author | Matthew Thode <prometheanfire@gentoo.org> | 2014-01-20 05:41:12 +0000 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2014-01-20 05:41:12 +0000 |
commit | b32adb402a2bc61a47ce5314ea3bb79657bb02f2 (patch) | |
tree | 88e1510aa965679dc47064b69872875864d2b56b /sys-cluster/swift | |
parent | [net-libs/libmbim] Initial import as modemmanager dep (diff) | |
download | gentoo-2-b32adb402a2bc61a47ce5314ea3bb79657bb02f2.tar.gz gentoo-2-b32adb402a2bc61a47ce5314ea3bb79657bb02f2.tar.bz2 gentoo-2-b32adb402a2bc61a47ce5314ea3bb79657bb02f2.zip |
update for bug 498544 CVE-2014-0006 and fixing testing
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-cluster/swift')
-rw-r--r-- | sys-cluster/swift/ChangeLog | 11 | ||||
-rw-r--r-- | sys-cluster/swift/files/CVE-2014-0006-havana.diff | 51 | ||||
-rw-r--r-- | sys-cluster/swift/files/CVE-2014-0006-master.diff | 28 | ||||
-rw-r--r-- | sys-cluster/swift/swift-1.10.0-r1.ebuild (renamed from sys-cluster/swift/swift-1.10.0.ebuild) | 7 | ||||
-rw-r--r-- | sys-cluster/swift/swift-1.11.0-r1.ebuild (renamed from sys-cluster/swift/swift-1.11.0.ebuild) | 9 |
5 files changed, 100 insertions, 6 deletions
diff --git a/sys-cluster/swift/ChangeLog b/sys-cluster/swift/ChangeLog index 6060c9d7d62c..7dbd395f73f6 100644 --- a/sys-cluster/swift/ChangeLog +++ b/sys-cluster/swift/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for sys-cluster/swift # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/swift/ChangeLog,v 1.23 2014/01/08 05:59:48 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/swift/ChangeLog,v 1.24 2014/01/20 05:41:12 prometheanfire Exp $ + +*swift-1.10.0-r1 (20 Jan 2014) +*swift-1.11.0-r1 (20 Jan 2014) + + 20 Jan 2014; Matthew Thode <prometheanfire@gentoo.org> + +files/CVE-2014-0006-havana.diff, +files/CVE-2014-0006-master.diff, + +swift-1.10.0-r1.ebuild, +swift-1.11.0-r1.ebuild, -swift-1.10.0.ebuild, + -swift-1.11.0.ebuild: + update for bug 498544 CVE-2014-0006 and fixing testing 08 Jan 2014; Mike Frysinger <vapier@gentoo.org> swift-1.10.0.ebuild, swift-1.11.0.ebuild, swift-2013.1.9999.ebuild, swift-2013.2.9999.ebuild, diff --git a/sys-cluster/swift/files/CVE-2014-0006-havana.diff b/sys-cluster/swift/files/CVE-2014-0006-havana.diff new file mode 100644 index 000000000000..e0c0634f6e1c --- /dev/null +++ b/sys-cluster/swift/files/CVE-2014-0006-havana.diff 
@@ -0,0 +1,51 @@ +commit 6c378b4b65524ea3b485c47d829ed0aebbdb86c0 +Author: Samuel Merritt <sam@swiftstack.com> +Date: Fri Jan 3 09:26:11 2014 -0800 + + Backported tempurl const time compare for 1.10.0 + + Change-Id: I6db8f9a568dab8403ed74a83ba0c9548f06425e1 + +diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py +index ffc1431..ae2f4a1 100644 +--- a/swift/common/middleware/tempurl.py ++++ b/swift/common/middleware/tempurl.py +@@ -98,7 +98,7 @@ from urlparse import parse_qs + + from swift.proxy.controllers.base import get_account_info + from swift.common.swob import HeaderKeyDict +-from swift.common.utils import split_path ++from swift.common.utils import split_path, streq_const_time + + + #: Default headers to remove from incoming requests. Simply a whitespace +@@ -267,17 +267,20 @@ class TempURL(object): + if not keys: + return self._invalid(env, start_response) + if env['REQUEST_METHOD'] == 'HEAD': +- hmac_vals = self._get_hmacs(env, temp_url_expires, keys, +- request_method='GET') +- if temp_url_sig not in hmac_vals: +- hmac_vals = self._get_hmacs(env, temp_url_expires, keys, +- request_method='PUT') +- if temp_url_sig not in hmac_vals: +- return self._invalid(env, start_response) ++ hmac_vals = (self._get_hmacs(env, temp_url_expires, keys, ++ request_method='GET') + ++ self._get_hmacs(env, temp_url_expires, keys, ++ request_method='PUT')) + else: + hmac_vals = self._get_hmacs(env, temp_url_expires, keys) +- if temp_url_sig not in hmac_vals: +- return self._invalid(env, start_response) ++ ++ # While it's true that any() will short-circuit, this doesn't affect ++ # the timing-attack resistance since the only way this will ++ # short-circuit is when a valid signature is passed in. 
++ is_valid_hmac = any(streq_const_time(temp_url_sig, h) ++ for h in hmac_vals) ++ if not is_valid_hmac: ++ return self._invalid(env, start_response) + self._clean_incoming_headers(env) + env['swift.authorize'] = lambda req: None + env['swift.authorize_override'] = True diff --git a/sys-cluster/swift/files/CVE-2014-0006-master.diff b/sys-cluster/swift/files/CVE-2014-0006-master.diff new file mode 100644 index 000000000000..bf545908434b --- /dev/null +++ b/sys-cluster/swift/files/CVE-2014-0006-master.diff @@ -0,0 +1,28 @@ +diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py +index c9b9d94..5748694 100644 +--- a/swift/common/middleware/tempurl.py ++++ b/swift/common/middleware/tempurl.py +@@ -106,7 +106,7 @@ from urlparse import parse_qs + from swift.proxy.controllers.base import get_account_info + from swift.common.swob import HeaderKeyDict, HTTPUnauthorized + from swift.common.utils import split_path, get_valid_utf8_str, \ +- register_swift_info, get_hmac ++ register_swift_info, get_hmac, streq_const_time + + + #: Default headers to remove from incoming requests. Simply a whitespace +@@ -284,7 +284,13 @@ class TempURL(object): + request_method='PUT')) + else: + hmac_vals = self._get_hmacs(env, temp_url_expires, keys) +- if temp_url_sig not in hmac_vals: ++ ++ # While it's true that any() will short-circuit, this doesn't affect ++ # the timing-attack resistance since the only way this will ++ # short-circuit is when a valid signature is passed in. ++ is_valid_hmac = any(streq_const_time(temp_url_sig, hmac) ++ for hmac in hmac_vals) ++ if not is_valid_hmac: + return self._invalid(env, start_response) + self._clean_incoming_headers(env) + env['swift.authorize'] = lambda req: None diff --git a/sys-cluster/swift/swift-1.10.0.ebuild b/sys-cluster/swift/swift-1.10.0-r1.ebuild index 1747ea78b10f..6e44a87e9042 100644 --- a/sys-cluster/swift/swift-1.10.0.ebuild +++ b/sys-cluster/swift/swift-1.10.0-r1.ebuild 
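Review bot: The comment above `is_valid_hmac` in the havana backport explains why the `any()` short-circuit is harmless, but not why the old `temp_url_sig not in hmac_vals` test had to go, so a later cleanup could quietly reintroduce it. I would add one line to that comment, such as `# Never compare with "in" or "==": string equality stops at the first differing character, so response time reveals how much of the signature matched.` The same comment block appears in the CVE-2014-0006-master.diff hunk and would take the same addition. The constant-time property rests entirely on `streq_const_time`, whose body is not visible here, and the enclosing TempURL method starts and ends outside the hunk.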
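Review bot: In the master patch the generator binds its loop variable as `hmac` (`for hmac in hmac_vals`), which is the name of the standard-library module; the havana backport of the same fix uses `h`. Whether this file still imports `hmac` is not visible in the hunk, but the shadowing invites confusion in a method that handles HMACs throughout. I would write `is_valid_hmac = any(streq_const_time(temp_url_sig, h) for h in hmac_vals)` so that both patches read the same. The enclosing method continues outside the hunk.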
@@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/swift/swift-1.10.0.ebuild,v 1.4 2014/01/08 05:59:48 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/swift/swift-1.10.0-r1.ebuild,v 1.1 2014/01/20 05:41:12 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -49,6 +49,8 @@ CONFIG_CHECK="~EXT3_FS_XATTR ~SQUASHFS_XATTR ~CIFS_XATTR ~JFFS2_FS_XATTR ~TMPFS_XATTR ~UBIFS_FS_XATTR ~EXT2_FS_XATTR ~REISERFS_FS_XATTR ~EXT4_FS_XATTR ~ZFS" +PATCHES=( "${FILESDIR}/CVE-2014-0006-havana.diff" ) + pkg_setup() { enewuser swift enewgroup swift @@ -57,12 +59,13 @@ pkg_setup() { src_prepare() { sed -i 's/xattr/pyxattr/g' "${S}/swift.egg-info/requires.txt" sed -i 's/xattr/pyxattr/g' "${S}/requirements.txt" + distutils-r1_python_prepare_all } src_test () { # https://bugs.launchpad.net/swift/+bug/1249727 find . \( -name test_wsgi.py -o -name test_locale.py \) -delete || die - sh .unittests || die + SKIP_PIP_INSTALL=1 PBR_VERSION=0.5.23 sh .unittests || die } python_install() { diff --git a/sys-cluster/swift/swift-1.11.0.ebuild b/sys-cluster/swift/swift-1.11.0-r1.ebuild index 8800b9f22215..b2bc8d26c74c 100644 --- a/sys-cluster/swift/swift-1.11.0.ebuild +++ b/sys-cluster/swift/swift-1.11.0-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/swift/swift-1.11.0.ebuild,v 1.2 2014/01/08 05:59:48 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/swift/swift-1.11.0-r1.ebuild,v 1.1 2014/01/20 05:41:12 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) 
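Review bot: The CVE patch listed in `PATCHES` appears to be applied only because the `@@ -57,12 +59,13 @@` hunk adds `distutils-r1_python_prepare_all` to a hand-written `src_prepare()`; if that call is ever dropped, the ebuild would most likely still build, just unpatched. The distutils-r1 convention is to put the two `sed` lines in `python_prepare_all()` and end it with `distutils-r1_python_prepare_all`, leaving `src_prepare` to the eclass. The new `SKIP_PIP_INSTALL=1 PBR_VERSION=0.5.23` in `src_test` also deserves a short comment saying why the version is pinned to that value. The swift-1.11.0-r1.ebuild hunk at `@@ -57,12 +59,13 @@` has the same two points.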
@@ -49,6 +49,8 @@ CONFIG_CHECK="~EXT3_FS_XATTR ~SQUASHFS_XATTR ~CIFS_XATTR ~JFFS2_FS_XATTR ~TMPFS_XATTR ~UBIFS_FS_XATTR ~EXT2_FS_XATTR ~REISERFS_FS_XATTR ~EXT4_FS_XATTR ~ZFS" +PATCHES=( "${FILESDIR}/CVE-2014-0006-master.diff" ) + pkg_setup() { enewuser swift enewgroup swift @@ -57,12 +59,13 @@ pkg_setup() { src_prepare() { sed -i 's/xattr/pyxattr/g' "${S}/swift.egg-info/requires.txt" sed -i 's/xattr/pyxattr/g' "${S}/requirements.txt" + distutils-r1_python_prepare_all } src_test () { # https://bugs.launchpad.net/swift/+bug/1249727 find . \( -name test_wsgi.py -o -name test_locale.py \) -delete || die - sh .unittests || die + SKIP_PIP_INSTALL=1 PBR_VERSION=0.5.23 sh .unittests || die } python_install() { @@ -71,7 +74,7 @@ python_install() { insinto /etc/swift newins "etc/swift.conf-sample" "swift.conf" - newins "etc/swift-bench.conf-sample" "swift-bench.conf-sample" +# newins "etc/swift-bench.conf-sample" "swift-bench.conf-sample" newins "etc/rsyncd.conf-sample" "rsyncd.conf" newins "etc/mime.types-sample" "mime.types-sample" newins "etc/memcache.conf-sample" "memcache.conf-sample" |
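Review bot: The `@@ -71,7 +74,7 @@` hunk disables the `swift-bench.conf-sample` install by commenting out the `newins` line, with no reason given here or in the ChangeLog entry. Presumably the sample file is no longer shipped in the 1.11.0 tarball, but that is an inference from the change. Either delete the line outright or keep it with a stated reason, e.g. `# swift-bench.conf-sample not installed for 1.11.0: <reason>`. The `python_install()` body continues outside the hunk.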