+Z
+iQIcBAEBCAAGBQJRJF8DAAoJECRx6z5ArFrDsGUP/2N/W1P7zELRk1fwrxFd0+kv
+ECpJcffQM3jY14sVd5vEHgv6zIDGZNOg7RI9zndPLsve/P24jrO+9q706gghYGJW
+tgTgFRBcVvSFWn3RCMhRFPlJ/xj2jbH7EFDVn/95kGKSw5cXcQDDmvNXytykpCQr
+46mf7YPIxCNTUKtvW01CkOduyETfssDQAK7qD0xEQAOOmrw/LK7vCOezS/C7Q3l7
+82ryZaGLHz5F9j5zy5kN/1/B21uj3Ijrg4yUtxRPi/sOFHLUFWj8wT47l5ENJZoq
+aZKIRG6nZAxYEGlYsF2vHAvYggOJ6A1l+AYGKorKb5oQSFZDELyp5C80WetdT2Wt
+uVJ1sjQGxOZ9AdGGXbLgQgB3hn/WqKlr3+g/ePw5zAyiWRCyYnceY5N6YjUwOMJ7
+EpMvi6QJNvGdEq+HBc0FMLISyuU/B0wGwQevS2Ot1FwsMO5RyANlXf+E3grakef1
+UDK67JtRqglMh/Cg9np6dtGHV2C7mPxHJBA/BGwToCqpKBDd/kfPh71AcqZOgYph
+9yRl7KZ67uxWyJ0pkzFk04oZ76oF0p+EoYx1EmB3AYXXj6uIGOJ9c5Hbu9F99pd7
+CffNvZg71kDimAn+vNwB5+I3/b9nELsSKhE6GvlD6knSNqC8aFv1ul5cQaU+Rl5V
+MEMk91sqvfUKfWriZdYt
+=Ze8M
-----END PGP SIGNATURE-----
diff --git a/sys-cluster/cinder/cinder-2012.2.1.ebuild b/sys-cluster/cinder/cinder-2012.2.3.ebuild
index ae85e078296d..553bea659481 100644
--- a/sys-cluster/cinder/cinder-2012.2.1.ebuild
+++ b/sys-cluster/cinder/cinder-2012.2.3.ebuild
@@ -1,11 +1,11 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/cinder/cinder-2012.2.1.ebuild,v 1.3 2013/02/07 18:57:19 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/cinder/cinder-2012.2.3.ebuild,v 1.1 2013/02/20 05:57:08 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_5 python2_6 python2_7 )
-inherit distutils-r1
+inherit distutils-r1 eutils
DESCRIPTION="Cinder is the OpenStack Block storage service. This is a spin out
of nova-volumes."
@@ -43,6 +43,10 @@ RDEPEND="=dev-python/amqplib-0.6.1
<dev-python/python-glanceclient-2
>=dev-python/python-keystoneclient-0.2.0"
+src_prepare() {
+ epatch "${FILESDIR}/cinder-2012.2-CVE-2013-1664.patch"
+}
+
python_install() {
distutils-r1_python_install
keepdir /etc/cinder
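Review bot: Defining `src_prepare()` in this hunk replaces the phase function that `distutils-r1` exports, so the eclass's own prepare step is no longer run for this ebuild. Either chain to it after patching by adding `distutils-r1_src_prepare` as the last line of the function, or drop the override and let the eclass apply the patch with `PATCHES=( "${FILESDIR}/cinder-2012.2-CVE-2013-1664.patch" )`. A one-line comment above it, such as `# CVE-2013-1664: XML entity expansion in API request parsing, bug 458332`, would tell the next maintainer when the patch can be removed. `python_install` continues outside the hunk and is not reviewed here.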
diff --git a/sys-cluster/cinder/files/cinder-2012.2-CVE-2013-1664.patch b/sys-cluster/cinder/files/cinder-2012.2-CVE-2013-1664.patch
new file mode 100644
index 000000000000..93ab272c5088
--- /dev/null
+++ b/sys-cluster/cinder/files/cinder-2012.2-CVE-2013-1664.patch
@@ -0,0 +1,253 @@
+From: Dan Prince <dprince@redhat.com>
+Date: Mon, 4 Feb 2013 03:25:12 +0000 (-0500)
+Subject: Add a safe_minidom_parse_string function.
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fcinder.git;a=commitdiff_plain;h=fcf249d1f06938280d841cb13b61556971a58e0c
+
+Add a safe_minidom_parse_string function.
+
+Adds a new utils.safe_minidom_parse_string function and
+updates external API facing Cinder modules to use it.
+This ensures we have safe defaults on our incoming API XML parsing.
+
+Internally safe_minidom_parse_string uses a ProtectedExpatParser
+class to disable DTDs and entities from being parsed when using
+minidom.
+
+Fixes LP Bug #1100282 for Folsom.
+
+Change-Id: Ie8ae7a6e12fbf51de406d10ca21072140374abf5
+---
+
+diff --git a/cinder/api/openstack/common.py b/cinder/api/openstack/common.py
+index 255a0a7..91e488f 100644
+--- a/cinder/api/openstack/common.py
++++ b/cinder/api/openstack/common.py
+@@ -25,6 +25,7 @@ from cinder import flags
+ from cinder.api.openstack import wsgi
+ from cinder.api.openstack import xmlutil
+ from cinder.openstack.common import log as logging
++from cinder import utils
+
+
+ LOG = logging.getLogger(__name__)
+@@ -247,7 +248,7 @@ class ViewBuilder(object):
+
+ class MetadataDeserializer(wsgi.MetadataXMLDeserializer):
+ def deserialize(self, text):
+- dom = minidom.parseString(text)
++ dom = utils.safe_minidom_parse_string(text)
+ metadata_node = self.find_first_child_named(dom, "metadata")
+ metadata = self.extract_metadata(metadata_node)
+ return {'body': {'metadata': metadata}}
+@@ -255,7 +256,7 @@ class MetadataDeserializer(wsgi.MetadataXMLDeserializer):
+
+ class MetaItemDeserializer(wsgi.MetadataXMLDeserializer):
+ def deserialize(self, text):
+- dom = minidom.parseString(text)
++ dom = utils.safe_minidom_parse_string(text)
+ metadata_item = self.extract_metadata(dom)
+ return {'body': {'meta': metadata_item}}
+
+@@ -273,7 +274,7 @@ class MetadataXMLDeserializer(wsgi.XMLDeserializer):
+ return metadata
+
+ def _extract_metadata_container(self, datastring):
+- dom = minidom.parseString(datastring)
++ dom = utils.safe_minidom_parse_string(datastring)
+ metadata_node = self.find_first_child_named(dom, "metadata")
+ metadata = self.extract_metadata(metadata_node)
+ return {'body': {'metadata': metadata}}
+@@ -285,7 +286,7 @@ class MetadataXMLDeserializer(wsgi.XMLDeserializer):
+ return self._extract_metadata_container(datastring)
+
+ def update(self, datastring):
+- dom = minidom.parseString(datastring)
++ dom = utils.safe_minidom_parse_string(datastring)
+ metadata_item = self.extract_metadata(dom)
+ return {'body': {'meta': metadata_item}}
+
+diff --git a/cinder/api/openstack/volume/contrib/volume_actions.py b/cinder/api/openstack/volume/contrib/volume_actions.py
+index 5c62766..eac8f17 100644
+--- a/cinder/api/openstack/volume/contrib/volume_actions.py
++++ b/cinder/api/openstack/volume/contrib/volume_actions.py
+@@ -13,7 +13,6 @@
+ # under the License.
+
+ import webob
+-from xml.dom import minidom
+
+ from cinder.api.openstack import extensions
+ from cinder.api.openstack import wsgi
+@@ -23,6 +22,7 @@ from cinder import exception
+ from cinder import flags
+ from cinder.openstack.common import log as logging
+ from cinder.openstack.common.rpc import common as rpc_common
++from cinder import utils
+
+
+ FLAGS = flags.FLAGS
+@@ -54,7 +54,7 @@ class VolumeToImageSerializer(xmlutil.TemplateBuilder):
+ class VolumeToImageDeserializer(wsgi.XMLDeserializer):
+ """Deserializer to handle xml-formatted requests"""
+ def default(self, string):
+- dom = minidom.parseString(string)
++ dom = utils.safe_minidom_parse_string(string)
+ action_node = dom.childNodes[0]
+ action_name = action_node.tagName
+
+diff --git a/cinder/api/openstack/volume/volumes.py b/cinder/api/openstack/volume/volumes.py
+index 2c6852b..675c51f 100644
+--- a/cinder/api/openstack/volume/volumes.py
++++ b/cinder/api/openstack/volume/volumes.py
+@@ -17,7 +17,6 @@
+
+ from webob import exc
+ import webob
+-from xml.dom import minidom
+
+ from cinder.api.openstack import common
+ from cinder.api.openstack import wsgi
+@@ -194,7 +193,7 @@ class CreateDeserializer(CommonDeserializer):
+
+ def default(self, string):
+ """Deserialize an xml-formatted volume create request."""
+- dom = minidom.parseString(string)
++ dom = utils.safe_minidom_parse_string(string)
+ volume = self._extract_volume(dom)
+ return {'body': {'volume': volume}}
+
+diff --git a/cinder/api/openstack/wsgi.py b/cinder/api/openstack/wsgi.py
+index fa0baea..6a19e02 100644
+--- a/cinder/api/openstack/wsgi.py
++++ b/cinder/api/openstack/wsgi.py
+@@ -24,6 +24,7 @@ from cinder import exception
+ from cinder import wsgi
+ from cinder.openstack.common import log as logging
+ from cinder.openstack.common import jsonutils
++from cinder import utils
+
+ from lxml import etree
+ from xml.dom import minidom
+@@ -151,7 +152,7 @@ class XMLDeserializer(TextDeserializer):
+ plurals = set(self.metadata.get('plurals', {}))
+
+ try:
+- node = minidom.parseString(datastring).childNodes[0]
++ node = utils.safe_minidom_parse_string(datastring).childNodes[0]
+ return {node.nodeName: self._from_xml_node(node, plurals)}
+ except expat.ExpatError:
+ msg = _("cannot understand XML")
+@@ -548,7 +549,7 @@ def action_peek_json(body):
+ def action_peek_xml(body):
+ """Determine action to invoke."""
+
+- dom = minidom.parseString(body)
++ dom = utils.safe_minidom_parse_string(body)
+ action_node = dom.childNodes[0]
+
+ return action_node.tagName
+diff --git a/cinder/tests/test_utils.py b/cinder/tests/test_utils.py
+index 92be797..c7cf47d 100644
+--- a/cinder/tests/test_utils.py
++++ b/cinder/tests/test_utils.py
+@@ -423,6 +423,39 @@ class GenericUtilsTestCase(test.TestCase):
+ result = utils.service_is_up(service)
+ self.assertFalse(result)
+
++ def test_safe_parse_xml(self):
++
++ normal_body = ("""
++ <?xml version="1.0" ?><foo>
++ <bar>
++ <v1>hey</v1>
++ <v2>there</v2>
++ </bar>
++ </foo>""").strip()
++
++ def killer_body():
++ return (("""<!DOCTYPE x [
++ <!ENTITY a "%(a)s">
++ <!ENTITY b "%(b)s">
++ <!ENTITY c "%(c)s">]>
++ <foo>
++ <bar>
++ <v1>%(d)s</v1>
++ </bar>
++ </foo>""") % {
++ 'a': 'A' * 10,
++ 'b': '&a;' * 10,
++ 'c': '&b;' * 10,
++ 'd': '&c;' * 9999,
++ }).strip()
++
++ dom = utils.safe_minidom_parse_string(normal_body)
++ self.assertEqual(normal_body, str(dom.toxml()))
++
++ self.assertRaises(ValueError,
++ utils.safe_minidom_parse_string,
++ killer_body())
++
+ def test_xhtml_escape(self):
+ self.assertEqual('&quot;foo&quot;', utils.xhtml_escape('"foo"'))
+ self.assertEqual('&apos;foo&apos;', utils.xhtml_escape("'foo'"))
+diff --git a/cinder/utils.py b/cinder/utils.py
+index 100bbd6..6733369 100644
+--- a/cinder/utils.py
++++ b/cinder/utils.py
+@@ -42,6 +42,10 @@ import time
+ import types
+ import uuid
+ import warnings
++from xml.dom import minidom
++from xml.parsers import expat
++from xml import sax
++from xml.sax import expatreader
+ from xml.sax import saxutils
+
+ from eventlet import event
+@@ -542,6 +546,46 @@ class LoopingCall(object):
+ return self.done.wait()
+
+
++class ProtectedExpatParser(expatreader.ExpatParser):
++ """An expat parser which disables DTD's and entities by default."""
++
++ def __init__(self, forbid_dtd=True, forbid_entities=True,
++ *args, **kwargs):
++ # Python 2.x old style class
++ expatreader.ExpatParser.__init__(self, *args, **kwargs)
++ self.forbid_dtd = forbid_dtd
++ self.forbid_entities = forbid_entities
++
++ def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
++ raise ValueError("Inline DTD forbidden")
++
++ def entity_decl(self, entityName, is_parameter_entity, value, base,
++ systemId, publicId, notationName):
++ raise ValueError("<!ENTITY> forbidden")
++
++ def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
++ # expat 1.2
++ raise ValueError("<!ENTITY> forbidden")
++
++ def reset(self):
++ expatreader.ExpatParser.reset(self)
++ if self.forbid_dtd:
++ self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
++ if self.forbid_entities:
++ self._parser.EntityDeclHandler = self.entity_decl
++ self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
++
++
++def safe_minidom_parse_string(xml_string):
++ """Parse an XML string using minidom safely.
++
++ """
++ try:
++ return minidom.parseString(xml_string, parser=ProtectedExpatParser())
++ except sax.SAXParseException as se:
++ raise expat.ExpatError()
++
++
+ def xhtml_escape(value):
+ """Escapes a string so it is valid within XML or XHTML.
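Review bot: In `safe_minidom_parse_string` the DTD and entity handlers of `ProtectedExpatParser` raise `ValueError`, but the only error handling visible at a converted call site is `except expat.ExpatError` in the `XMLDeserializer` hunk of wsgi.py, and the other callers (`action_peek_xml`, the metadata deserializers) show no handler at all. A request body that carries a DOCTYPE is therefore stopped by the parser but will probably surface as an unhandled exception rather than a malformed-request response, unless code outside these hunks catches `ValueError`. Consider translating it inside the helper with `except (ValueError, sax.SAXParseException): raise expat.ExpatError()` and adjusting `test_safe_parse_xml` to expect that type; the bound name `se` is unused, and the helper's docstring should state which exception callers must handle. Separately, the volumes.py hunk removes `from xml.dom import minidom` and calls `utils.safe_minidom_parse_string` without adding `from cinder import utils` as the other files do, so confirm that module already imports `utils`.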