commit: 6a0cecccd4cde2ac81dd8a2409467dcc291133b5
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 27 21:31:02 2016 +0000
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Oct 27 21:31:02 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a0ceccc
sys-cluster/ceph: Revision bump to 10.2.3-r1 for CVE-2016-8626
Gentoo-Bug: 598206
Package-Manager: portage-2.3.2
sys-cluster/ceph/ceph-10.2.3-r1.ebuild | 263 +++++++++++++++++++++
.../ceph/files/ceph-10.2.3-CVE-2016-8626.patch | 33 +++
2 files changed, 296 insertions(+)
diff --git a/sys-cluster/ceph/ceph-10.2.3-r1.ebuild
b/sys-cluster/ceph/ceph-10.2.3-r1.ebuild
new file mode 100644
index 00000000..5f40c53
--- /dev/null
+++ b/sys-cluster/ceph/ceph-10.2.3-r1.ebuild
@@ -0,0 +1,263 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+PYTHON_COMPAT=( python{2_7,3_{4,5}} )
+
+inherit check-reqs autotools eutils python-r1 udev user \
+ readme.gentoo-r1 systemd versionator flag-o-matic
+
+if [[ ${PV} == *9999* ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="
+ git://github.com/ceph/ceph.git
+ https://github.com/ceph/ceph.git";
+ SRC_URI=""
+else
+ SRC_URI="http://ceph.com/download/${P}.tar.gz";
+ KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+fi
+
+DESCRIPTION="Ceph distributed filesystem"
+HOMEPAGE="http://ceph.com/";
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+
+IUSE="babeltrace cephfs cryptopp debug fuse gtk jemalloc ldap +libaio"
+IUSE+=" libatomic lttng +nss +radosgw static-libs +tcmalloc test xfs zfs"
+
+# unbundling code commented out pending bugs 584056 and 584058
+#>=dev-libs/jerasure-2.0.0-r1
+#>=dev-libs/gf-complete-2.0.0
+COMMON_DEPEND="
+ app-arch/snappy
+ app-arch/lz4:=
+ app-arch/bzip2
+ dev-libs/boost:=[threads]
+ dev-libs/libaio
+ dev-libs/leveldb[snappy]
+ nss? ( dev-libs/nss )
+ libatomic? ( dev-libs/libatomic_ops )
+ cryptopp? ( dev-libs/crypto++:= )
+ sys-apps/keyutils
+ sys-apps/util-linux
+ dev-libs/libxml2
+ radosgw? ( dev-libs/fcgi )
+ ldap? ( net-nds/openldap )
+ babeltrace? ( dev-util/babeltrace )
+ fuse? ( sys-fs/fuse )
+ xfs? ( sys-fs/xfsprogs )
+ zfs? ( sys-fs/zfs )
+ gtk? (
+ x11-libs/gtk+:2
+ dev-cpp/gtkmm:2.4
+ gnome-base/librsvg
+ )
+ radosgw? (
+ dev-libs/fcgi
+ dev-libs/expat
+ net-misc/curl
+ )
+ jemalloc? ( dev-libs/jemalloc )
+ !jemalloc? ( dev-util/google-perftools )
+ lttng? ( dev-util/lttng-ust )
+ ${PYTHON_DEPS}
+ "
+DEPEND="${COMMON_DEPEND}
+ dev-python/cython[${PYTHON_USEDEP}]
+ app-arch/cpio
+ sys-apps/lsb-release
+ virtual/pkgconfig
+ dev-python/sphinx
+ test? (
+ sys-fs/btrfs-progs
+ sys-apps/grep[pcre]
+ dev-python/tox[${PYTHON_USEDEP}]
+ dev-python/virtualenv[${PYTHON_USEDEP}]
+ )"
+RDEPEND="${COMMON_DEPEND}
+ sys-apps/hdparm
+ sys-block/parted
+ sys-fs/cryptsetup
+ sys-apps/gptfdisk
+ dev-python/flask[${PYTHON_USEDEP}]
+ dev-python/requests[${PYTHON_USEDEP}]
+ "
+REQUIRED_USE="
+ $(python_gen_useflags 'python2*')
+ ${PYTHON_REQUIRED_USE}
+ ^^ ( nss cryptopp )
+ ?? ( jemalloc tcmalloc )
+ "
+
+# work around bug in ceph compilation (rgw/ceph_dencoder-rgw_dencoder.o...
