From fb9f82446d95a2ce3b14b1106d3fc47870bae50a692ec8441fa67d77b9cc2b14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 9 Aug 2024 18:36:41 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main libnbd revision b51af95e7a5b33021ebf2926287d929a
---
4451e5b6-CVE-2023-5871.patch | 82 -------------------------------------------
_service | 8 +--
_servicedata | 2 +-
libnbd-1.18.1.tar.bz2 | 3 --
libnbd-1.18.5.tar.bz2 | 3 ++
libnbd.changes | 94 ++++++++++++++++++++++++++++++++++++
libnbd.spec | 3 +-
7 files changed, 103 insertions(+), 92 deletions(-)
delete mode 100644 4451e5b6-CVE-2023-5871.patch
delete mode 100644 libnbd-1.18.1.tar.bz2
create mode 100644 libnbd-1.18.5.tar.bz2
diff --git a/4451e5b6-CVE-2023-5871.patch b/4451e5b6-CVE-2023-5871.patch
deleted file mode 100644
index 982939e..0000000
--- a/4451e5b6-CVE-2023-5871.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-commit 4451e5b61ca07771ceef3e012223779e7a0c7701
-Author: Eric Blake
-Date: Mon Oct 30 12:50:53 2023 -0500
-
- generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
-
- Another round of fuzz testing revealed that when a server negotiates
- extended headers and replies with a 64-bit flag value where the client
- used the 32-bit API command, we were correctly flagging the server's
- response as being an EOVERFLOW condition, but then immediately failing
- in an assertion failure instead of reporting it to the application.
-
- The following one-byte change to qemu.git at commit fd9a38fd43 allows
- the creation of an intentionally malicious server:
-
- | diff --git i/nbd/server.c w/nbd/server.c
- | index 859c163d19f..32e1e771a95 100644
- | --- i/nbd/server.c
- | +++ w/nbd/server.c
- | @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
- |
- | for (i = 0; i < ea->count; i++) {
- | ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
- | - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
- | + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
- | }
- | }
-
- and can then be detected with the following command line:
-
- $ nbdsh -c - <<\EOF
- > def f(a,b,c,d):
- > pass
- >
- > h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
- > "-r", "-f", "raw", "TODO"])
- > h.block_staus(h.get_size(), 0, f)
- > EOF
- nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
- Aborted (core dumped)
-
- whereas a fixed libnbd will give:
-
- nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
-
- We can either relax the assertion (by changing to 'assert ((len |
- flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
- to make the existing assertion reliable. This patch goes with the
- latter approach.
-
- Sadly, this crash is possible in all existing 1.18.x stable releases,
- if they were built with assertions enabled (most distros do this by
- default), meaning a malicious server has an easy way to cause a Denial
- of Service attack by triggering the assertion failure in vulnerable
- clients, so we have assigned this CVE-2023-5871. Mitigating factors:
- the crash only happens for a server that sends a 64-bit status block
- reply (no known production servers do so; qemu 8.2 will be the first
- known server to support extended headers, but it is not yet released);
- and as usual, a client can use TLS to guarantee it is connecting only
- to a known-safe server. If libnbd is compiled without assertions,
- there is no crash or other mistaken behavior; and when assertions are
- enabled, the attacker cannot accomplish anything more than a denial of
- service.
-
- Reported-by: Richard W.M. Jones
- Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
- Signed-off-by: Eric Blake
- (cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
- Signed-off-by: Eric Blake
-
-Index: libnbd-1.18.1/generator/states-reply-chunk.c
-===================================================================
---- libnbd-1.18.1.orig/generator/states-reply-chunk.c
-+++ libnbd-1.18.1/generator/states-reply-chunk.c
-@@ -600,6 +600,7 @@ STATE_MACHINE {
- break; /* Skip this and later extents; we already made progress */
- /* Expose this extent as an error; we made no progress */
- cmd->error = cmd->error ? : EOVERFLOW;
-+ flags = (uint32_t)flags;
- }
- }
-
diff --git a/_service b/_service
index 33b7879..43fee65 100644
--- a/_service
+++ b/_service
@@ -1,7 +1,7 @@
- + libnbd - v1.18.1 + v1.18.5 git disable https://gitlab.com/nbdkit/libnbd.git
@@ -10,9 +10,9 @@
\1 enable - + *.tar bz2 - +
diff --git a/_servicedata b/_servicedata
index 6ec303e..e04615d 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
https://gitlab.com/nbdkit/libnbd.git
- ebadf0df2122edb99361c66f78ac1f90f1500f96
\ No newline at end of file
+ dcd1fc77f129cde770b8bf0a18ce23f72ed5c903
\ No newline at end of file
diff --git a/libnbd-1.18.1.tar.bz2 b/libnbd-1.18.1.tar.bz2
deleted file mode 100644
index 5cc61b8..0000000
--- a/libnbd-1.18.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9e2526fdb4ab4b18b877b539fdd560a56fc2b46acea5b8077270ea78abb91dc6
-size 438122
diff --git a/libnbd-1.18.5.tar.bz2 b/libnbd-1.18.5.tar.bz2
new file mode 100644
index 0000000..a2c97a3
--- /dev/null
+++ b/libnbd-1.18.5.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5a4e9fc877378471c02d129a02d5833224f9191c80c5f2cf4f8df1d2ef5c81e
+size 443228
diff --git a/libnbd.changes b/libnbd.changes
index 71f0b50..e9f57f3 100644
--- a/libnbd.changes
+++ b/libnbd.changes
@@ -1,3 +1,97 @@
+-------------------------------------------------------------------
+Mon Aug 05 17:02:18 UTC 2024 - jfehlig@suse.com
+
+- Update to version 1.18.5:
+ * CVE-2024-7383 (bsc#1228872)
+ * Drop upstream patch 4451e5b6-CVE-2023-5871.patch
+ * Version 1.18.5.
+ * docs: security: Add link to TLS server certificate checking announcement
+ * lib/uri.c: Allow tls-verify-peer to be overridden in URIs
+ * interop: Test interop with a bad system CA
+ * interop: Add -DEXPECT_FAIL=1 where we expect the test to fail
+ * interop: Pass -DCERTS and -DPSK as strings
+ * lib/crypto.c: Allow CA verification even if h->hostname is not set
+ * lib/crypto.c: Check server certificate even when using system CA
+ * build: Move to minimum gnutls >= 3.5.18
+ * nbdfuse: Can't use ?tls-certificates or ?tls-psk-file
+ * ci: Fix MacOS builds
+ * tests: Fix CI on Fedora 40
+ * Include in code which uses standard C int types
+ * common/include, ublk: Include in code which uses PRI* or SCN*
+ * Include in code which uses bool/true/false
+ * ublk/nbdublk.c: Include
+ * copy, lib, ublk: Include which was missing in a few places
+ * tests: Remove extra whitespace
+ * copy/copy-nbd-to-small-block-error.sh: Use different pidfiles
+ * copy: Use verbose nbdcopy in test
+ * copy: Fix "destination size is smaller than source size" error
+ * ci: refresh with latest 'lcitool manifest'
+ * ci: import lcitool project package list definitions
+ * podwrapper: nbd-server(1), nbd-client(8) are not local man pages
+ * Version 1.18.4.
+ * tests/connect-uri: Remove -DPIDFILE, generate it implicitly
+ * rust: Make the struct Cookie internal field fully public
+ * interop/block-status-64.c: Fix skip path under valgrind
+ * Revert "valgrind: Add suppression for liblzma bug"
+ * ocaml: Add ocamlfind -package to ocamldoc invocation
+ * info/can.c: Assert that 'can' variable is set
+ * info: Fix error message
+ * info: Add note that --can/--is/--has are synonyms
+ * info: Handle failure of call to file
+ * fuzzing: Add a comment that the libfuzzer test is unmaintained
+ * Version 1.18.3.
+ * tests/opt-info.c: Free string returned by nbd_get_export_name
+ * valgrind: Add suppression for liblzma bug
+ * info: Try harder to report contents from nbd-server
+ * copy: Add test for server without meta context support
+ * api: Fix nbd_can_meta_context for server that lacks meta contexts
+ * copy, info: Treat can_meta_context failures as unsupported
+ * configure: Copy bash-completions test from nbdkit
+ * podwrapper: Ignore check on older versions of Perl
+ * podwrapper: Allow = (POD directive) followed by bare URL
+ * podwrapper: Check for bare URLs and suggest replacement with L<> links
+ * podwrapper: Move long lines and cross-reference checks earlier
+ * tests: Missed another C test which didn't use NBDKIT
+ * tests: Use $NBDKIT instead of plain 'nbdkit'
+ * tests: Use 'source ./function.sh' consistently in this directory
+ * ocaml/tests: Add replacement for Bytes.set_int64_be
+ * ocaml/tests: Add explicit dependency on ocaml_test_config.cm{o,x}
+ * build: Define the minimum required version of OCaml as 4.05
+ * generator: Remove definition of sort_uniq
+ * configure: Annotate OCaml tests by version of OCaml
+ * ci: Skip certain deadlocking nbd-server tests on Alpine 3.19
+ * docs: Clarify description of block size constraints
+ * ocaml: tests: Compute srcdir centrally in Ocaml_test_config module
+ * ocaml: tests: Use @NBDKIT@ instead of hard coding nbdkit
+ * python: tests: Use $NBDKIT instead of hard coding nbdkit
+ * python: Various fixes to the Python tests and test wrapper
+ * tests: Use wait_for_pidfile instead of open-coded loops
+ * tests: Define NBD_SERVER in config.h and use it for requires tests
+ * tests: Define QEMU_NBD in config.h and use it for requires tests
+ * maint: Be more consistent about using ./configure-defined @NBDKIT@
+ * maint: Be more consistent about using ./configure-defined @QEMU_NBD@
+ * interop: Prefer exporting QEMU_STORAGE_DAEMON through tests/functions.sh
+ * interop: Use nbd-server FORCEDTLS mode
+ * interop: Test write, flush and zero operations
+ * interop: Add nbd-server flush flag
+ * interop: Remove -DNEEDS_TMPFILE
+ * maint: Use @LN_S@ autoconf macro in preference to writing out 'ln -s'
+ * tests: connect-uri: Choose random port for TCP connections at runtime
+ * tests: connect-uri: Change how Unix domain sockets are generated
+ * docs: Fix accidental double line in SECURITY file
+ * bash: Make nbdfuse and nbdublk installation conditional
+ * Version 1.18.2.
+ * ocaml: Nullify custom block before releasing runtime lock
+ * ocaml: Use Gc.finalize instead of a C finalizer
+ * ci: Update to latest lcitool
+ * rust: Avoid compiler warning about unused import
+ * docs: Mention CVE-2023-5871
+ * New mailing list archives
+ * fuzzing: We need to disable Rust bindings when building fuzzer version
+ * tests: Check behavior of nbd_set_strict_mode(STRICT_AUTO_FLAG)
+ * docs: Fix incorrect xref in libnbd-release-notes for 1.18
+ * generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
+
-------------------------------------------------------------------
Mon Nov 13 21:15:40 UTC 2023 - James Fehlig
diff --git a/libnbd.spec b/libnbd.spec
index c663e01..29c339f 100644
--- a/libnbd.spec
+++ b/libnbd.spec
@@ -19,13 +19,12 @@ %define sover 0
Name: libnbd
-Version: 1.18.1
+Version: 1.18.5
Release: 0
Summary: NBD client library in userspace
License: LGPL-2.1-or-later
URL: https://gitlab.com/nbdkit/libnbd
Source0: %{name}-%{version}.tar.bz2
-Patch0: 4451e5b6-CVE-2023-5871.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: fdupes
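Review bot: The hunk removes `Patch0: 4451e5b6-CVE-2023-5871.patch` but, per the diffstat (libnbd.spec: 1 insertion, 2 deletions), nothing in `%prep` is touched; if that section, which lies outside this hunk, applies patches with an explicit `%patch0 -p1` rather than `%autosetup -p1`, the build now fails on the missing patch, so `%prep` needs checking before merge. Dropping the patch itself is justified by the changelog hunk, which lists "generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871" among the commits under "Version 1.18.2.", so the fix is already carried by the 1.18.5 tarball. A one-line note next to `Source0:` such as `# CVE-2023-5871 fixed upstream since 1.18.2; no downstream patch needed` would spare the next reviewer from re-deriving this.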