net-misc/openvswitch: 2.7.0-r3 bup for CVE-2017-9214 bug 620200

Package-Manager: Portage-2.3.5, Repoman-2.3.2

2 files changed, 180 insertions, 0 deletions

diff --git a/net-misc/openvswitch/files/CVE-2017-9214.patch b/net-misc/openvswitch/files/CVE-2017-9214.patch
new file mode 100644
index 000000000000..33686df3acfa
--- /dev/null
+++ b/net-misc/openvswitch/files/CVE-2017-9214.patch
@@ -0,0 +1,27 @@
+Fix buffer overrread in ofputil_pull_queue_get_config_reply10()
+
+msg->size isn't the relevant measurement here because we're only supposed
+to read 'len' bytes.  Reading more than that causes 'len' to underflow to a
+large number at the end of the loop.
+
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp at ovn.org>
+---
+ lib/ofp-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c
+index bdf89b6c3017..f05ca398c13e 100644
+--- a/lib/ofp-util.c
++++ b/lib/ofp-util.c
+@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
+
+         hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
+         prop_len = ntohs(hdr->len);
+-        if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
++        if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
+             return OFPERR_OFPBRC_BAD_LEN;
+         }
+
+--
+2.10.2
diff --git a/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild b/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild
new file mode 100644
index 000000000000..a3809b7fa0ea
--- /dev/null
+++ b/net-misc/openvswitch/openvswitch-2.7.0-r3.ebuild
@@ -0,0 +1,153 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_4,3_5} )
+
+inherit autotools eutils linux-info linux-mod python-r1 systemd
+
+DESCRIPTION="Production quality, multilayer virtual switch"
+HOMEPAGE="http://openvswitch.org"
+SRC_URI="http://openvswitch.org/releases/${P}.tar.gz"
+
+LICENSE="Apache-2.0 GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="debug modules monitor +ssl"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="
+	|| (
+		>=sys-apps/openrc-0.10.5
+		sys-apps/systemd
+	)
+	ssl? ( dev-libs/openssl:0= )
+	${PYTHON_DEPS}
+	~dev-python/ovs-${PV}[${PYTHON_USEDEP}]
+	dev-python/twisted[conch,${PYTHON_USEDEP}]
+	dev-python/zope-interface[${PYTHON_USEDEP}]
+	debug? ( dev-lang/perl )"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig"
+
+PATCHES="${FILESDIR}/xcp-interface-reconfigure-2.3.2.patch ${FILESDIR}/doc-fix.patch"
+
+CONFIG_CHECK="~NET_CLS_ACT ~NET_CLS_U32 ~NET_SCH_INGRESS ~NET_ACT_POLICE ~IPV6 ~TUN"
+MODULE_NAMES="openvswitch(net:${S}/datapath/linux)"
+BUILD_TARGETS="all"
+
+pkg_setup() {
+	if use modules ; then
+		CONFIG_CHECK+=" ~!OPENVSWITCH"
+		kernel_is ge 3 10 0 || die "Linux >= 3.10.0 and <= 4.8 required for userspace modules"
+		kernel_is le 4 9 999 || die "Linux >= 3.10.0 and <= 4.8 required for userspace modules"
+		linux-mod_pkg_setup
+	else
+		CONFIG_CHECK+=" ~OPENVSWITCH"
+		linux-info_pkg_setup
+	fi
+}
+
+src_prepare() {
+	# Never build kernelmodules, doing this manually
+	epatch "${FILESDIR}/CVE-2017-9214.patch"
+	sed -i \
+		-e '/^SUBDIRS/d' \
+		datapath/Makefile.in || die "sed failed"
+	eautoreconf
+	default
+}
+
+src_configure() {
+	set_arch_to_kernel
+	# monitor is statically enabled for bug 596206
+	use monitor || export ovs_cv_python="no"
+	# pyside is staticly disabled
+	export ovs_cv_pyuic4="no"
+
+	local linux_config
+	use modules && linux_config="--with-linux=${KV_OUT_DIR}"
+
+	econf ${linux_config} \
+		--with-rundir=/var/run/openvswitch \
+		--with-logdir=/var/log/openvswitch \
+		--with-pkidir=/etc/ssl/openvswitch \
+		--with-dbdir=/var/lib/openvswitch \
+		$(use_enable ssl) \
+		$(use_enable !debug ndebug)
+}
+
+src_compile() {
+	default
+
+	use modules && linux-mod_src_compile
+}
+
+src_install() {
+	default
+
+	local SCRIPT
+	if use monitor; then
+		for SCRIPT in ovs-{pcap,parse-backtrace,dpctl-top,l3ping,tcpdump,tcpundump,test,vlan-test} bugtool/ovs-bugtool; do
+			sed -e '1s|^.*$|#!/usr/bin/python|' -i utilities/"${SCRIPT}"
+			python_foreach_impl python_doscript utilities/"${SCRIPT}"
+		done
+		rm -r "${ED%/}"/usr/share/openvswitch/python || die
+	fi
+
+	keepdir /var/{lib,log}/openvswitch
+	keepdir /etc/ssl/openvswitch
+	fperms 0750 /etc/ssl/openvswitch
+
+	rm -rf "${ED%/}"/var/run || die
+
+	newconfd "${FILESDIR}/ovsdb-server_conf2" ovsdb-server
+	newconfd "${FILESDIR}/ovs-vswitchd_conf" ovs-vswitchd
+	newinitd "${FILESDIR}/ovsdb-server-r1" ovsdb-server
+	newinitd "${FILESDIR}/ovs-vswitchd-r1" ovs-vswitchd
+
+	systemd_dounit "${FILESDIR}/ovsdb-server.service"
+	systemd_dounit "${FILESDIR}/ovs-vswitchd.service"
+	systemd_newtmpfilesd "${FILESDIR}/openvswitch.tmpfiles" openvswitch.conf
+
+	insinto /etc/logrotate.d
+	newins rhel/etc_logrotate.d_openvswitch openvswitch
+
+	use modules && linux-mod_src_install
+}
+
+pkg_postinst() {
+	use modules && linux-mod_pkg_postinst
+
+	local pv
+	for pv in ${REPLACING_VERSIONS}; do
+		if ! version_is_at_least 1.9.0 ${pv} ; then
+			ewarn "The configuration database for Open vSwitch got moved in version 1.9.0 from"
+			ewarn "    /etc/openvswitch"
+			ewarn "to"
+			ewarn "    /var/lib/openvswitch"
+			ewarn "Please copy/move the database manually before running the schema upgrade."
+			ewarn "The PKI files are now supposed to go to /etc/ssl/openvswitch"
+		fi
+	done
+
+	elog "Use the following command to create an initial database for ovsdb-server:"
+	elog "   emerge --config =${CATEGORY}/${PF}"
+	elog "(will create a database in /var/lib/openvswitch/conf.db)"
+	elog "or to convert the database to the current schema after upgrading."
+}
+
+pkg_config() {
+	local db="${EROOT%/}"/var/lib/openvswitch/conf.db
+	if [[ -e "${db}" ]] ; then
+		einfo "Database '${db}' already exists, doing schema migration..."
+		einfo "(if the migration fails, make sure that ovsdb-server is not running)"
+		ovsdb-tool convert "${db}" \
+			"${EROOT%/}"/usr/share/openvswitch/vswitch.ovsschema || die "converting database failed"
+	else
+		einfo "Creating new database '${db}'..."
+		ovsdb-tool create "${db}" \
+			"${EROOT%/}"/usr/share/openvswitch/vswitch.ovsschema || die "creating database failed"
+	fi
+}