undefined reference to `vtable for RGWZoneGroup')
+REQUIRED_USE+=" radosgw"
+
+RESTRICT="test? ( userpriv )"
+
+# distribution tarball does not include everything needed for tests
+RESTRICT+=" test"
+
+STRIP_MASK="/usr/lib*/rados-classes/*"
+
+UNBUNDLE_LIBS=(
+ src/erasure-code/jerasure/jerasure
+ src/erasure-code/jerasure/gf-complete
+)
+
+PATCHES=(
+ "${FILESDIR}/ceph-10.2.0-dont-use-virtualenvs.patch"
+ #"${FILESDIR}/ceph-10.2.1-unbundle-jerasure.patch"
+ "${FILESDIR}/${PN}-10.2.1-libzfs.patch"
+ "${FILESDIR}/${PN}-10.2.3-build-without-openldap.patch"
+ "${FILESDIR}/${PN}-10.2.3-CVE-2016-8626.patch"
+)
+
+check-reqs_export_vars() {
+ if use debug; then
+ CHECKREQS_DISK_BUILD="23G"
+ CHECKREQS_DISK_USR="7G"
+ elif use amd64; then
+ CHECKREQS_DISK_BUILD="12G"
+ CHECKREQS_DISK_USR="450M"
+ else
+ CHECKREQS_DISK_BUILD="1400M"
+ CHECKREQS_DISK_USR="450M"
+ fi
+
+ export CHECKREQS_DISK_BUILD CHECKREQS_DISK_USR
+}
+
+user_setup() {
+ enewgroup ceph ${CEPH_GID}
+ enewuser ceph "${CEPH_UID:--1}" -1 /var/lib/ceph ceph
+}
+
+emake_python_bindings() {
+ local action="${1}" params binding
+ shift
+ params=("${@}")
+
+ __emake_python_bindings_do_impl() {
+ emake "${params[@]}" PYTHON="${EPYTHON}"
"${binding}-pybind-${action}"
+
+ # these don't work and aren't needed on python3
+ if [[ ${EBUILD_PHASE} == install ]] && python_is_python3; then
+ rm -f
"${ED}/$(python_get_sitedir)"/ceph_{argparse,volume_client}.py
+ fi
+ }
+
+ pushd "${S}/src"
+ for binding in rados rbd $(use cephfs && echo cephfs); do
+ python_foreach_impl __emake_python_bindings_do_impl
+ done
+ popd
+
+ unset __emake_python_bindings_do_impl
+}
+
+pkg_pretend() {
+ check-reqs_export_vars
+ check-reqs_pkg_pretend
+}
+
+pkg_setup() {
+ python_setup
+ check-reqs_export_vars
+ check-reqs_pkg_setup
+ user_setup
+}
+
+src_prepare() {
+ default
+
+ # remove tests that need root access
+ rm src/test/cli/ceph-authtool/cap*.t
+
+ #rm -rf "${UNBUNDLE_LIBS[@]}"
+
+ append-flags -fPIC
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --without-hadoop
+ --includedir=/usr/include
+ $(use_with cephfs)
+ $(use_with debug)
+ $(use_with fuse)
+ $(use_with libaio)
+ $(use_with libatomic libatomic-ops)
+ $(use_with nss)
+ $(use_with cryptopp)
+ $(use_with radosgw)
+ $(use_with gtk gtk2)
+ $(use_enable static-libs static)
+ $(use_with jemalloc)
+ $(use_with xfs libxfs)
+ $(use_with zfs libzfs)
+ $(use_with lttng )
+ $(use_with babeltrace)
+ $(use_with ldap openldap)
+ $(use jemalloc || usex tcmalloc " --with-tcmalloc" "
--with-tcmalloc-minimal")
+ --with-mon
+ --with-eventfd
+ --with-cython
+ --without-kinetic
