From 8460e86aa62b22cb9a30d8da053cdd45118ea549 Mon Sep 17 00:00:00 2001
From: Matthew Thode
Date: Thu, 21 Aug 2014 20:59:43 +0000
Subject: bup, fix for bug 520420 CVE-2014-3594
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
---
 www-apps/horizon/ChangeLog | 9 +-
 .../horizon/files/2014.1.1-CVE-2014-3473.patch | 163 ---------------------
 .../horizon/files/2014.1.2-CVE-2014-3594.patch | 53 +++++++
 www-apps/horizon/horizon-2014.1.1-r1.ebuild | 69 ---------
 www-apps/horizon/horizon-2014.1.2.ebuild | 70 +++++++++
 5 files changed, 131 insertions(+), 233 deletions(-)
 delete mode 100644 www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
 create mode 100644 www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch
 delete mode 100644 www-apps/horizon/horizon-2014.1.1-r1.ebuild
 create mode 100644 www-apps/horizon/horizon-2014.1.2.ebuild
(limited to 'www-apps')
diff --git a/www-apps/horizon/ChangeLog b/www-apps/horizon/ChangeLog
index a43d99ba1a49..f4ea88310b07 100644
--- a/www-apps/horizon/ChangeLog
+++ b/www-apps/horizon/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for www-apps/horizon
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.32 2014/08/10 20:13:31 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.33 2014/08/21 20:59:43 prometheanfire Exp $
+
+*horizon-2014.1.2 (21 Aug 2014)
+
+ 21 Aug 2014; Matthew Thode
+ +files/2014.1.2-CVE-2014-3594.patch, +horizon-2014.1.2.ebuild,
+ -files/2014.1.1-CVE-2014-3473.patch, -horizon-2014.1.1-r1.ebuild:
+ bup, fix for bug 520420 CVE-2014-3594
 
 10 Aug 2014; Sergei Trofimovich horizon-2014.1.1-r1.ebuild,
 horizon-2014.1.9999.ebuild, horizon-9999.ebuild:
diff --git a/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch b/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
deleted file mode 100644
index 7ab9bebb3364..000000000000
--- a/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 32a7b713468161282f2ea01d5e2faff980d924cd Mon Sep 17 00:00:00 2001
-From: Julie Pichon
-Date: Thu, 22 May 2014 16:45:03 +0100
-Subject: [PATCH] Fix multiple Cross-Site Scripting (XSS) vulnerabilities.
-
- * Ensure user emails are properly escaped
-
-User emails in the Users and Groups panel are being passed through the
-urlize filter to transform them into clickable links. However, urlize
-expects input to be already escaped and safe. We should make sure to
-escape the strings first as email addresses are not validated and can
-contain any type of string.
-
-Closes-Bug: #1320235
-
- * Ensure network names are properly escaped in the Launch Instance menu
-
-Closes-Bug: #1322197
-
- * Escape the URLs generated for the Horizon tables
-
-When generating the Horizon tables, there was an assumption that only
-the anchor text needed to be escaped. However some URLs are generated
-based on user-provided data and should be escaped as well. Also escape
-the link attributes for good measure.
-
- * Use 'reverse' to generate the Resource URLs in the stacks tables
-
-Closes-Bug: #1308727
-
-Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e
----
- horizon/static/horizon/js/horizon.instances.js | 9 ++++++++-
- horizon/tables/base.py | 4 +++-
- openstack_dashboard/dashboards/admin/groups/tables.py | 3 ++-
- openstack_dashboard/dashboards/admin/users/tables.py | 4 +++-
- openstack_dashboard/dashboards/project/stacks/tables.py | 9 +++++++--
- openstack_dashboard/dashboards/project/stacks/tabs.py | 6 ++++++
- 6 files changed, 29 insertions(+), 6 deletions(-)
-
-diff --git a/horizon/static/horizon/js/horizon.instances.js b/horizon/static/horizon/js/horizon.instances.js
-index e8e9353..d4ef8a0 100644
---- a/horizon/static/horizon/js/horizon.instances.js
-+++ b/horizon/static/horizon/js/horizon.instances.js
-@@ -51,8 +51,15 @@ horizon.instances = {
- $(this.get_network_element("")).each(function(){
- var $this = $(this);
- var $input = $this.children("input");
-+ var name = $this.text().replace(/^\s+/,"")
-+ .replace(/&/g, '&')
-+ .replace(//g, '>')
-+ .replace(/"/g, '"')
-+ .replace(/'/g, ''')
-+ .replace(/\//g, '/');
- var network_property = {
-- name:$this.text().replace(/^\s+/,""),
-+ name:name,
- id:$input.attr("id"),
- value:$input.attr("value")
- };
-diff --git a/horizon/tables/base.py b/horizon/tables/base.py
-index 10aaa98..4aceb81 100644
---- a/horizon/tables/base.py
-+++ b/horizon/tables/base.py
-@@ -676,7 +676,9 @@ class Cell(html.HTMLElement):
- link_classes = ' '.join(self.column.link_classes)
- # Escape the data inside while allowing our HTML to render
- data = mark_safe('%s' %
-- (self.url, link_classes, escape(unicode(data))))
-+ (escape(self.url),
-+ escape(link_classes),
-+ escape(unicode(data))))
- return data
-
- @property
-diff --git a/openstack_dashboard/dashboards/admin/groups/tables.py b/openstack_dashboard/dashboards/admin/groups/tables.py
-index 1f32da2..286c22b 100644
---- a/openstack_dashboard/dashboards/admin/groups/tables.py
-+++ b/openstack_dashboard/dashboards/admin/groups/tables.py
-@@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction):
- class UsersTable(tables.DataTable):
- name = tables.Column('name', verbose_name=_('User Name'))
- email = tables.Column('email', verbose_name=_('Email'),
-- filters=[defaultfilters.urlize])
-+ filters=[defaultfilters.escape,
-+ defaultfilters.urlize])
- id = tables.Column('id', verbose_name=_('User ID'))
- enabled = tables.Column('enabled', verbose_name=_('Enabled'),
- status=True,
-diff --git a/openstack_dashboard/dashboards/admin/users/tables.py b/openstack_dashboard/dashboards/admin/users/tables.py
-index b2032c4..9c6dc04 100644
---- a/openstack_dashboard/dashboards/admin/users/tables.py
-+++ b/openstack_dashboard/dashboards/admin/users/tables.py
-@@ -131,7 +131,9 @@ class UsersTable(tables.DataTable):
- email = tables.Column('email', verbose_name=_('Email'),
- filters=(lambda v: defaultfilters
- .default_if_none(v, ""),
-- defaultfilters.urlize))
-+ defaultfilters.escape,
-+ defaultfilters.urlize)
-+ )
- # Default tenant is not returned from Keystone currently.
- #default_tenant = tables.Column('default_tenant',
- # verbose_name=_('Default Project'))
-diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
-index e5f829a..1174746 100644
---- a/openstack_dashboard/dashboards/project/stacks/tables.py
-+++ b/openstack_dashboard/dashboards/project/stacks/tables.py
-@@ -114,11 +114,16 @@ class StacksTable(tables.DataTable):
- ChangeStackTemplate)
-
-
-+def get_resource_url(obj):
-+ return urlresolvers.reverse('horizon:project:stacks:resource',
-+ args=(obj.stack_id, obj.resource_name))
-+
-+
- class EventsTable(tables.DataTable):
-
- logical_resource = tables.Column('resource_name',
- verbose_name=_("Stack Resource"),
-- link=lambda d: d.resource_name,)
-+ link=get_resource_url)
- physical_resource = tables.Column('physical_resource_id',
- verbose_name=_("Resource"),
- link=mappings.resource_to_url)
-@@ -163,7 +168,7 @@ class ResourcesTable(tables.DataTable):
-
- logical_resource = tables.Column('resource_name',
- verbose_name=_("Stack Resource"),
-- link=lambda d: d.resource_name)
-+ link=get_resource_url)
- physical_resource = tables.Column('physical_resource_id',
- verbose_name=_("Resource"),
- link=mappings.resource_to_url)
-diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
-index c68464a..976541a 100644
---- a/openstack_dashboard/dashboards/project/stacks/tabs.py
-+++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
-@@ -79,6 +79,9 @@ class StackEventsTab(tabs.Tab):
- stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
- events = api.heat.events_list(self.request, stack_identifier)
- LOG.debug('got events %s' % events)
-+ # The stack id is needed to generate the resource URL.
-+ for event in events:
-+ event.stack_id = stack.id
- except Exception:
- events = []
- messages.error(request, _(
-@@ -99,6 +102,9 @@ class StackResourcesTab(tabs.Tab):
- stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
- resources = api.heat.resources_list(self.request, stack_identifier)
- LOG.debug('got resources %s' % resources)
-+ # The stack id is needed to generate the resource URL.
-+ for r in resources:
-+ r.stack_id = stack.id
- except Exception:
- resources = []
- messages.error(request, _(
---
-1.8.5.5
-
diff --git a/www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch b/www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch
new file mode 100644
index 000000000000..564e53b0d634
--- /dev/null
+++ b/www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch
@@ -0,0 +1,53 @@
+From ba908ae88d5925f4f6783eb234cc4ea95017472b Mon Sep 17 00:00:00 2001
+From: Julie Pichon
+Date: Tue, 29 Jul 2014 16:17:44 +0100
+Subject: Fix XSS issue with the unordered_list filter
+
+When using the unordered_list filter in a Horizon table (as opposed to
+a template directly), autoescaping is not set by default and the input
+wasn't sanitised.
+
+Closes-Bug: #1349491
+Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
+
+diff --git a/openstack_dashboard/dashboards/admin/aggregates/tables.py b/openstack_dashboard/dashboards/admin/aggregates/tables.py
+index 5cefae1..f0c2122 100644
+--- a/openstack_dashboard/dashboards/admin/aggregates/tables.py
++++ b/openstack_dashboard/dashboards/admin/aggregates/tables.py
+@@ -93,6 +93,10 @@ def get_zone_hosts(zone):
+ return host_details
+
+
++def safe_unordered_list(value):
++ return filters.unordered_list(value, autoescape=True)
++
++
+ class HostAggregatesTable(tables.DataTable):
+ name = tables.Column('name', verbose_name=_('Name'))
+ availability_zone = tables.Column('availability_zone',
+@@ -100,11 +104,11 @@ class HostAggregatesTable(tables.DataTable):
+ hosts = tables.Column(get_aggregate_hosts,
+ verbose_name=_("Hosts"),
+ wrap_list=True,
+- filters=(filters.unordered_list,))
++ filters=(safe_unordered_list,))
+ metadata = tables.Column(get_metadata,
+ verbose_name=_("Metadata"),
+ wrap_list=True,
+- filters=(filters.unordered_list,))
++ filters=(safe_unordered_list,))
+
+ class Meta:
+ name = "host_aggregates"
+@@ -123,7 +127,7 @@ class AvailabilityZonesTable(tables.DataTable):
+ hosts = tables.Column(get_zone_hosts,
+ verbose_name=_('Hosts'),
+ wrap_list=True,
+- filters=(filters.unordered_list,))
++ filters=(safe_unordered_list,))
+ available = tables.Column(get_available,
+ verbose_name=_('Available'),
+ status=True,
+--
+cgit v0.10.1
+
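Review bot: `safe_unordered_list` has no docstring, and the reason it exists — Horizon table `filters=` callables are invoked outside the template engine, so Django never passes `autoescape` to `unordered_list` and the host and metadata strings reached the page unescaped — is exactly the context a later maintainer needs before "simplifying" it back to `filters.unordered_list`; add `"""unordered_list with autoescape forced on: table filters run outside the template engine, so Django would otherwise render these strings unescaped."""`. The helper is only wired into the three columns in aggregates/tables.py; any other table in openstack_dashboard that passes `filters.unordered_list` directly would have the same hole, so a repository-wide grep is worth doing before the bug is considered closed. `get_aggregate_hosts`, `get_zone_hosts` and `get_metadata` are defined outside the hunk, so whether their output already carries escaping cannot be judged from here. Note also that the vendored patch is applied to 2014.1.2 while upstream wrote it against master; if the ebuild's `src_prepare` does not fail loudly on a fuzzy or rejected hunk, a silent mis-apply would leave the CVE open.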
diff --git a/www-apps/horizon/horizon-2014.1.1-r1.ebuild b/www-apps/horizon/horizon-2014.1.1-r1.ebuild
deleted file mode 100644
index f3eb1ed1820c..000000000000
--- a/www-apps/horizon/horizon-2014.1.1-r1.ebuild
+++ /dev/null
@@ -1,69 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.1-r1.ebuild,v 1.2 2014/08/10 20:13:31 slyfox Exp $
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1
-
-DESCRIPTION="A Django-based project aimed at providing a complete OpenStack Dashboard"
-HOMEPAGE="https://launchpad.net/horizon"
-SRC_URI="http://launchpad.net/${PN}/icehouse/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="test"
-
-DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
- >=dev-python/pbr-0.6.0[${PYTHON_USEDEP}]
- =dev-python/hacking-0.8.0[${PYTHON_USEDEP}]
- =dev-python/coverage-3.6[${PYTHON_USEDEP}]
- dev-python/django-nose[${PYTHON_USEDEP}]
- ~dev-python/docutils-0.9.1[${PYTHON_USEDEP}]
- >=dev-python/mox-0.5.3[${PYTHON_USEDEP}]
- dev-python/nose[${PYTHON_USEDEP}]
- dev-python/nose-exclude[${PYTHON_USEDEP}]
- >=dev-python/nosehtmloutput-0.0.3[${PYTHON_USEDEP}]
- dev-python/nosexcover[${PYTHON_USEDEP}]
- >=dev-python/openstack-nose-plugin-0.7[${PYTHON_USEDEP}]
- dev-python/oslo-sphinx[${PYTHON_USEDEP}]
- dev-python/selenium[${PYTHON_USEDEP}]
- >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
- =dev-python/testtools-0.9.34[${PYTHON_USEDEP}]
- )"
-RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
- =dev-python/django-compressor-1.3[${PYTHON_USEDEP}]
- >=dev-python/django-openstack-auth-1.1.4[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
- >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
- >=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
- >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
- >=dev-python/lesscpy-0.9j[${PYTHON_USEDEP}]
- >=dev-python/lockfile-0.8[${PYTHON_USEDEP}]
- >=dev-python/netaddr-0.7.6[${PYTHON_USEDEP}]
- >=dev-python/python-ceilometerclient-1.0.6[${PYTHON_USEDEP}]
- >=dev-python/python-cinderclient-1.0.6[${PYTHON_USEDEP}]
- >=dev-python/python-glanceclient-0.9.0[${PYTHON_USEDEP}]
- >=dev-python/python-heatclient-0.2.3[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-0.7.0[${PYTHON_USEDEP}]
- >=dev-python/python-neutronclient-2.3.4[${PYTHON_USEDEP}]
- =dev-python/python-novaclient-2.17.0[${PYTHON_USEDEP}]
- >=dev-python/python-swiftclient-1.6[${PYTHON_USEDEP}]
- >=dev-python/python-troveclient-1.0.3[${PYTHON_USEDEP}]
- >=dev-python/pytz-2010h[${PYTHON_USEDEP}]
- >=dev-python/six-1.5.2[${PYTHON_USEDEP}]"
-
-PATCHES=(
- "${FILESDIR}/2014.1.1-CVE-2014-3473.patch"
-)
-
-src_test() {
- ./run_tests.sh -N --coverage
-}
diff --git a/www-apps/horizon/horizon-2014.1.2.ebuild b/www-apps/horizon/horizon-2014.1.2.ebuild
new file mode 100644
index 000000000000..9a3db8afb733
--- /dev/null
+++ b/www-apps/horizon/horizon-2014.1.2.ebuild
@@ -0,0 +1,70 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.2.ebuild,v 1.1 2014/08/21 20:59:43 prometheanfire Exp $
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1
+
+DESCRIPTION="A Django-based project aimed at providing a complete OpenStack Dashboard"
+HOMEPAGE="https://launchpad.net/horizon"
+SRC_URI="http://launchpad.net/${PN}/icehouse/${PV}/+download/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="test"
+
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ >=dev-python/pbr-0.6.0[${PYTHON_USEDEP}]
+ =dev-python/hacking-0.8.0[${PYTHON_USEDEP}]
+ =dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ dev-python/django-nose[${PYTHON_USEDEP}]
+ ~dev-python/docutils-0.9.1[${PYTHON_USEDEP}]
+ >=dev-python/mox-0.5.3[${PYTHON_USEDEP}]
+ dev-python/nose[${PYTHON_USEDEP}]
+ dev-python/nose-exclude[${PYTHON_USEDEP}]
+ >=dev-python/nosehtmloutput-0.0.3[${PYTHON_USEDEP}]
+ dev-python/nosexcover[${PYTHON_USEDEP}]
+ >=dev-python/openstack-nose-plugin-0.7[${PYTHON_USEDEP}]
+ dev-python/oslo-sphinx[${PYTHON_USEDEP}]
+ dev-python/selenium[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ =dev-python/testtools-0.9.34[${PYTHON_USEDEP}]
+ )"
+RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
+ =dev-python/django-compressor-1.3[${PYTHON_USEDEP}]
+ >=dev-python/django-openstack-auth-1.1.4[${PYTHON_USEDEP}]
+ !~dev-python/django-openstack-auth-1.1.6[${PYTHON_USEDEP}]
+ >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
+ >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
+ >=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
+ >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
+ >=dev-python/lesscpy-0.9j[${PYTHON_USEDEP}]
+ >=dev-python/lockfile-0.8[${PYTHON_USEDEP}]
+ >=dev-python/netaddr-0.7.6[${PYTHON_USEDEP}]
+ >=dev-python/python-ceilometerclient-1.0.6[${PYTHON_USEDEP}]
+ >=dev-python/python-cinderclient-1.0.6[${PYTHON_USEDEP}]
+ >=dev-python/python-glanceclient-0.9.0[${PYTHON_USEDEP}]
+ >=dev-python/python-heatclient-0.2.3[${PYTHON_USEDEP}]
+ >=dev-python/python-keystoneclient-0.7.0[${PYTHON_USEDEP}]
+ >=dev-python/python-neutronclient-2.3.4[${PYTHON_USEDEP}]
+ =dev-python/python-novaclient-2.17.0[${PYTHON_USEDEP}]
+ >=dev-python/python-swiftclient-1.6[${PYTHON_USEDEP}]
+ >=dev-python/python-troveclient-1.0.3[${PYTHON_USEDEP}]
+ >=dev-python/pytz-2010h[${PYTHON_USEDEP}]
+ >=dev-python/six-1.6.0[${PYTHON_USEDEP}]"
+
+PATCHES=(
+ "${FILESDIR}/2014.1.2-CVE-2014-3594.patch"
+)
+
+src_test() {
+ ./run_tests.sh -N --coverage
+}
--
cgit v1.2.3-65-gdbad
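Review bot: The new `!~dev-python/django-openstack-auth-1.1.6[${PYTHON_USEDEP}]` blocker in RDEPEND is the only dependency change beyond the version bump and it carries no explanation, so a later maintainer cannot tell whether 1.1.6 is broken, incompatible with horizon 2014.1.2, or blocked for a security reason; add a comment above it such as `# django-openstack-auth 1.1.6 is blocked: <reason / bug number>` (nothing in this commit states the reason, so it has to come from the committer). SRC_URI still fetches the tarball over plain `http://`; the Manifest digests protect users at emerge time, but the copy those digests were generated from was itself fetched unauthenticated, so `https://launchpad.net/...` would be a cheap improvement if Launchpad serves it. The rendered page shows 65 ebuild lines against a stated 70 and several atoms with a stripped leading operator (`=dev-python/hacking-0.8.0`, `=dev-python/coverage-3.6`), which looks like `<`-prefixed text lost in rendering rather than a defect in the ebuild — worth confirming against the repository rather than from this page.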