commit:     4c6618086e16e704df31113b279e7ea4395bd41a
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Jun 30 23:52:50 2016 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Jun 30 23:52:50 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c661808

sys-cluster/ceph: Revision bump to 9.2.1-r2 and 10.2.2-r1 for CVE-2016-5009 
(bug #587568)

Package-Manager: portage-2.3.0

 sys-cluster/ceph/ceph-10.2.2-r1.ebuild          | 263 ++++++++++++++++++++++++
 sys-cluster/ceph/ceph-9.2.1-r2.ebuild           | 193 +++++++++++++++++
 sys-cluster/ceph/files/ceph-CVE-2016-5009.patch |  87 ++++++++
 3 files changed, 543 insertions(+)

diff --git a/sys-cluster/ceph/ceph-10.2.2-r1.ebuild 
b/sys-cluster/ceph/ceph-10.2.2-r1.ebuild
new file mode 100644
index 0000000..276f496
--- /dev/null
+++ b/sys-cluster/ceph/ceph-10.2.2-r1.ebuild
@@ -0,0 +1,263 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+PYTHON_COMPAT=( python{2_7,3_{4,5}} )
+
+inherit check-reqs autotools eutils python-r1 udev user \
+       readme.gentoo-r1 systemd versionator flag-o-matic
+
+if [[ ${PV} == *9999* ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="
+               git://github.com/ceph/ceph.git
+               https://github.com/ceph/ceph.git";
+       SRC_URI=""
+else
+       SRC_URI="http://ceph.com/download/${P}.tar.gz";
+       KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+fi
+
+DESCRIPTION="Ceph distributed filesystem"
+HOMEPAGE="http://ceph.com/";
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+
+IUSE="babeltrace cephfs cryptopp debug fuse gtk jemalloc ldap +libaio"
+IUSE+=" libatomic lttng +nss +radosgw static-libs tcmalloc test xfs zfs"
+
+# unbundling code commented out pending bugs 584056 and 584058
+#>=dev-libs/jerasure-2.0.0-r1
+#>=dev-libs/gf-complete-2.0.0
+COMMON_DEPEND="
+       app-arch/snappy
+       app-arch/lz4:=
+       app-arch/bzip2
+       dev-libs/boost:=[threads]
+       dev-libs/libaio
+       dev-libs/leveldb[snappy]
+       nss? ( dev-libs/nss )
+       libatomic? ( dev-libs/libatomic_ops )
+       cryptopp? ( dev-libs/crypto++ )
+       sys-apps/keyutils
+       sys-apps/util-linux
+       dev-libs/libxml2
+       radosgw? ( dev-libs/fcgi )
+       ldap? ( net-nds/openldap )
+       babeltrace? ( dev-util/babeltrace )
+       fuse? ( sys-fs/fuse )
+       xfs? ( sys-fs/xfsprogs )
+       zfs? ( sys-fs/zfs )
+       gtk? (
+               x11-libs/gtk+:2
+               dev-cpp/gtkmm:2.4
+               gnome-base/librsvg
+       )
+       radosgw? (
+               dev-libs/fcgi
+               dev-libs/expat
+               net-misc/curl
+       )
+       jemalloc? ( dev-libs/jemalloc )
+       !jemalloc? ( dev-util/google-perftools )
+       lttng? ( dev-util/lttng-ust )
+       ${PYTHON_DEPS}
+       "
+DEPEND="${COMMON_DEPEND}
+       dev-python/cython[${PYTHON_USEDEP}]
+       app-arch/cpio
+       sys-apps/lsb-release
+       virtual/pkgconfig
+       dev-python/sphinx
+       test? (
+               sys-fs/btrfs-progs
+               sys-apps/grep[pcre]
+               dev-python/tox[${PYTHON_USEDEP}]
+               dev-python/virtualenv[${PYTHON_USEDEP}]
+       )"
+RDEPEND="${COMMON_DEPEND}
+       sys-apps/hdparm
+       sys-block/parted
+       sys-fs/cryptsetup
+       sys-apps/gptfdisk
+       dev-python/flask[${PYTHON_USEDEP}]
+       dev-python/requests[${PYTHON_USEDEP}]
+       "
+REQUIRED_USE="
+       $(python_gen_useflags 'python2*')
+       ${PYTHON_REQUIRED_USE}
+       ^^ ( nss cryptopp )
+       ?? ( jemalloc tcmalloc )
+       "
+
+# work around bug in ceph compilation (rgw/ceph_dencoder-rgw_dencoder.o... 
undefined reference to `vtable for RGWZoneGroup')
+REQUIRED_USE+="        radosgw"
+
+RESTRICT="test? ( userpriv )"
+
+# distribution tarball does not include everything needed for tests
+RESTRICT+=" test"
+
+STRIP_MASK="/usr/lib*/rados-classes/*"
+
+UNBUNDLE_LIBS=(
+       src/erasure-code/jerasure/jerasure
+       src/erasure-code/jerasure/gf-complete
+)
+
+PATCHES=(
+       "${FILESDIR}/ceph-10.2.0-dont-use-virtualenvs.patch"
+       #"${FILESDIR}/ceph-10.2.1-unbundle-jerasure.patch"
+       "${FILESDIR}/${PN}-10.2.1-libzfs.patch"
+       
"${FILESDIR}/${PN}-10.2.1-armv7l-doesnt-support-momit-leaf-frame-pointer.patch"
+       "${FILESDIR}/${PN}-CVE-2016-5009.patch"
+)
+
+check-reqs_export_vars() {
+       if use debug; then
+               CHECKREQS_DISK_BUILD="23G"
+               CHECKREQS_DISK_USR="7G"
+       elif use amd64; then
+               CHECKREQS_DISK_BUILD="12G"
+               CHECKREQS_DISK_USR="450M"
+       else
+               CHECKREQS_DISK_BUILD="1400M"
+               CHECKREQS_DISK_USR="450M"
+       fi
+
+       export CHECKREQS_DISK_BUILD CHECKREQS_DISK_USR
+}
+
+user_setup() {
+       enewgroup ceph
+       enewuser ceph -1 -1 /var/lib/ceph ceph
+}
+
+emake_python_bindings() {
+       local action="${1}" params binding
+       shift
+       params=("${@}")
+
+       __emake_python_bindings_do_impl() {
+               emake "${params[@]}" PYTHON="${EPYTHON}" 
"${binding}-pybind-${action}"
+
+               # these don't work and aren't needed on python3
+               if [[ ${EBUILD_PHASE} == install ]] && python_is_python3; then
+                       rm -f 
"${ED}/$(python_get_sitedir)"/ceph_{argparse,volume_client}.py
+               fi
+       }
+
+       pushd "${S}/src"
+       for binding in rados rbd $(use cephfs && echo cephfs); do
+               python_foreach_impl __emake_python_bindings_do_impl
+       done
+       popd
+
+       unset __emake_python_bindings_do_impl
+}
+
+pkg_pretend() {
+       check-reqs_export_vars
+       check-reqs_pkg_pretend
+}
+
+pkg_setup() {
+       python_setup
+       check-reqs_export_vars
+       check-reqs_pkg_setup
+       user_setup
+}
+
+src_prepare() {
+       default
+
+       # remove tests that need root access
+       rm src/test/cli/ceph-authtool/cap*.t
+
+       #rm -rf "${UNBUNDLE_LIBS[@]}"
+
+       append-flags -fPIC
+       eautoreconf
+}
+
+src_configure() {
+       local myeconfargs=(
+               --without-hadoop
+               --includedir=/usr/include
+               $(use_with cephfs)
+               $(use_with debug)
+               $(use_with fuse)
+               $(use_with libaio)
+               $(use_with libatomic libatomic-ops)
+               $(use_with nss)
+               $(use_with cryptopp)
+               $(use_with radosgw)
+               $(use_with gtk gtk2)
+               $(use_enable static-libs static)
+               $(use_with jemalloc)
+               $(use_with xfs libxfs)
+               $(use_with zfs libzfs)
+               $(use_with lttng )
+               $(use_with babeltrace)
+               $(use_with ldap openldap)
+               $(use jemalloc || usex tcmalloc " --with-tcmalloc" " 
--with-tcmalloc-minimal")
+               --with-mon
+               --with-eventfd
+               --with-cython
+               --without-kinetic
+               --without-librocksdb
+               --with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+       )
+
+       # we can only use python2.7 for building at the moment
+       python_export python2.7 PYTHON EPYTHON
+       econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+       emake
+       emake_python_bindings all
+
+       use test && emake check-local
+}
+
+src_test() {
+       make check || die "make check failed"
+}
+
+src_install() {
+       default
+       emake_python_bindings install-exec "DESTDIR=\"${D}\""
+
+       prune_libtool_files --all
+
+       exeinto /usr/$(get_libdir)/ceph
+       newexe src/init-ceph ceph_init.sh
+
+       insinto /etc/logrotate.d/
+       newins "${FILESDIR}"/ceph.logrotate ${PN}
+
+       keepdir /var/lib/${PN}{,/tmp} /var/log/${PN}/stat
+
+       fowners ceph:ceph /var/lib/ceph
+
+       newinitd "${FILESDIR}/rbdmap.initd" rbdmap
+       newinitd "${FILESDIR}/${PN}.initd-r2" ${PN}
+       newconfd "${FILESDIR}/${PN}.confd-r1" ${PN}
+
+       systemd_install_serviced "${FILESDIR}/ceph-mds_at.service.conf" 
"ceph-mds@.service"
+       systemd_install_serviced "${FILESDIR}/ceph-osd_at.service.conf" 
"ceph-osd@.service"
+       systemd_install_serviced "${FILESDIR}/ceph-mon_at.service.conf" 
"ceph-mon@.service"
+
+       python_fix_shebang "${ED}"/usr/{,s}bin/
+
+       udev_dorules udev/*.rules
+
+       readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+       readme.gentoo_print_elog
+}
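Review bot: `EGIT_REPO_URI` lists `git://github.com/ceph/ceph.git` ahead of the https URL, and the git:// transport is neither authenticated nor encrypted. A live (9999) build has no Manifest digest, so nothing else would catch a tampered fetch; I would keep only `https://github.com/ceph/ceph.git` in that branch. The release `SRC_URI="http://ceph.com/download/${P}.tar.gz"` is also plain HTTP, which leaves the Manifest checksums as the only integrity check, so an https location would be preferable if upstream offers one. The same URI lists appear in ceph-9.2.1-r2.ebuild.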

diff --git a/sys-cluster/ceph/ceph-9.2.1-r2.ebuild 
b/sys-cluster/ceph/ceph-9.2.1-r2.ebuild
new file mode 100644
index 0000000..494094e
--- /dev/null
+++ b/sys-cluster/ceph/ceph-9.2.1-r2.ebuild
@@ -0,0 +1,193 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+if [[ $PV = *9999* ]]; then
+       scm_eclass=git-r3
+       EGIT_REPO_URI="
+               git://github.com/ceph/ceph.git
+               https://github.com/ceph/ceph.git";
+       SRC_URI=""
+else
+       SRC_URI="http://ceph.com/download/${P}.tar.gz";
+fi
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+
+inherit check-reqs autotools eutils multilib python-single-r1 udev user 
readme.gentoo systemd versionator ${scm_eclass}
+
+DESCRIPTION="Ceph distributed filesystem"
+HOMEPAGE="http://ceph.com/";
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="babeltrace cryptopp debug fuse gtk libatomic +libaio lttng +nss radosgw 
static-libs jemalloc tcmalloc xfs zfs"
+
+COMMON_DEPEND="
+       app-arch/snappy
+       dev-libs/boost:=[threads]
+       dev-libs/fcgi
+       dev-libs/libaio
+       dev-libs/libedit
+       dev-libs/leveldb[snappy]
+       nss? ( dev-libs/nss )
+       cryptopp? ( dev-libs/crypto++ )
+       sys-apps/keyutils
+       sys-apps/util-linux
+       dev-libs/libxml2
+       babeltrace? ( dev-util/babeltrace )
+       fuse? ( sys-fs/fuse )
+       libatomic? ( dev-libs/libatomic_ops )
+       xfs? ( sys-fs/xfsprogs )
+       zfs? ( sys-fs/zfs )
+       gtk? (
+               x11-libs/gtk+:2
+               dev-cpp/gtkmm:2.4
+               gnome-base/librsvg
+       )
+       radosgw? (
+               dev-libs/fcgi
+               dev-libs/expat
+               net-misc/curl
+       )
+       jemalloc? ( dev-libs/jemalloc )
+       !jemalloc? ( dev-util/google-perftools )
+       lttng? ( dev-util/lttng-ust )
+       ${PYTHON_DEPS}
+       "
+DEPEND="${COMMON_DEPEND}
+       virtual/pkgconfig"
+RDEPEND="${COMMON_DEPEND}
+       sys-apps/hdparm
+       dev-python/flask[${PYTHON_USEDEP}]
+       dev-python/requests[${PYTHON_USEDEP}]
+       "
+REQUIRED_USE="
+       ${PYTHON_REQUIRED_USE}
+       ^^ ( nss cryptopp )
+       ?? ( jemalloc tcmalloc )
+       "
+
+STRIP_MASK="/usr/lib*/rados-classes/*"
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-0.79-libzfs.patch
+       "${FILESDIR}"/${P}-libxfs.patch
+)
+
+check-reqs_export_vars() {
+       # check-reqs does not support use flags, and there is a lot of 
variability
+       # in Ceph.
+       # 16G     /var/tmp/portage/sys-cluster/ceph-9999-r1/work/ceph-9999
+       # 6.7G    /var/tmp/portage/sys-cluster/ceph-9999-r1/image/usr
+       # 23G     /var/tmp/portage/sys-cluster/ceph-9999-r1
+       # Size requirements tested for Hammer & Jewel releases
+       if use debug; then
+               export CHECKREQS_DISK_BUILD="23G"
+               export CHECKREQS_DISK_USR="7G"
+       else
+               export CHECKREQS_DISK_BUILD="9G"
+               export CHECKREQS_DISK_USR="450M"
+       fi
+
+       export CHECKREQS_MEMORY="7G"
+}
+
+user_setup() {
+       enewgroup ceph
+       enewuser ceph -1 -1 /var/lib/ceph ceph
+}
+
+pkg_setup() {
+       python_setup
+       check-reqs_export_vars
+       check-reqs_pkg_setup
+       user_setup
+}
+
+src_prepare() {
+       [[ ${PATCHES[@]} ]] && epatch "${PATCHES[@]}"
+
+       epatch_user
+       eautoreconf
+}
+
+pkg_pretend() {
+       check-reqs_export_vars
+       check-reqs_pkg_pretend
+}
+
+src_configure() {
+       local myeconfargs=(
+               --without-hadoop
+               --docdir="${EPREFIX}/usr/share/doc/${PF}"
+               --includedir=/usr/include
+               $(use_with debug)
+               $(use_with fuse)
+               $(use_with libaio)
+               $(use_with libatomic libatomic-ops)
+               $(use_with nss)
+               $(use_with cryptopp)
+               $(use_with radosgw)
+               $(use_with gtk gtk2)
+               $(use_enable static-libs static)
+               $(use_with jemalloc)
+               $(use_with xfs libxfs)
+               $(use_with zfs libzfs)
+               $(use_with lttng )
+               $(use_with babeltrace)
+               --without-kinetic
+               --without-librocksdb
+               --with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+       )
+
+       use jemalloc || \
+               myeconfargs+=( $(usex tcmalloc " --with-tcmalloc" " 
--with-tcmalloc-minimal") )
+
+       PYTHON="${EPYTHON}" \
+               econf "${myeconfargs[@]}"
+}
+
+src_install() {
+       default
+
+       prune_libtool_files --all
+
+       exeinto /usr/$(get_libdir)/ceph
+       newexe src/init-ceph ceph_init.sh
+
+       insinto /etc/logrotate.d/
+       newins "${FILESDIR}"/ceph.logrotate ${PN}
+
+       chmod 644 "${ED}"/usr/share/doc/${PF}/sample.*
+
+       keepdir /var/lib/${PN}
+       keepdir /var/lib/${PN}/tmp
+       keepdir /var/log/${PN}/stat
+
+       fowners ceph:ceph /var/lib/ceph
+
+       newinitd "${FILESDIR}/rbdmap.initd" rbdmap
+       newinitd "${FILESDIR}/${PN}.initd-r2" ${PN}
+       newconfd "${FILESDIR}/${PN}.confd-r1" ${PN}
+
+       systemd_install_serviced "${FILESDIR}/ceph-mds_at.service.conf" 
"ceph-mds@.service"
+       systemd_install_serviced "${FILESDIR}/ceph-osd_at.service.conf" 
"ceph-osd@.service"
+       systemd_install_serviced "${FILESDIR}/ceph-mon_at.service.conf" 
"ceph-mon@.service"
+
+       python_fix_shebang \
+               "${ED}"/usr/sbin/{ceph-disk,ceph-create-keys} \
+               "${ED}"/usr/bin/{ceph,ceph-rest-api,ceph-detect-init,ceph-brag}
+
+       #install udev rules
+       udev_dorules udev/50-rbd.rules
+       udev_dorules udev/95-ceph-osd.rules
+
+       readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+       readme.gentoo_print_elog
+}
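Review bot: The `PATCHES` array in this ebuild lists only `${PN}-0.79-libzfs.patch` and `${P}-libxfs.patch`, so `ceph-CVE-2016-5009.patch` is never applied here, although the commit message says 9.2.1-r2 is bumped for CVE-2016-5009. Unless the fix reaches this version by a route not visible in the diff, 9.2.1-r2 still ships the unpatched monitor command handling while appearing to be the fixed revision. Add `"${FILESDIR}"/${PN}-CVE-2016-5009.patch` to `PATCHES` after confirming that the patch's Monitor.cc hunks apply to the 9.2.1 sources, or carry a backport made for that tree.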

diff --git a/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch 
b/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch
new file mode 100644
index 0000000..1528dad
--- /dev/null
+++ b/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch
@@ -0,0 +1,87 @@
+diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
+index 10c8bfc..98843d7 100644
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -2631,7 +2631,19 @@ void Monitor::handle_command(MonOpRequestRef op)
+     return;
+   }
+ 
+-  cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++  // check return value. If no prefix parameter provided,
++  // return value will be false, then return error info.
++  if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++    reply_command(op, -EINVAL, "command prefix not found", 0);
++    return;
++  }
++
++  // check prefix is empty
++  if (prefix.empty()) {
++    reply_command(op, -EINVAL, "command prefix must not be empty", 0);
++    return;
++  }
++
+   if (prefix == "get_command_descriptions") {
+     bufferlist rdata;
+     Formatter *f = Formatter::create("json");
+@@ -2652,6 +2664,15 @@ void Monitor::handle_command(MonOpRequestRef op)
+   boost::scoped_ptr<Formatter> f(Formatter::create(format));
+ 
+   get_str_vec(prefix, fullcmd);
++
++  // make sure fullcmd is not empty.
++  // invalid prefix will cause empty vector fullcmd.
++  // such as, prefix=";,,;"
++  if (fullcmd.empty()) {
++    reply_command(op, -EINVAL, "command requires a prefix to be valid", 0);
++    return;
++  }
++
+   module = fullcmd[0];
+ 
+   // validate command is in leader map
+diff --git a/src/test/librados/cmd.cc b/src/test/librados/cmd.cc
+index 9261fb5..878a8af 100644
+--- a/src/test/librados/cmd.cc
++++ b/src/test/librados/cmd.cc
+@@ -48,6 +48,41 @@ TEST(LibRadosCmd, MonDescribe) {
+   rados_buffer_free(buf);
+   rados_buffer_free(st);
+ 
++  cmd[0] = (char *)"";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 
2, &buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, 
&buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"abc\":\"something\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, 
&buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, 
&buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"    \"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, 
&buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\";;;,,,;;,,\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, 
&buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
++  cmd[0] = (char *)"{\"prefix\":\"extra command\"}";
++  ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, 
&buf, &buflen, &st, &stlen));
++  rados_buffer_free(buf);
++  rados_buffer_free(st);
++
+   cmd[0] = (char *)"{\"prefix\":\"mon_status\"}";
+   ASSERT_EQ(0, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, 
&buflen, &st, &stlen));
+   ASSERT_LT(0u, buflen);
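Review bot: The patch file starts directly at `diff --git a/src/mon/Monitor.cc` with no header stating where it came from, which makes this security fix hard to audit against upstream later. I would add a short header above the first `diff --git` line, for example `Fix for CVE-2016-5009 (Gentoo bug #587568), taken from <UPSTREAM_COMMIT_URL>`, with the placeholder replaced by the actual upstream commit. The header could also say that the `src/test/librados/cmd.cc` part is kept only for reference, since the 10.2.2-r1 ebuild sets `RESTRICT+=" test"` and those assertions are not run at build time.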
