Your message dated Wed, 12 Nov 2014 18:57:53 +0000
with message-id <20141112185753.GY21455@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#769183: unblock: nova/2014.1.3-6
has caused the Debian Bug report #769183,
regarding unblock: nova/2014.1.3-6
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
769183: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769183
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: nova/2014.1.3-6
- From: Thomas Goirand <zigo@debian.org>
- Date: Wed, 12 Nov 2014 06:49:50 +0800
- Message-id: <20141111224950.22947.57831.reportbug@buzig.gplhost.com>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

My last upload of nova fixes:
- CVE-2014-3708: Nova network DoS through API filtering (upstream patch).
- VM live migration over an NFS-based volume (fix from Mehdi, who is a DM and is a very active upstream contributor too).

Note also that this last upload fixes the last unit test failures at package build time (these appeared after the CEPH patches were rebased against the last point release). It is quite nice and comforting to see these problems are now gone with this last upload.

Debdiff attached. Please unblock nova/2014.1.3-6.

Cheers,

Thomas Goirand (zigo)

diff -Nru nova-2014.1.3/debian/changelog nova-2014.1.3/debian/changelog --- nova-2014.1.3/debian/changelog 2014-10-17 14:07:02.000000000 +0000 +++ nova-2014.1.3/debian/changelog 2014-11-11 20:52:52.000000000 +0000 @@ -1,3 +1,14 @@ +nova (2014.1.3-6) unstable; urgency=high + + [ Mehdi Abaakouk ] + * Fix a issue into fix-live-migraton-nfs.patch. + + [ Thomas Goirand ] + * CVE-2014-3708: Nova network DoS through API filtering. Applied upstream + patch: Fixes_DOS_issue_in_instance_list_ip_filter (Closes: #769163). + + -- Thomas Goirand <zigo@debian.org> Wed, 12 Nov 2014 04:42:15 +0800 + nova (2014.1.3-5) unstable; urgency=high * CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log files. diff -Nru nova-2014.1.3/debian/patches/CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch nova-2014.1.3/debian/patches/CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch --- nova-2014.1.3/debian/patches/CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch 1970-01-01 00:00:00.000000000 +0000 +++ nova-2014.1.3/debian/patches/CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch 2014-11-11 20:52:52.000000000 +0000
@@ -0,0 +1,184 @@ +Description: Fixes DOS issue in instance list ip filter + Converts the ip filtering to filter the list locally based on the network info + cache instead of making an extremely expensive call over to nova network where + it attempts to retrieve a list of every instance in the system. +Author: Vishvananda Ishaya <vishvananda@gmail.com> +Origin: upstream, https://review.openstack.org/#/c/131461/ +Date: Tue, 23 Sep 2014 06:31:07 +0000 (-0700) +X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=b6a080bbdaf1a5d8534e8e0519e150f55c46d18c +Change-Id: I455f6ab4acdecacc5152b11a183027f933dc4475 +Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1358583 +Bug-Debian: https://bugs.debian.org/769163 +Last-Update: 2014-11-12 + +Index: nova/nova/compute/api.py +=================================================================== +--- nova.orig/nova/compute/api.py 2014-10-29 19:54:53.000000000 +0800 ++++ nova/nova/compute/api.py 2014-11-12 04:42:04.000000000 +0800 +@@ -1885,6 +1885,9 @@ + sort_key, sort_dir, limit=limit, marker=marker, + expected_attrs=expected_attrs) + ++ if 'ip6' in filters or 'ip' in filters: ++ inst_models = self._ip_filter(inst_models, filters) ++ + if want_objects: + return inst_models + +@@ -1895,18 +1898,29 @@ + + return instances + ++ @staticmethod ++ def _ip_filter(inst_models, filters): ++ ipv4_f = re.compile(str(filters.get('ip'))) ++ ipv6_f = re.compile(str(filters.get('ip6'))) ++ result_objs = [] ++ for instance in inst_models: ++ nw_info = compute_utils.get_nw_info_for_instance(instance) ++ for vif in nw_info: ++ for fixed_ip in vif.fixed_ips(): ++ address = fixed_ip.get('address') ++ if not address: ++ continue ++ version = fixed_ip.get('version') ++ if ((version == 4 and ipv4_f.match(address)) or ++ (version == 6 and ipv6_f.match(address))): ++ result_objs.append(instance) ++ continue ++ return instance_obj.InstanceList(objects=result_objs) ++ + def _get_instances_by_filters(self, context, 
filters, + sort_key, sort_dir, + limit=None, + marker=None, expected_attrs=None): +- if 'ip6' in filters or 'ip' in filters: +- res = self.network_api.get_instance_uuids_by_ip_filter(context, +- filters) +- # NOTE(jkoelker) It is possible that we will get the same +- # instance uuid twice (one for ipv4 and ipv6) +- uuids = set([r['instance_uuid'] for r in res]) +- filters['uuid'] = uuids +- + fields = ['metadata', 'system_metadata', 'info_cache', + 'security_groups'] + if expected_attrs: +Index: nova/nova/tests/compute/test_compute.py +=================================================================== +--- nova.orig/nova/tests/compute/test_compute.py 2014-11-12 04:41:35.000000000 +0800 ++++ nova/nova/tests/compute/test_compute.py 2014-11-12 04:42:04.000000000 +0800 +@@ -58,6 +58,7 @@ + from nova.objects import block_device as block_device_obj + from nova.objects import instance as instance_obj + from nova.objects import instance_group as instance_group_obj ++from nova.objects import instance_info_cache as cache_obj + from nova.objects import migration as migration_obj + from nova.objects import quotas as quotas_obj + from nova.openstack.common.gettextutils import _ +@@ -81,7 +82,6 @@ + from nova.tests import matchers + from nova.tests.objects import test_flavor + from nova.tests.objects import test_migration +-from nova.tests.objects import test_network + from nova import utils + from nova.virt import block_device as driver_block_device + from nova.virt import event +@@ -6722,6 +6722,35 @@ + self.assertIsNone(instance['task_state']) + return instance, instance_uuid + ++ def test_ip_filtering(self): ++ info = [{ ++ 'address': 'aa:bb:cc:dd:ee:ff', ++ 'id': 1, ++ 'network': { ++ 'bridge': 'br0', ++ 'id': 1, ++ 'label': 'private', ++ 'subnets': [{ ++ 'cidr': '192.168.0.0/24', ++ 'ips': [{ ++ 'address': '192.168.0.10', ++ 'type': 'fixed', ++ }] ++ }] ++ } ++ }] ++ ++ info1 = cache_obj.InstanceInfoCache(network_info=jsonutils.dumps(info)) ++ inst1 = 
instance_obj.Instance(id=1, info_cache=info1) ++ info[0]['network']['subnets'][0]['ips'][0]['address'] = '192.168.0.20' ++ info2 = cache_obj.InstanceInfoCache(network_info=jsonutils.dumps(info)) ++ inst2 = instance_obj.Instance(id=2, info_cache=info2) ++ instances = instance_obj.InstanceList(objects=[inst1, inst2]) ++ ++ instances = self.compute_api._ip_filter(instances, {'ip': '.*10'}) ++ self.assertEqual(len(instances), 1) ++ self.assertEqual(instances[0].id, 1) ++ + def test_create_with_too_little_ram(self): + # Test an instance type with too little memory. + +@@ -7526,33 +7555,47 @@ + db.instance_destroy(c, instance2['uuid']) + db.instance_destroy(c, instance3['uuid']) + +- @mock.patch('nova.db.network_get') +- @mock.patch('nova.db.fixed_ips_by_virtual_interface') +- def test_get_all_by_multiple_options_at_once(self, fixed_get, network_get): ++ def test_get_all_by_multiple_options_at_once(self): + # Test searching by multiple options at once. + c = context.get_admin_context() +- network_manager = fake_network.FakeNetworkManager(self.stubs) +- fixed_get.side_effect = ( +- network_manager.db.fixed_ips_by_virtual_interface) +- network_get.return_value = ( +- dict(test_network.fake_network, +- **network_manager.db.network_get(None, 1))) +- self.stubs.Set(self.compute_api.network_api, +- 'get_instance_uuids_by_ip_filter', +- network_manager.get_instance_uuids_by_ip_filter) ++ ++ def fake_network_info(ip): ++ info = [{ ++ 'address': 'aa:bb:cc:dd:ee:ff', ++ 'id': 1, ++ 'network': { ++ 'bridge': 'br0', ++ 'id': 1, ++ 'label': 'private', ++ 'subnets': [{ ++ 'cidr': '192.168.0.0/24', ++ 'ips': [{ ++ 'address': ip, ++ 'type': 'fixed', ++ }] ++ }] ++ } ++ }] ++ return jsonutils.dumps(info) + + instance1 = self._create_fake_instance({ + 'display_name': 'woot', + 'id': 1, +- 'uuid': '00000000-0000-0000-0000-000000000010'}) ++ 'uuid': '00000000-0000-0000-0000-000000000010', ++ 'info_cache': {'network_info': ++ fake_network_info('192.168.0.1')}}) + instance2 = 
self._create_fake_instance({ + 'display_name': 'woo', + 'id': 20, +- 'uuid': '00000000-0000-0000-0000-000000000020'}) ++ 'uuid': '00000000-0000-0000-0000-000000000020', ++ 'info_cache': {'network_info': ++ fake_network_info('192.168.0.2')}}) + instance3 = self._create_fake_instance({ + 'display_name': 'not-woot', + 'id': 30, +- 'uuid': '00000000-0000-0000-0000-000000000030'}) ++ 'uuid': '00000000-0000-0000-0000-000000000030', ++ 'info_cache': {'network_info': ++ fake_network_info('192.168.0.3')}}) + + # ip ends up matching 2nd octet here.. so all 3 match ip + # but 'name' only matches one diff -Nru nova-2014.1.3/debian/patches/fix-live-migraton-nfs.patch nova-2014.1.3/debian/patches/fix-live-migraton-nfs.patch --- nova-2014.1.3/debian/patches/fix-live-migraton-nfs.patch 2014-10-17 14:07:02.000000000 +0000 +++ nova-2014.1.3/debian/patches/fix-live-migraton-nfs.patch 2014-11-11 20:52:52.000000000 +0000 @@ -26,7 +26,7 @@ is_volume_backed = self.compute_api.is_volume_backed_instance(ctxt, instance) dest_check_data['is_volume_backed'] = is_volume_backed -+ block_device_info = self._get_instance_volume_block_device_info( ++ block_device_info = self._get_instance_block_device_info( + ctxt, instance, refresh_conn_info=True) return self.driver.check_can_live_migrate_source(ctxt, instance, - dest_check_data) 
@@ -44,14 +44,14 @@ self.mox.StubOutWithMock(self.compute.compute_api, 'is_volume_backed_instance') + self.mox.StubOutWithMock(self.compute, -+ '_get_instance_volume_block_device_info') ++ '_get_instance_block_device_info') self.mox.StubOutWithMock(self.compute.driver, 'check_can_live_migrate_source') instance_p = obj_base.obj_to_primitive(instance) self.compute.compute_api.is_volume_backed_instance( self.context, instance).AndReturn(is_volume_backed) -+ self.compute._get_instance_volume_block_device_info( ++ self.compute._get_instance_block_device_info( + self.context, instance, refresh_conn_info=True + ).AndReturn('fake-block-device-info') self.compute.driver.check_can_live_migrate_source( diff -Nru nova-2014.1.3/debian/patches/series nova-2014.1.3/debian/patches/series --- nova-2014.1.3/debian/patches/series 2014-10-17 14:07:02.000000000 +0000 +++ nova-2014.1.3/debian/patches/series 2014-11-11 20:52:52.000000000 +0000 @@ -21,3 +21,4 @@ fix-live-migraton-nfs.patch 9990_update_german_programm_messages.patch CVE-2014-7230_CVE-2014-7231_Sync_process_utils_from_oslo.patch +CVE-2014-3708_Fixes_DOS_issue_in_instance_list_ip_filter.patch
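Review bot: the changelog line under [ Mehdi Abaakouk ], "Fix a issue into fix-live-migraton-nfs.patch", does not say what was wrong, and the release team reviewing an unblock needs that; the debdiff shows the patch now calls `_get_instance_block_device_info` instead of `_get_instance_volume_block_device_info` in both the compute code and the mox stub, so suggest "Fix wrong method name (_get_instance_block_device_info) in fix-live-migraton-nfs.patch" and correct the article ("an issue").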
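Review bot: in the first compute/api.py hunk, `self._ip_filter(inst_models, filters)` runs after `_get_instances_by_filters` has already applied `limit` and `marker` (see the context lines `sort_key, sort_dir, limit=limit, marker=marker`), so an IP-filtered listing can now come back with fewer than `limit` entries, or empty, while later pages still hold matches; the removed network_api path narrowed `filters['uuid']` before the query, so this is a behaviour change for paginated callers and should be either documented in the patch header or handled by filtering before the page is cut.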
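Review bot: in the new `_ip_filter` the `continue` after `result_objs.append(instance)` only advances the innermost `fixed_ips()` loop, so an instance with two matching addresses (two fixed IPs, or an `ip` and an `ip6` pattern both matching) is appended twice; move the match into a small predicate that returns on the first hit, or `break` out of both loops once the instance is added. Two smaller points: `re.compile(str(filters.get('ip')))` turns an absent key into the literal pattern 'None', which only works by accident, so compile just the filters that are present; and the patterns come straight from the API caller, so a malformed one raises `re.error` out of `get_all` and surfaces as a server error rather than a rejected filter, which a `try`/`except re.error` around the compile would fix.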
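Review bot: `test_ip_filtering` only covers an IPv4 pattern with a single fixed IP per instance; since `_ip_filter` appends inside the inner loop, add a case where one instance carries two addresses that both match and assert it appears exactly once, plus an `ip6` filter and an instance whose info_cache has no addresses, so the de-duplication and the missing-data paths are exercised. A one-line comment that `'.*10'` is a regex matched with `.match` (prefix-anchored, not an exact address) would also make the test's intent clearer to the next reader.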
--- End Message ---
--- Begin Message ---
- To: Thomas Goirand <zigo@debian.org>, 769183-done@bugs.debian.org
- Subject: Re: Bug#769183: unblock: nova/2014.1.3-6
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Wed, 12 Nov 2014 18:57:53 +0000
- Message-id: <20141112185753.GY21455@lupin.home.powdarrmonkey.net>
- In-reply-to: <20141111224950.22947.57831.reportbug@buzig.gplhost.com>
- References: <20141111224950.22947.57831.reportbug@buzig.gplhost.com>
On Wed, Nov 12, 2014 at 06:49:50AM +0800, Thomas Goirand wrote:
> My last upload of nova fixes:
> - CVE-2014-3708: Nova network DoS through API filtering (upstream patch).
> - VM live migration over an NFS-based volume (fix from Mehdi, who is a DM and
> is a very active upstream contributor too).
>
> Note also that this last upload fixes the last unit test failures at package
> build time (these appeared after the CEPH patches were rebased against the
> last point release). It is quite nice and comforting to see these problems
> are now gone with this last upload.

Unblocked, with a required age of 5 since the fixes are a little large for my comfort.

--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

Attachment: signature.asc
Description: Digital signature
--- End Message ---