+ --without-librocksdb
+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+ )
+
+ # we can only use python2.7 for building at the moment
+ python_export python2.7 PYTHON EPYTHON
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake
+ emake_python_bindings all
+
+ use test && emake check-local
+}
+
+src_test() {
+ make check || die "make check failed"
+}
+
+src_install() {
+ default
+ emake_python_bindings install-exec "DESTDIR=\"${D}\""
+
+ prune_libtool_files --all
+
+ exeinto /usr/$(get_libdir)/ceph
+ newexe src/init-ceph ceph_init.sh
+
+ insinto /etc/logrotate.d/
+ newins "${FILESDIR}"/ceph.logrotate ${PN}
+
+ keepdir /var/lib/${PN}{,/tmp} /var/log/${PN}/stat
+
+ fowners ceph:ceph /var/lib/ceph
+
+ newinitd "${FILESDIR}/rbdmap.initd" rbdmap
+ newinitd "${FILESDIR}/${PN}.initd-r2" ${PN}
+ newconfd "${FILESDIR}/${PN}.confd-r1" ${PN}
+
+ systemd_install_serviced "${FILESDIR}/ceph-mds_at.service.conf"
"ceph-mds@.service"
+ systemd_install_serviced "${FILESDIR}/ceph-osd_at.service.conf"
"ceph-osd@.service"
+ systemd_install_serviced "${FILESDIR}/ceph-mon_at.service.conf"
"ceph-mon@.service"
+
+ python_fix_shebang "${ED}"/usr/{,s}bin/
+
+ udev_dorules udev/*.rules
+
+ readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ readme.gentoo_print_elog
+}
diff --git a/sys-cluster/ceph/files/ceph-10.2.3-CVE-2016-8626.patch
b/sys-cluster/ceph/files/ceph-10.2.3-CVE-2016-8626.patch
new file mode 100644
index 00000000..d767d81
--- /dev/null
+++ b/sys-cluster/ceph/files/ceph-10.2.3-CVE-2016-8626.patch
@@ -0,0 +1,33 @@
+commit dc2ffda7819d2ebeed3526d9e6da8f53221818de
+Author: Yehuda Sadeh <yeh...@redhat.com>
+Date: Thu Oct 20 10:17:36 2016 -0700
+
+ rgw: handle empty POST condition
+
+ Fixes: http://tracker.ceph.com/issues/17635
+
+ Before accessing json entity, need to check that iterator is valid.
+ If there is no entry return appropriate error code.
+
+ Signed-off-by: Yehuda Sadeh <yeh...@redhat.com>
+ (cherry picked from commit 23cb642243e09ca4a8e104f62a3bb7b2cbb6ea12)
+
+diff --git a/src/rgw/rgw_policy_s3.cc b/src/rgw/rgw_policy_s3.cc
+index 3843511..8af70a8 100644
+--- a/src/rgw/rgw_policy_s3.cc
++++ b/src/rgw/rgw_policy_s3.cc
+@@ -286,11 +286,13 @@ int RGWPolicy::from_json(bufferlist& bl, string& err_msg)
+ int r = add_condition(v[0], v[1], v[2], err_msg);
+ if (r < 0)
+ return r;
+- } else {
++ } else if (!citer.end()) {
+ JSONObj *c = *citer;
+ dout(0) << "adding simple_check: " << c->get_name() << " : " <<
c->get_data() << dendl;
+
+ add_simple_check(c->get_name(), c->get_data());
++ } else {
++ return -EINVAL;
+ }
+ }
+ return 0;
