authorMatt Thode <prometheanfire@gentoo.org>2015-07-02 05:43:36 +0000
committerMatt Thode <prometheanfire@gentoo.org>2015-07-02 05:43:36 +0000
commitf93ab13eb574a20e8b277f76cd381b4c56e154bf (patch)
tree58c57f81c6e299b4c11772207288f22d80c94a80 /sys-cluster
parentVersion bump. (diff)
fixing CVE-2015-3221 no badness remaining
Package-Manager: portage-2.2.18/cvs/Linux x86_64 Manifest-Sign-Key: 0x33ED3FD25AFC78BA
Diffstat (limited to 'sys-cluster')
-rw-r--r--sys-cluster/neutron/ChangeLog12
-rw-r--r--sys-cluster/neutron/Manifest39
-rw-r--r--sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild151
-rw-r--r--sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch127
-rw-r--r--sys-cluster/neutron/neutron-2014.2.3-r1.ebuild (renamed from sys-cluster/neutron/neutron-2014.2.3.ebuild)3
-rw-r--r--sys-cluster/neutron/neutron-2015.1.0-r2.ebuild (renamed from sys-cluster/neutron/neutron-2015.1.0-r1.ebuild)3
6 files changed, 312 insertions, 23 deletions
diff --git a/sys-cluster/neutron/ChangeLog b/sys-cluster/neutron/ChangeLog
index a06d9a4a01fc..a04b6b542d15 100644
--- a/sys-cluster/neutron/ChangeLog
+++ b/sys-cluster/neutron/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-cluster/neutron
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.64 2015/05/17 23:25:00 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/ChangeLog,v 1.65 2015/07/02 05:43:05 prometheanfire Exp $
+
+*neutron-2014.2.3-r1 (02 Jul 2015)
+*neutron-2015.1.0-r2 (02 Jul 2015)
+*cve-2015-3221_2014.2.3 (02 Jul 2015)
+
+ 02 Jul 2015; Matthew Thode <prometheanfire@gentoo.org>
+ +files/cve-2015-3221_2014.2.3.ebuild, +files/cve-2015-3221_2015.1.0.patch,
+ +neutron-2014.2.3-r1.ebuild, +neutron-2015.1.0-r2.ebuild,
+ -neutron-2014.2.3.ebuild, -neutron-2015.1.0-r1.ebuild:
+ fixing CVE-2015-3221 no badness remaining
*neutron-2015.1.0-r1 (17 May 2015)
diff --git a/sys-cluster/neutron/Manifest b/sys-cluster/neutron/Manifest
index 4678216aef9c..f95f6c2af25d 100644
--- a/sys-cluster/neutron/Manifest
+++ b/sys-cluster/neutron/Manifest
@@ -1,9 +1,11 @@
-----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA512
+Hash: SHA256
AUX 0001-Fixes-bug-in-interface-handling-of-ip_lib.py.patch 3346 SHA256 f9c382ff3a90653c0356c84847b53b677719ecb37ceb3ee60fd61e72a3c64dbe SHA512 5d99f94b003042d9ee676cad00d051335db72e351842a8ce876740cec556282ac1936ebf3c7355ca785907e745eb0de03bc00fa4b727106afd43632cc54bce0e WHIRLPOOL 28f086275d41d36699286a0e5f8295801cdae8acd37ac3b24c06137cc061f88b5c6cf5d166f1ddafd8b96d7eff51aea4a52fa819d582eb5d854edb5583c4e77a
AUX 0002-moving-vxlan-module-check-to-sanity-checks-and-makin.patch 9421 SHA256 554ba93fedfd892191ee980f90832aef45d02f639422b6c08bed21e8eb6fdbe1 SHA512 57db212fa09d86e224568822d5f162143b3ac5cd5f27be199fd1c2f89fa25e856e24b09a90c566457ad14beabdc934b3282a3d20dc330377ea6464d45b056ab7 WHIRLPOOL 2a2daf0cbfb298fdf64e328883ef42110c9541de7087b087778fc3ca37c5090da1a25eb73b8fca24bfd78e2166704c5cc0442f92b58756e3b28008be0512a53f
AUX 0003-fixes-error-logging-to-use-the-right-exception-paren.patch 954 SHA256 b7db04721a0a0322575623678cd33d3852f16fa3770af4aa12b8cecf7101291d SHA512 ea7e96bb22ac2636da7dbc5b5ead7954fa6d87a2e49998e66e1e0e126d30e3091dbecc8c6ac49b27e9da8edb3b4ca3556923911628f7affd53b9096f44f4da2d WHIRLPOOL 11c3b0a65620d31d652abc2736db2fa22181846191f1a7bf7ae8ed8db3553cb70177965c7689447e73bc0f1ede0724fae8e45eb204ee3d5f6ae9f141099ddaa8
+AUX cve-2015-3221_2014.2.3.ebuild 6463 SHA256 9e622fc01b8e2c0ea39d6d66080e244aa20d3a1a850985b33e13bf1a43f10bea SHA512 d6e7277c067c87bc25d757c5648f65ded3bd2bd532cb132e67fa64802d2a77276892d569f4d818a00d3fbac5ee6c2a3df4b084bd6a0a1fcd9c0af59c8dffddbe WHIRLPOOL 88062fc6cc8d1e6bca24d7b8c6e47410caaeef7736e79e287ffedbe25747a3d79afad290260a732bade9142a4ea80f5ae18e1cdc4b4b9fb4fea2143e9f87e4a7
+AUX cve-2015-3221_2015.1.0.patch 5245 SHA256 95e2ec047ed2f2b04a2c4d0730237804fd33149b1579877c17ad16d2e78526e4 SHA512 46a9f355ca37bbcbc5a424f4da7061de498863f6b6c5adc137bdbb312261f6d49fb8f425d050c41171d7d647206c80d99af046e37808c46c1251028dd2ff2964 WHIRLPOOL 612b78705b3d7edb5fb7824d24e8a37db25842c285878d4582f71b4b190df654590c95013a777effbd6af41ebae6974c93d1a542a5a10243eef954828561b0bb
AUX neutron-dhcp-agent.confd 75 SHA256 e36fe3d370ad2b4c82ccf1f4caac60882334d93e3abd7e0e6e268d23cb069d71 SHA512 94cf300c9a9d0275e4fcab4ffdb7e29ca26b73c120d6ff683b48ea0e9c21e46123289522aedd295e4d5d28307133b50084541a90a48db456802d675eed6c2d3e WHIRLPOOL 9e77fe1ef65fa8ef46f8272ddea7213a46e71c6f2884eab20f09eaddc977f5cc202c8529c1a75347132c667e4e2d39d5bdd3ab2c94812c4b1f95f398af75c38c
AUX neutron-l3-agent.confd 73 SHA256 560997f3e40d90ef885483e4bd02728bf88720378238fc5e6b3b2abb2ba9dd0e SHA512 4a902c5621abc124424bdad97de8959f63f7c846b4c7b9b3ccaab5522ff3e6938acf748df269980484228d4fc13d2f1e3e3670619207e3c88ea5dd5373699e0a WHIRLPOOL 653156dbbff34606fa0694bab622eb40c2ead171b1ad0a0c934285a50f15db4d8927e40ebff8d2ffe64078a8a079d48a2834e68b049c11a68417dc3945374cb8
AUX neutron-linuxbridge-agent.confd 140 SHA256 1eff0c9c6adb37abf3064a8d035a9d8042bc1151106ed790397d1cca1463c718 SHA512 f49db80c48488b86eb55077fae61202bbe29eaef0f2fa212c44c9b42f41c5f3cc31bdd48c9c405c0e0c51e7d7c3910169a6cc08e36a2be98f9d032b3a11a0a5a WHIRLPOOL 9b9f8932e7a72cdfd241d86b0063d660499c52de62ca6cda09ed6a74649587ef674fca72a0b80f82141e8d0db6fe3c3cf6c28739775230ae7bdf83afcd1fa694
@@ -15,28 +17,25 @@ AUX neutron.initd 792 SHA256 2170e60f05a3f41b47b80def27195fc3b67517adcdf8c6d5376
AUX neutron.sudoersd 117 SHA256 b40ea04a95deedbb66fe504df61b55905cbd746e5ba26321c01cd25b5cc9dcbe SHA512 143f8a1faa7650bc66b2566d0bd62f71eb743231b9efc4c7df265e53d664418b23182e3f271b86845ed76c537b7f60157e87af59413cf659379f367924d14366 WHIRLPOOL bb0e35d7b7471fab424f86f181601bc87d4bba98f4fbc282cc6302a05128992613097afe1fea159e9c718cd688a03c280b53d72bfe47fc91bd24967a4b4618da
DIST neutron-2014.2.3.tar.gz 2077226 SHA256 1af8df2a2ef4294e76546325a16ccb8ede001eee0392b877b80cfd04a48862dc SHA512 51eb9e6319a5368b77ef187210d0bcb76fe587e41f4a55bbb677ba940eda084fd93b186de95813b38fcf0d101f10b62b4d558bb342ef42850a417bb611d04295 WHIRLPOOL c536a6937bd4b88e9a6ba84d52fdddcd481791d34982878eab51d95ac0bd78aa79f37751283ebc3613db91bb3b648b3190b93ad697281bc33baf88f365a6df9f
DIST neutron-2015.1.0.tar.gz 2038600 SHA256 02672a5316e637d122bb13cd2e18ee4df0df279ddd70262fa7d4102943ec33b6 SHA512 205181228a34469b2f079135fd871adfc5156d9c046f59d1347798015403530131b6f790346be31349333acd6d3f00dd818876b1c7a73a675214387482d0715d WHIRLPOOL 558a16b3c84425ac9e14960895cc7d67f26f618f47e6b24e53592555e282d49fbd52feed3da616cb576942fabef36b54fb979273071605ecbd32ba980c28f5a3
-EBUILD neutron-2014.2.3.ebuild 7522 SHA256 597ba6828e67bcb479d1b1ebb6c3284a605caa80da0a58f30d0bc5b78295fedf SHA512 36363f11aba6a9099962752a66d69b42c65bbef7bc6805833ce84210889d2b775825c626b4b573a5554f86a54b15ad7c8336aadec8e6b54fc3448d512cb19421 WHIRLPOOL 777e3923cff07cc923c934f19a11d61fc3fa245406dfe7056e74b0e30440fd6b3ddd28015c3f739112b4e31e49b7351b829033a0d2c40551bceeb9e7c921b3b1
+EBUILD neutron-2014.2.3-r1.ebuild 7570 SHA256 516461098ffdafbfb4ae9accb3548629bcccecf32a62404e8b1d5cb199474dcf SHA512 3eea5574336b9adf5b8a5458c990b6d942ad6ca61413bbbb2c819cc02750d2e710b7d472cd9f22abd4de5d0fe279097a70f2662bf89580b2f802f367cfd9929b WHIRLPOOL 25b25992fd325c406fe16faa3a15d6c9bf99793e6fa18b0b69502007bc83f8c185191c40c5cafd2365d5c5cec32755599c8fd3d22b3f48f03ceee96e4400c2a8
EBUILD neutron-2014.2.9999.ebuild 7534 SHA256 a6bbe0d0c069645b7c31fd8e9913314e51f30ef4d9d344ca8d2f454fbb9a7272 SHA512 630c812b041f66052c6de41f682a42d67746d218e81ddde1d9b0f2b9dc1824d4bb80a7b4f7c011d39b15e2f3f468ebacdbf03c50d3b4bca1140e881b0b2b61b1 WHIRLPOOL 28d17074d7b3e0173827884a0b56fca04c1b53c410bbbf366cb9e69f03149d036d02933841d35ad289a55d9a66220ba24af8a60ca3e1f4f81a9a0148e1300802
-EBUILD neutron-2015.1.0-r1.ebuild 9160 SHA256 e663151f2a2eb3eb47fd737d33a746a8e3a46b385110e03e113665826204c951 SHA512 4f1b90a3ffb07bbd0539f5ffa4b855f92a6cd607bf78ea51d7d21da2999c13271b328b36096b7ad7cb846632338066fe27b540b7fd5e9cb8b653a430c71056e0 WHIRLPOOL 62f56705d7a5f626d9546f437fb27ee520e13098412a81e2ed237b966151798838c880d8ac63e700a8bcd578751584e983dc634a7bf721f370ea09eaccb143a3
+EBUILD neutron-2015.1.0-r2.ebuild 9205 SHA256 65a26fa0e86d5c5d1c756abc12adc2d3f4886cd8c8359a716090b7999562aab2 SHA512 84a41a94c8d5b1c5e2ae1b3ed97d38431b42278e9441a9e14189326c2de49ddb3d04cacc62a0ddd2fab99067c7af60df37e32be22cc7ce1d744eb792cbddf7bf WHIRLPOOL f4df2c8431345a0bbd84fc84317df42b57465336e286f8316fe6949c6e3038005e08a1d9576abbbc5fd88603d4156fc7501127538ef0713b3d9dccf462a69019
EBUILD neutron-2015.1.9999.ebuild 9168 SHA256 53b178d87ef7c2c6506d1a806cad8eeb21963210ba1861d8e97d4f7ff03205e6 SHA512 f8b9a6b856bfaa32dad67dfb59f30abfc6eaeb93378847ef8abaa2c371b3c0625bd4b605def025817bb859b80b1992c9982d665c8e22c1a6cdbb195a4590912d WHIRLPOOL 5dbab2ac82c0840a07f7b82f78d130c1f42665c19ca89be8cef6dc21a8d8a13859a4492772908fab8b493d79ea06ffd048299f34177e40a6b94fd19575ae4985
-MISC ChangeLog 17520 SHA256 7eaaac748241da4156acb1c926cbe97408832e9b0f05505a0f7d937523dfd44a SHA512 ba84d435df645e9e6f6b1bc46ede8532ebf97e8339ece0641907b70a9a8a9facd8560d4f25d22b923172b1f8ff70c323b22dcef384cd2ff94d1cba150a777e2d WHIRLPOOL 70c7b1ebb258892030df664f69c759014d1e2febe13d3ca32c2abf25d3beab11ff7c3259bb8819fa78ba6fb41df62f1763c7bfadab6ac18e65f769af812f7c52
+MISC ChangeLog 17925 SHA256 51ce827e9dc66b56b83686515d470b673706fbbc292b19d1482cf70dc456d80c SHA512 31ce0ce7d27096e23a29ff643be0266d85a4019816800a656ac1251e4c0a9ce5d538c99a69c12cb1cb443e16027086a6ba43ef6b9b7ef27abc229e8f4083ad8c WHIRLPOOL 8c2323c34eb28d16a0f37fa152b32c72d5e0aee5a1e08d977ceaf03163c015bcd8a70349ac1c39a0bcf46ef0ab2b414adc6090c55c1fe840f5589e43e6b25053
MISC metadata.xml 1456 SHA256 d106fe0b2c0065842dba18c09e7197e6929e3f828fc438b598ae43adfa93d97b SHA512 e52b4e877e4136940bb86c7097aa68943aff48a53ee87bf0e447f8219c5831bdcce503eaf5bfec01ac3cc637a3f1fcfe693130e077d24bc96c63a0456bd8e36a WHIRLPOOL 37a64b4b88e3d51bc0265c02a8e17c0831d3d32facb7b4308c8bf00d1d4d3413b43ea10e982af6b6d837c4f7afb89c92947e51dc2bf664f4422310765d9b45d2
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0
-iQJ8BAEBCgBmBQJVf8ACXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
-ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0QUU0N0I4NzFERUI0MTJFN0EyODE0NUFF
-OTQwMkE3OUIwMzUyOUEyAAoJEOlAKnmwNSmiCVgQALW5Ii5aJUSpFl4aPINqsn6/
-KWfqgMwZAQEjJt/DWViJdz8VhK6/+jbxtAkuErSsH4W11opDywtRf1cXCXKp3LFT
-AiZMoG8Ye9Z6k/4Pag/qZmvKtluk9E8/GcmarBpyAn4EI7KguFv6WjngmimoUwqe
-Xld9hSYCdTebWnEOqYHnDRjgnNHeoO5uaqOlSeIqBP2serrNY273SdQ4TnlBIPJK
-+aBHu//2JsxFfDyRlTYwd+j2tKoY7mGP+pnP8LvWMYXTDA0FrQsui1+1eKlLQLoM
-ZmDeQ9fMSARAKL1N1I9Oz2epL9PIJVZUkI3wD6ADZbdEvELdehmvOQCS41Q6WF4N
-QM82zie+7NZqxhZ+n7RMBIZQwrPeV4pCa23wQGs3REf8v4oGc75uISJb4IUQjRHm
-VP6FQv727tYmVvSgJ5uibZcMyu+SqTGdExF8XaxLhOEg7/k5+QBJv64aE5ci0bgp
-CIBuxSN6r7v7i6HqyHcbAM3KtSAK0N49AdLGjXoNJjC6mJXrTnNFLa4tuW/QTg8l
-bPZahZswkeRV09o1p55uGuNte76DN46/OTiMj31hpiIiTEjo9hYdzFP9ddrZSsLw
-0r3QxvVSuSRLHVe8FQkX1aPeDRHVFXDxyLTglB1Sk58ctIRxTyn1UKbV2zsZNYsY
-DZXQTaRLMydVzmjK792T
-=EPup
+iQIcBAEBCAAGBQJVlM+cAAoJEGSje+quGaToFxEQAKwz6LAo5VNjguS7hRnBRkom
+WsN/QZA08G+KA7E4MwdrT3NW/OyO6lmEpOnuJD+oHONbBh3OuoM7e9VvCNSr9c7W
+79uQiiXoaEjt+2wxNx2rNgUviTNX/r0i7P1nV96F1f/0zJe0wArwtwCr8Fq94qvr
+4DCf/+eZCQBwo6hlrVYnZ73FvhnRw44MPInn4IbNM+1WgHh4Hoqauh8PwbZ7MNbW
+zciBbTZvLMEyZAQzTezik40EChfNP96SsGAiF+e/2LKLPqU0Lbajupq7JQ95me6i
+xHEDom0k94Y9PCrWSyjO9e5rRtFCg2XWZxmx2gNCQMEzfyD+nBZmAhHW/5IY12lO
+w7Omksg9T2/gTgsWiUIe0QB3AD4oz2LzbwXCblS5sZCmTYaeDpPzAoJb61D0xE+/
+Rxm5Avz7OFqh36QWwV52bhtvhb490lyG/NKcHugPavgmoij8IElLYjwbMf10Nk6U
+PgqHb6P6JN/Owwh7JNXoJZxnZuodKQoC+KQZyX8iXdWwNfj6wf54aEZ23UFl1VZk
+dW400u4G8J94uMql1RrT32Drv/8yWu7PpNdAICNOsqBDW3oTyIHx8gdm/jBtVX/0
+lltuXpOmOpcbUKI2iIynV1k547H1x8vCOBuYVN/vU98oNI7a2VnBmAhl+1N8N6xd
+2XaIbsmEvfPcee/UVJMe
+=Y/u+
-----END PGP SIGNATURE-----
diff --git a/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild b/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild
new file mode 100644
index 000000000000..18cf37d92d40
--- /dev/null
+++ b/sys-cluster/neutron/files/cve-2015-3221_2014.2.3.ebuild
@@ -0,0 +1,151 @@
+From ac8fb28a920c7a6284d41f7cce054ea1b2e73cb1 Mon Sep 17 00:00:00 2001
+From: Aaron Rosen <aaronorosen@gmail.com>
+Date: Thu, 11 Jun 2015 13:58:16 -0700
+Subject: [PATCH] Disable allowed_address_pair ip 0.0.0.0/0 ::/0 for ipset
+
+Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if
+these addresses were inputted as allowed address pairs. This causes
+ipset to raise an error as it does not work with zero prefix sizes.
+To solve this problem we use two ipset rules to represent this.
+
+This was correctly fixed in a backport to kilo though we did not have the
+cycles to backport this exact fix to juno as in juno additional work needs to
+be done because the iptable and ipset code are interleaved together. This
+patch fixes this issue by disabling one from creating an address pair of
+zero lenght. This patch also provides a small tool which one should run:
+tools/fix_zero_length_ip_prefix.py which changes all zero length address_pair
+rules into two address pair rules of:
+
+Ipv4: 0.0.0.0/1 and 128.0.0.1/1
+IPv6: ::/1' and '8000::/1
+
+to avoid the problem.
+After this patch is merged into juno it will be easier for us to apply
+a better change to allow /0 addresses again in juno.
+
+Closes-bug: 1461054
+Co-Authored-by: Darragh O'Reilly <darragh.oreilly@hp.com>
+---
+ neutron/extensions/allowedaddresspairs.py | 9 +++-
+ .../unit/test_extension_allowedaddresspairs.py | 5 ++
+ tools/fix_zero_length_ip_prefix.py | 59 ++++++++++++++++++++++
+ 3 files changed, 72 insertions(+), 1 deletion(-)
+ create mode 100755 tools/fix_zero_length_ip_prefix.py
+
+diff --git a/neutron/extensions/allowedaddresspairs.py b/neutron/extensions/allowedaddresspairs.py
+index 6588d5f..a773a17 100644
+--- a/neutron/extensions/allowedaddresspairs.py
++++ b/neutron/extensions/allowedaddresspairs.py
+@@ -12,6 +12,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import netaddr
+ import webob.exc
+
+ from neutron.api.v2 import attributes as attr
+@@ -46,6 +47,10 @@ class AllowedAddressPairExhausted(nexception.BadRequest):
+ "exceeds the maximum %(quota)s.")
+
+
++class AllowedAddressPairsZeroPrefixNotAllowed(nexception.InvalidInput):
++ message = _("AllowedAddressPair CIDR cannot have prefix length zero")
++
++
+ def _validate_allowed_address_pairs(address_pairs, valid_values=None):
+ unique_check = {}
+ if len(address_pairs) > cfg.CONF.max_allowed_address_pair:
+@@ -77,7 +82,9 @@ def _validate_allowed_address_pairs(address_pairs, valid_values=None):
+ set(['mac_address', 'ip_address'])))
+ raise webob.exc.HTTPBadRequest(msg)
+
+- if '/' in ip_address:
++ if (netaddr.IPNetwork(ip_address).prefixlen == 0):
++ raise AllowedAddressPairsZeroPrefixNotAllowed()
++ elif '/' in ip_address:
+ msg = attr._validate_subnet(ip_address)
+ else:
+ msg = attr._validate_ip_address(ip_address)
+diff --git a/neutron/tests/unit/test_extension_allowedaddresspairs.py b/neutron/tests/unit/test_extension_allowedaddresspairs.py
+index bcaa11b..f15c402 100644
+--- a/neutron/tests/unit/test_extension_allowedaddresspairs.py
++++ b/neutron/tests/unit/test_extension_allowedaddresspairs.py
+@@ -140,6 +140,11 @@ class TestAllowedAddressPairs(AllowedAddressPairDBTestCase):
+ self.deserialize(self.fmt, res)
+ self.assertEqual(res.status_int, 409)
+
++ def test_create_port_zero_prefix_ip(self):
++ address_pairs = [{'mac_address': 'invalid_mac',
++ 'ip_address': '0.0.0.0/0'}]
++ self._create_port_with_address_pairs(address_pairs, 400)
++
+ def test_create_port_bad_mac(self):
+ address_pairs = [{'mac_address': 'invalid_mac',
+ 'ip_address': '10.0.0.1'}]
+diff --git a/tools/fix_zero_length_ip_prefix.py b/tools/fix_zero_length_ip_prefix.py
+new file mode 100755
+index 0000000..dbbafb5
+--- /dev/null
++++ b/tools/fix_zero_length_ip_prefix.py
+@@ -0,0 +1,59 @@
++"""
++This script is needed to convert addresses that are zero prefix to be two
++address of one prefix to avoid a bug that exists in juno where the ipset
++manager isn't able to handle zero prefix lenght addresses.
++"""
++
++import os
++import sys
++
++import netaddr
++from neutronclient.v2_0 import client
++
++
++def main():
++ try:
++ username = os.environ['OS_USERNAME']
++ tenant_name = os.environ['OS_TENANT_NAME']
++ password = os.environ['OS_PASSWORD']
++ auth_url = os.environ['OS_AUTH_URL']
++ except KeyError:
++ print("You need to source your openstack creds file first!")
++ sys.exit(1)
++
++ neutron = client.Client(username=username,
++ tenant_name=tenant_name,
++ password=password,
++ auth_url=auth_url)
++
++ ports = neutron.list_ports()
++ for port in ports['ports']:
++ new_address_pairs = []
++ needs_update = False
++ allowed_address_pairs = port.get('allowed_address_pairs')
++ if allowed_address_pairs:
++ for address_pair in allowed_address_pairs:
++ ip = address_pair['ip_address']
++ mac = address_pair['mac_address']
++ if(netaddr.IPNetwork(ip).prefixlen == 0):
++ needs_update = True
++ if(netaddr.IPNetwork(ip).version == 4):
++ new_address_pairs.append({'ip_address': '0.0.0.0/1',
++ 'mac_address': mac})
++ new_address_pairs.append({'ip_address': '128.0.0.0/1',
++ 'mac_address': mac})
++ elif(netaddr.IPNetwork(ip).version == 6):
++ new_address_pairs.append({'ip_address': '::/1',
++ 'mac_address': mac})
++ new_address_pairs.append({'ip_address': '8000::/1',
++ 'mac_address': mac})
++ else:
++ new_address_pairs.append(address_pair)
++ if needs_update:
++ print ("Updating port %s with new address_pairs %s" %
++ (port['id'], new_address_pairs))
++ neutron.update_port(
++ port['id'],
++ {'port': {'allowed_address_pairs': new_address_pairs}})
++
++main()
+--
+1.9.1
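Review bot: In the embedded `_validate_allowed_address_pairs` hunk, `netaddr.IPNetwork(ip_address)` is evaluated before `attr._validate_subnet` / `attr._validate_ip_address` have looked at the value, so a malformed `ip_address` would presumably surface as a netaddr parsing exception instead of the validator's usual bad-request message, unless code outside the hunk catches it. Keeping the original `if '/' in ip_address:` / `else:` validation first and testing the prefix afterwards, e.g. `if not msg and netaddr.IPNetwork(ip_address).prefixlen == 0:`, would reject zero-length prefixes without changing how invalid input is reported. The new `test_create_port_zero_prefix_ip` also sends `'mac_address': 'invalid_mac'`, so its expected 400 may come from the MAC check rather than the new one; a valid MAC plus a `::/0` case would pin the fix. The function continues past the end of the embedded hunk, so what happens to `msg` afterwards is not visible here.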
diff --git a/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch b/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch
new file mode 100644
index 000000000000..c6c2230c9bd3
--- /dev/null
+++ b/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch
@@ -0,0 +1,127 @@
+From e0c8cbc5dd610b4c580935ea56436495a6d4eb26 Mon Sep 17 00:00:00 2001
+From: Aaron Rosen <aaronorosen@gmail.com>
+Date: Wed, 3 Jun 2015 16:19:39 -0700
+Subject: [PATCH] Provide work around for 0.0.0.0/0 ::/0 for ipset
+
+Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if
+these addresses were inputted as allowed address pairs. This causes
+ipset to raise an error as it does not work with zero prefix sizes.
+To solve this problem we use two ipset rules to represent this:
+
+Ipv4: 0.0.0.0/1 and 128.0.0.1/1
+IPv6: ::/1' and '8000::/1
+
+All of this logic is handled via _sanitize_addresses() in the ipset_manager
+which is called to convert the input.
+
+Closes-bug: 1461054
+
+Conflicts:
+ neutron/agent/linux/ipset_manager.py
+ neutron/tests/unit/agent/linux/test_ipset_manager.py
+
+(cherry picked from commit 80a0fc3ba063e036b76e05e89b0cc54fc2d47c81)
+---
+ neutron/agent/linux/ipset_manager.py | 23 ++++++++++++++++++++++
+ .../tests/unit/agent/linux/test_ipset_manager.py | 19 +++++++++++++++---
+ 2 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py
+index 0f76418..af59f1f 100644
+--- a/neutron/agent/linux/ipset_manager.py
++++ b/neutron/agent/linux/ipset_manager.py
+@@ -11,6 +11,8 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
++import netaddr
++
+ from neutron.agent.linux import utils as linux_utils
+ from neutron.common import utils
+
+@@ -31,6 +33,26 @@ class IpsetManager(object):
+ self.namespace = namespace
+ self.ipset_sets = {}
+
++ def _sanitize_addresses(self, addresses):
++ """This method converts any address to ipset format.
++
++ If an address has a mask of /0 we need to cover to it to a mask of
++ /1 as ipset does not support /0 length addresses. Instead we use two
++ /1's to represent the /0.
++ """
++ sanitized_addresses = []
++ for ip in addresses:
++ if (netaddr.IPNetwork(ip).prefixlen == 0):
++ if(netaddr.IPNetwork(ip).version == 4):
++ sanitized_addresses.append('0.0.0.0/1')
++ sanitized_addresses.append('128.0.0.0/1')
++ elif (netaddr.IPNetwork(ip).version == 6):
++ sanitized_addresses.append('::/1')
++ sanitized_addresses.append('8000::/1')
++ else:
++ sanitized_addresses.append(ip)
++ return sanitized_addresses
++
+ @staticmethod
+ def get_name(id, ethertype):
+ """Returns the given ipset name for an id+ethertype pair.
+@@ -51,6 +73,7 @@ class IpsetManager(object):
+ add / remove new members, or swapped atomically if
+ that's faster.
+ """
++ member_ips = self._sanitize_addresses(member_ips)
+ set_name = self.get_name(id, ethertype)
+ if not self.set_exists(id, ethertype):
+ # The initial creation is handled with create/refresh to
+diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py
+index 4484008..a1c6dc5 100644
+--- a/neutron/tests/unit/agent/linux/test_ipset_manager.py
++++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py
+@@ -38,7 +38,7 @@ class BaseIpsetManagerTest(base.BaseTestCase):
+ def expect_set(self, addresses):
+ temp_input = ['create NETIPv4fake_sgid-new hash:net family inet']
+ temp_input.extend('add NETIPv4fake_sgid-new %s' % ip
+- for ip in addresses)
++ for ip in self.ipset._sanitize_addresses(addresses))
+ input = '\n'.join(temp_input)
+ self.expected_calls.extend([
+ mock.call(['ipset', 'restore', '-exist'],
+@@ -55,13 +55,16 @@ class BaseIpsetManagerTest(base.BaseTestCase):
+ self.expected_calls.extend(
+ mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip],
+ process_input=None,
+- run_as_root=True) for ip in addresses)
++ run_as_root=True)
++ for ip in self.ipset._sanitize_addresses(addresses))
+
+ def expect_del(self, addresses):
++
+ self.expected_calls.extend(
+ mock.call(['ipset', 'del', TEST_SET_NAME, ip],
+ process_input=None,
+- run_as_root=True) for ip in addresses)
++ run_as_root=True)
++ for ip in self.ipset._sanitize_addresses(addresses))
+
+ def expect_create(self):
+ self.expected_calls.append(
+@@ -113,6 +116,16 @@ class IpsetManagerTestCase(BaseIpsetManagerTest):
+ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, FAKE_IPS)
+ self.verify_mock_calls()
+
++ def test_set_members_adding_all_zero_ipv4(self):
++ self.expect_set(['0.0.0.0/0'])
++ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['0.0.0.0/0'])
++ self.verify_mock_calls()
++
++ def test_set_members_adding_all_zero_ipv6(self):
++ self.expect_set(['::/0'])
++ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['::/0'])
++ self.verify_mock_calls()
++
+ def test_destroy(self):
+ self.add_first_ip()
+ self.expect_destroy()
+--
+1.9.1
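Review bot: The updated test helpers (`expect_set`, `expect_del` and the add helper between them) now build their expected `ipset` calls with `self.ipset._sanitize_addresses(addresses)`, the same method under test, so `test_set_members_adding_all_zero_ipv4` and `test_set_members_adding_all_zero_ipv6` would still pass if the /0 split produced wrong or empty output. A direct assertion on literals would pin the behaviour, for example `self.assertEqual(['0.0.0.0/1', '128.0.0.0/1'], self.ipset._sanitize_addresses(['0.0.0.0/0']))` and the matching `['::/1', '8000::/1']` case for `::/0`. In `_sanitize_addresses` itself, `netaddr.IPNetwork(ip)` is parsed up to three times per address and the version check has no final `else`; parsing once into a local would make the branch easier to audit. The patch description's `128.0.0.1/1` also does not match the `128.0.0.0/1` the code emits.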
diff --git a/sys-cluster/neutron/neutron-2014.2.3.ebuild b/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild
index ceceadae2b73..eeb68995909e 100644
--- a/sys-cluster/neutron/neutron-2014.2.3.ebuild
+++ b/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.2.3.ebuild,v 1.1 2015/04/13 03:27:20 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.2.3-r1.ebuild,v 1.1 2015/07/02 05:43:05 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -102,6 +102,7 @@ PATCHES=(
"${FILESDIR}/0001-Fixes-bug-in-interface-handling-of-ip_lib.py.patch"
"${FILESDIR}/0002-moving-vxlan-module-check-to-sanity-checks-and-makin.patch"
"${FILESDIR}/0003-fixes-error-logging-to-use-the-right-exception-paren.patch"
+ "${FILESDIR}/cve-2015-3221_2014.2.3.ebuild"
)
pkg_setup() {
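Review bot: The entry added to `PATCHES` points at `cve-2015-3221_2014.2.3.ebuild`, which is a `git format-patch` file rather than an ebuild; naming it `cve-2015-3221_2014.2.3.patch`, like the 2015.1.0 one, would avoid confusion (the ChangeLog hunk even records `*cve-2015-3221_2014.2.3` as if it were a new version). Going by the patch's own description, this Juno backport only rejects new zero-prefix allowed address pairs and expects operators to run `tools/fix_zero_length_ip_prefix.py` for pairs that already exist. Nothing visible in this hunk tells users that, so an `elog` in `pkg_postinst` (not shown here) may be worth adding, e.g. `elog "Run tools/fix_zero_length_ip_prefix.py to convert existing /0 allowed address pairs"`.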
diff --git a/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild b/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild
index 0a7a4c2e2da8..18d1a9ee18e9 100644
--- a/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild
+++ b/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2015.1.0-r1.ebuild,v 1.1 2015/05/17 23:25:00 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2015.1.0-r2.ebuild,v 1.1 2015/07/02 05:43:05 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -129,6 +129,7 @@ RDEPEND="
dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
PATCHES=(
+ "${FILESDIR}/cve-2015-3221_2015.1.0.patch"
)
pkg_setup() {