author | Patrick McLean <chutzpah@gentoo.org> | 2016-06-30 16:52:50 -0700 |
---|---|---|
committer | Patrick McLean <chutzpah@gentoo.org> | 2016-06-30 16:52:50 -0700 |
commit | 4c6618086e16e704df31113b279e7ea4395bd41a (patch) | |
tree | 3b14386cbbbfe9368b97190828e269b95d2c7b3a /sys-cluster | |
parent | www-apps/icingaweb2-module-director: adding for bug 582568 (diff) | |
sys-cluster/ceph: Revision bump to 9.2.1-r2 and 10.2.2-r1 for CVE-2016-5009 (bug #587568)
Package-Manager: portage-2.3.0
Diffstat (limited to 'sys-cluster')
-rw-r--r-- | sys-cluster/ceph/ceph-10.2.2-r1.ebuild | 263 | ||||
-rw-r--r-- | sys-cluster/ceph/ceph-9.2.1-r2.ebuild | 193 | ||||
-rw-r--r-- | sys-cluster/ceph/files/ceph-CVE-2016-5009.patch | 87 |
3 files changed, 543 insertions, 0 deletions
diff --git a/sys-cluster/ceph/ceph-10.2.2-r1.ebuild b/sys-cluster/ceph/ceph-10.2.2-r1.ebuild
new file mode 100644
index 000000000000..276f4961f7ac
--- /dev/null
+++ b/sys-cluster/ceph/ceph-10.2.2-r1.ebuild
@@ -0,0 +1,263 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+PYTHON_COMPAT=( python{2_7,3_{4,5}} )
+
+inherit check-reqs autotools eutils python-r1 udev user \
+ readme.gentoo-r1 systemd versionator flag-o-matic
+
+if [[ ${PV} == *9999* ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="
+ git://github.com/ceph/ceph.git
+ https://github.com/ceph/ceph.git"
+ SRC_URI=""
+else
+ SRC_URI="http://ceph.com/download/${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+fi
+
+DESCRIPTION="Ceph distributed filesystem"
+HOMEPAGE="http://ceph.com/"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+
+IUSE="babeltrace cephfs cryptopp debug fuse gtk jemalloc ldap +libaio"
+IUSE+=" libatomic lttng +nss +radosgw static-libs tcmalloc test xfs zfs"
+
+# unbundling code commented out pending bugs 584056 and 584058
+#>=dev-libs/jerasure-2.0.0-r1
+#>=dev-libs/gf-complete-2.0.0
+COMMON_DEPEND="
+ app-arch/snappy
+ app-arch/lz4:=
+ app-arch/bzip2
+ dev-libs/boost:=[threads]
+ dev-libs/libaio
+ dev-libs/leveldb[snappy]
+ nss? ( dev-libs/nss )
+ libatomic? ( dev-libs/libatomic_ops )
+ cryptopp? ( dev-libs/crypto++ )
+ sys-apps/keyutils
+ sys-apps/util-linux
+ dev-libs/libxml2
+ radosgw? ( dev-libs/fcgi )
+ ldap? ( net-nds/openldap )
+ babeltrace? ( dev-util/babeltrace )
+ fuse? ( sys-fs/fuse )
+ xfs? ( sys-fs/xfsprogs )
+ zfs? ( sys-fs/zfs )
+ gtk? (
+ x11-libs/gtk+:2
+ dev-cpp/gtkmm:2.4
+ gnome-base/librsvg
+ )
+ radosgw? (
+ dev-libs/fcgi
+ dev-libs/expat
+ net-misc/curl
+ )
+ jemalloc? ( dev-libs/jemalloc )
+ !jemalloc? ( dev-util/google-perftools )
+ lttng? ( dev-util/lttng-ust )
+ ${PYTHON_DEPS}
+ "
+DEPEND="${COMMON_DEPEND}
+ dev-python/cython[${PYTHON_USEDEP}]
+ app-arch/cpio
+ sys-apps/lsb-release
+ virtual/pkgconfig
+ dev-python/sphinx
+ test? (
+ sys-fs/btrfs-progs
+ sys-apps/grep[pcre]
+ dev-python/tox[${PYTHON_USEDEP}]
+ dev-python/virtualenv[${PYTHON_USEDEP}]
+ )"
+RDEPEND="${COMMON_DEPEND}
+ sys-apps/hdparm
+ sys-block/parted
+ sys-fs/cryptsetup
+ sys-apps/gptfdisk
+ dev-python/flask[${PYTHON_USEDEP}]
+ dev-python/requests[${PYTHON_USEDEP}]
+ "
+REQUIRED_USE="
+ $(python_gen_useflags 'python2*')
+ ${PYTHON_REQUIRED_USE}
+ ^^ ( nss cryptopp )
+ ?? ( jemalloc tcmalloc )
+ "
+
+# work around bug in ceph compilation (rgw/ceph_dencoder-rgw_dencoder.o... undefined reference to `vtable for RGWZoneGroup')
+REQUIRED_USE+=" radosgw"
+
+RESTRICT="test? ( userpriv )"
+
+# distribution tarball does not include everything needed for tests
+RESTRICT+=" test"
+
+STRIP_MASK="/usr/lib*/rados-classes/*"
+
+UNBUNDLE_LIBS=(
+ src/erasure-code/jerasure/jerasure
+ src/erasure-code/jerasure/gf-complete
+)
+
+PATCHES=(
+ "${FILESDIR}/ceph-10.2.0-dont-use-virtualenvs.patch"
+ #"${FILESDIR}/ceph-10.2.1-unbundle-jerasure.patch"
+ "${FILESDIR}/${PN}-10.2.1-libzfs.patch"
+ "${FILESDIR}/${PN}-10.2.1-armv7l-doesnt-support-momit-leaf-frame-pointer.patch"
+ "${FILESDIR}/${PN}-CVE-2016-5009.patch"
+)
+
+check-reqs_export_vars() {
+ if use debug; then
+ CHECKREQS_DISK_BUILD="23G"
+ CHECKREQS_DISK_USR="7G"
+ elif use amd64; then
+ CHECKREQS_DISK_BUILD="12G"
+ CHECKREQS_DISK_USR="450M"
+ else
+ CHECKREQS_DISK_BUILD="1400M"
+ CHECKREQS_DISK_USR="450M"
+ fi
+
+ export CHECKREQS_DISK_BUILD CHECKREQS_DISK_USR
+}
+
+user_setup() {
+ enewgroup ceph
+ enewuser ceph -1 -1 /var/lib/ceph ceph
+}
+
+emake_python_bindings() {
+ local action="${1}" params binding
+ shift
+ params=("${@}")
+
+ __emake_python_bindings_do_impl() {
+ emake "${params[@]}" PYTHON="${EPYTHON}" "${binding}-pybind-${action}"
+
+ # these don't work and aren't needed on python3
+ if [[ ${EBUILD_PHASE} == install ]] && python_is_python3; then
+ rm -f "${ED}/$(python_get_sitedir)"/ceph_{argparse,volume_client}.py
+ fi
+ }
+
+ pushd "${S}/src"
+ for binding in rados rbd $(use cephfs && echo cephfs); do
+ python_foreach_impl __emake_python_bindings_do_impl
+ done
+ popd
+
+ unset __emake_python_bindings_do_impl
+}
+
+pkg_pretend() {
+ check-reqs_export_vars
+ check-reqs_pkg_pretend
+}
+
+pkg_setup() {
+ python_setup
+ check-reqs_export_vars
+ check-reqs_pkg_setup
+ user_setup
+}
+
+src_prepare() {
+ default
+
+ # remove tests that need root access
+ rm src/test/cli/ceph-authtool/cap*.t
+
+ #rm -rf "${UNBUNDLE_LIBS[@]}"
+
+ append-flags -fPIC
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --without-hadoop
+ --includedir=/usr/include
+ $(use_with cephfs)
+ $(use_with debug)
+ $(use_with fuse)
+ $(use_with libaio)
+ $(use_with libatomic libatomic-ops)
+ $(use_with nss)
+ $(use_with cryptopp)
+ $(use_with radosgw)
+ $(use_with gtk gtk2)
+ $(use_enable static-libs static)
+ $(use_with jemalloc)
+ $(use_with xfs libxfs)
+ $(use_with zfs libzfs)
+ $(use_with lttng )
+ $(use_with babeltrace)
+ $(use_with ldap openldap)
+ $(use jemalloc || usex tcmalloc " --with-tcmalloc" " --with-tcmalloc-minimal")
+ --with-mon
+ --with-eventfd
+ --with-cython
+ --without-kinetic
+ --without-librocksdb
+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+ )
+
+ # we can only use python2.7 for building at the moment
+ python_export python2.7 PYTHON EPYTHON
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake
+ emake_python_bindings all
+
+ use test && emake check-local
+}
+
+src_test() {
+ make check || die "make check failed"
+}
+
+src_install() {
+ default
+ emake_python_bindings install-exec "DESTDIR=\"${D}\""
+
+ prune_libtool_files --all
+
+ exeinto /usr/$(get_libdir)/ceph
+ newexe src/init-ceph ceph_init.sh
+
+ insinto /etc/logrotate.d/
+ newins "${FILESDIR}"/ceph.logrotate ${PN}
+
+ keepdir /var/lib/${PN}{,/tmp} /var/log/${PN}/stat
+
+ fowners ceph:ceph /var/lib/ceph
+
+ newinitd "${FILESDIR}/rbdmap.initd" rbdmap
+ newinitd "${FILESDIR}/${PN}.initd-r2" ${PN}
+ newconfd "${FILESDIR}/${PN}.confd-r1" ${PN}
+
+ systemd_install_serviced "${FILESDIR}/ceph-mds_at.service.conf" "ceph-mds@.service"
+ systemd_install_serviced "${FILESDIR}/ceph-osd_at.service.conf" "ceph-osd@.service"
+ systemd_install_serviced "${FILESDIR}/ceph-mon_at.service.conf" "ceph-mon@.service"
+
+ python_fix_shebang "${ED}"/usr/{,s}bin/
+
+ udev_dorules udev/*.rules
+
+ readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ readme.gentoo_print_elog
+}
diff --git a/sys-cluster/ceph/ceph-9.2.1-r2.ebuild b/sys-cluster/ceph/ceph-9.2.1-r2.ebuild
new file mode 100644
index 000000000000..494094e8e251
--- /dev/null
+++ b/sys-cluster/ceph/ceph-9.2.1-r2.ebuild
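Review bot: In ceph-10.2.2-r1.ebuild the live-ebuild branch lists `git://github.com/ceph/ceph.git` ahead of the https URL in `EGIT_REPO_URI`, and git-r3 treats later entries as fallbacks, so the unauthenticated, unencrypted transport would be tried first whenever this file is used as a 9999 ebuild, where no Manifest checksum covers the fetch. I would keep only `https://github.com/ceph/ceph.git` in that list. The release branch fetches `http://ceph.com/download/${P}.tar.gz` over plain HTTP, so the integrity of the tarball rests entirely on the Manifest entry, which is not part of this diff. The ceph-9.2.1-r2.ebuild hunk carries the same `EGIT_REPO_URI` and `SRC_URI` lines.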
@@ -0,0 +1,193 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+if [[ $PV = *9999* ]]; then
+ scm_eclass=git-r3
+ EGIT_REPO_URI="
+ git://github.com/ceph/ceph.git
+ https://github.com/ceph/ceph.git"
+ SRC_URI=""
+else
+ SRC_URI="http://ceph.com/download/${P}.tar.gz"
+fi
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+
+inherit check-reqs autotools eutils multilib python-single-r1 udev user readme.gentoo systemd versionator ${scm_eclass}
+
+DESCRIPTION="Ceph distributed filesystem"
+HOMEPAGE="http://ceph.com/"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="babeltrace cryptopp debug fuse gtk libatomic +libaio lttng +nss radosgw static-libs jemalloc tcmalloc xfs zfs"
+
+COMMON_DEPEND="
+ app-arch/snappy
+ dev-libs/boost:=[threads]
+ dev-libs/fcgi
+ dev-libs/libaio
+ dev-libs/libedit
+ dev-libs/leveldb[snappy]
+ nss? ( dev-libs/nss )
+ cryptopp? ( dev-libs/crypto++ )
+ sys-apps/keyutils
+ sys-apps/util-linux
+ dev-libs/libxml2
+ babeltrace? ( dev-util/babeltrace )
+ fuse? ( sys-fs/fuse )
+ libatomic? ( dev-libs/libatomic_ops )
+ xfs? ( sys-fs/xfsprogs )
+ zfs? ( sys-fs/zfs )
+ gtk? (
+ x11-libs/gtk+:2
+ dev-cpp/gtkmm:2.4
+ gnome-base/librsvg
+ )
+ radosgw? (
+ dev-libs/fcgi
+ dev-libs/expat
+ net-misc/curl
+ )
+ jemalloc? ( dev-libs/jemalloc )
+ !jemalloc? ( dev-util/google-perftools )
+ lttng? ( dev-util/lttng-ust )
+ ${PYTHON_DEPS}
+ "
+DEPEND="${COMMON_DEPEND}
+ virtual/pkgconfig"
+RDEPEND="${COMMON_DEPEND}
+ sys-apps/hdparm
+ dev-python/flask[${PYTHON_USEDEP}]
+ dev-python/requests[${PYTHON_USEDEP}]
+ "
+REQUIRED_USE="
+ ${PYTHON_REQUIRED_USE}
+ ^^ ( nss cryptopp )
+ ?? ( jemalloc tcmalloc )
+ "
+
+STRIP_MASK="/usr/lib*/rados-classes/*"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.79-libzfs.patch
+ "${FILESDIR}"/${P}-libxfs.patch
+)
+
+check-reqs_export_vars() {
+ # check-reqs does not support use flags, and there is a lot of variability
+ # in Ceph.
+ # 16G /var/tmp/portage/sys-cluster/ceph-9999-r1/work/ceph-9999
+ # 6.7G /var/tmp/portage/sys-cluster/ceph-9999-r1/image/usr
+ # 23G /var/tmp/portage/sys-cluster/ceph-9999-r1
+ # Size requirements tested for Hammer & Jewel releases
+ if use debug; then
+ export CHECKREQS_DISK_BUILD="23G"
+ export CHECKREQS_DISK_USR="7G"
+ else
+ export CHECKREQS_DISK_BUILD="9G"
+ export CHECKREQS_DISK_USR="450M"
+ fi
+
+ export CHECKREQS_MEMORY="7G"
+}
+
+user_setup() {
+ enewgroup ceph
+ enewuser ceph -1 -1 /var/lib/ceph ceph
+}
+
+pkg_setup() {
+ python_setup
+ check-reqs_export_vars
+ check-reqs_pkg_setup
+ user_setup
+}
+
+src_prepare() {
+ [[ ${PATCHES[@]} ]] && epatch "${PATCHES[@]}"
+
+ epatch_user
+ eautoreconf
+}
+
+pkg_pretend() {
+ check-reqs_export_vars
+ check-reqs_pkg_pretend
+}
+
+src_configure() {
+ local myeconfargs=(
+ --without-hadoop
+ --docdir="${EPREFIX}/usr/share/doc/${PF}"
+ --includedir=/usr/include
+ $(use_with debug)
+ $(use_with fuse)
+ $(use_with libaio)
+ $(use_with libatomic libatomic-ops)
+ $(use_with nss)
+ $(use_with cryptopp)
+ $(use_with radosgw)
+ $(use_with gtk gtk2)
+ $(use_enable static-libs static)
+ $(use_with jemalloc)
+ $(use_with xfs libxfs)
+ $(use_with zfs libzfs)
+ $(use_with lttng )
+ $(use_with babeltrace)
+ --without-kinetic
+ --without-librocksdb
+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+ )
+
+ use jemalloc || \
+ myeconfargs+=( $(usex tcmalloc " --with-tcmalloc" " --with-tcmalloc-minimal") )
+
+ PYTHON="${EPYTHON}" \
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ prune_libtool_files --all
+
+ exeinto /usr/$(get_libdir)/ceph
+ newexe src/init-ceph ceph_init.sh
+
+ insinto /etc/logrotate.d/
+ newins "${FILESDIR}"/ceph.logrotate ${PN}
+
+ chmod 644 "${ED}"/usr/share/doc/${PF}/sample.*
+
+ keepdir /var/lib/${PN}
+ keepdir /var/lib/${PN}/tmp
+ keepdir /var/log/${PN}/stat
+
+ fowners ceph:ceph /var/lib/ceph
+
+ newinitd "${FILESDIR}/rbdmap.initd" rbdmap
+ newinitd "${FILESDIR}/${PN}.initd-r2" ${PN}
+ newconfd "${FILESDIR}/${PN}.confd-r1" ${PN}
+
+ systemd_install_serviced "${FILESDIR}/ceph-mds_at.service.conf" "ceph-mds@.service"
+ systemd_install_serviced "${FILESDIR}/ceph-osd_at.service.conf" "ceph-osd@.service"
+ systemd_install_serviced "${FILESDIR}/ceph-mon_at.service.conf" "ceph-mon@.service"
+
+ python_fix_shebang \
+ "${ED}"/usr/sbin/{ceph-disk,ceph-create-keys} \
+ "${ED}"/usr/bin/{ceph,ceph-rest-api,ceph-detect-init,ceph-brag}
+
+ #install udev rules
+ udev_dorules udev/50-rbd.rules
+ udev_dorules udev/95-ceph-osd.rules
+
+ readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ readme.gentoo_print_elog
+}
diff --git a/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch b/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch
new file mode 100644
index 000000000000..1528dadbe9d1
--- /dev/null
+++ b/sys-cluster/ceph/files/ceph-CVE-2016-5009.patch
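Review bot: ceph-9.2.1-r2.ebuild never applies the CVE fix: its `PATCHES` array lists only `"${FILESDIR}"/${PN}-0.79-libzfs.patch` and `"${FILESDIR}"/${P}-libxfs.patch`, and `src_prepare` applies nothing beyond that array and `epatch_user`. As shown, this revision would still build without the added prefix checks in `Monitor::handle_command`, although the commit title says the bump is for CVE-2016-5009. Add `"${FILESDIR}"/${PN}-CVE-2016-5009.patch` to `PATCHES`, as the 10.2.2-r1 ebuild does. Whether the patch applies cleanly to the 9.2.1 sources cannot be told from this page and should be checked before the revision is relied on.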
@@ -0,0 +1,87 @@
+diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
+index 10c8bfc..98843d7 100644
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -2631,7 +2631,19 @@ void Monitor::handle_command(MonOpRequestRef op)
+ return;
+ }
+
+- cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++ // check return value. If no prefix parameter provided,
++ // return value will be false, then return error info.
++ if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++ reply_command(op, -EINVAL, "command prefix not found", 0);
++ return;
++ }
++
++ // check prefix is empty
++ if (prefix.empty()) {
++ reply_command(op, -EINVAL, "command prefix must not be empty", 0);
++ return;
++ }
++
+ if (prefix == "get_command_descriptions") {
+ bufferlist rdata;
+ Formatter *f = Formatter::create("json");
+@@ -2652,6 +2664,15 @@ void Monitor::handle_command(MonOpRequestRef op)
+ boost::scoped_ptr<Formatter> f(Formatter::create(format));
+
+ get_str_vec(prefix, fullcmd);
++
++ // make sure fullcmd is not empty.
++ // invalid prefix will cause empty vector fullcmd.
++ // such as, prefix=";,,;"
++ if (fullcmd.empty()) {
++ reply_command(op, -EINVAL, "command requires a prefix to be valid", 0);
++ return;
++ }
++
+ module = fullcmd[0];
+
+ // validate command is in leader map
+diff --git a/src/test/librados/cmd.cc b/src/test/librados/cmd.cc
+index 9261fb5..878a8af 100644
+--- a/src/test/librados/cmd.cc
++++ b/src/test/librados/cmd.cc
+@@ -48,6 +48,41 @@ TEST(LibRadosCmd, MonDescribe) {
+ rados_buffer_free(buf);
+ rados_buffer_free(st);
+
++ cmd[0] = (char *)"";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 2, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"abc\":\"something\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\"\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\" \"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\";;;,,,;;,,\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\"extra command\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
+ cmd[0] = (char *)"{\"prefix\":\"mon_status\"}";
+ ASSERT_EQ(0, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
+ ASSERT_LT(0u, buflen); |
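Review bot: files/ceph-CVE-2016-5009.patch begins directly at `diff --git a/src/mon/Monitor.cc` with no header, so the file itself does not record which upstream change it was taken from or which bug it addresses. A short header before the first `diff --git` line, for example `Fix for CVE-2016-5009 (Gentoo bug #587568)` followed by `Upstream commit: <upstream-commit-id>`, would let a later maintainer check the backport against upstream and drop it once a fixed release is packaged. The second half of the patch only adds cases to src/test/librados/cmd.cc, which the 10.2.2-r1 ebuild does not run because of `RESTRICT+=" test"`, so the `-EINVAL` replies for missing, empty or delimiter-only prefixes are not checked at build time.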