- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow

remote execution
  uri-Sanitize-user-provided-hostnames.patch

_service

@@ -1,7 +1,7 @@
 <services>
   <service name="tar_scm" mode="manual">
     <param name="filename">libnbd</param>
-    <param name="revision">v1.18.4</param>
+    <param name="revision">v1.22.2</param>
     <param name="scm">git</param>
     <param name="submodules">disable</param>
     <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
-              <param name="changesrevision">d2e14942c87901db13f99c56e5a93eab7d79617c</param></service></servicedata>
+              <param name="changesrevision">5f55a26f3a776c11049a27154b1f2b59b8c335da</param></service></servicedata>

libnbd-1.18.4.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5d129ec5cbb189ca454218bf2283d2de684788300a0485f7f4378eaac95db58
-size 440557

libnbd.changes

@@ -1,3 +1,287 @@
+-------------------------------------------------------------------
+Wed Nov  5 11:03:52 MST 2025 - carnold@suse.com
+
+- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow
+  remote execution
+  uri-Sanitize-user-provided-hostnames.patch
+
+-------------------------------------------------------------------
+Tue May 06 22:48:02 UTC 2025 - jfehlig@suse.com
+
+- Update to version 1.22.2:
+  * Version 1.22.2.
+  * copy: Test --allocated + --destination-is-zero options together
+  * copy: Test --destination-is-zero option
+  * copy: Test --allocated option more thoroughly
+  * copy: Add a test of the --flush option
+  * copy: Remove output file in a few tests
+  * build: Print rustc version in ./configure output
+  * rust: Use nbd.is_uri in examples
+  * ci: Skip go on FreeBSD 14
+  * ci: Update to latest
+  * copy: Fix file allocation when using --allocated
+  * copy: Fix file_sync_zero when allocate == true
+  * copy: Consider options when zeroing in synch mode
+  * copy: Hard error if sync_file_range fails
+  * info/info-uri-nbds.sh: Fix test if compiled without GnuTLS
+  * copy: Set the total size in bytes copied
+  * copy: progress: Add a comment about size and pipes
+  * info: Use magenta for export headings, instead of black
+  * Version 1.22.1.
+  * ocaml/{examples,tests}: Don't try to run OCAMLFIND if --disable-ocaml
+  * docs/libnbd-release-notes-1.22.pod: Set release date
+  * Version 1.22.0.
+  * ci: Update FreeBSD builds
+  * copy: Include pthread.h
+  * docs: Small revisions to the release notes
+  * golang: Replace () with correct argument decl, for GCC 15
+  * docs: Add outline release notes for libnbd 1.22
+  * ci: Update to latest
+  * dump: Add a test of --length and --offset
+  * dump: Add --offset for further limiting the dump
+  * dump: Document --length
+  * examples: Add simple program to benchmark connections
+  * Version 1.21.6.
+  * build: Use 'tar ztf' instead of 'zcat | tar'
+  * Revert "ci: Skip maintainer-check-extra-dist test on macOS"
+  * ci: Skip maintainer-check-extra-dist test on macOS
+  * ci: Install bash (from homebrew) in the CI environment
+  * configure: Check that bash is sufficiently new
+  * ci: Dump out failed log files when the tests fail
+  * golang, rust: Use env bash for FreeBSD
+  * python: Skip Python tests on macOS
+  * tests/newstyle-limited.c: Check truncate is GNU truncate before using
+  * ocaml/tests/test_220_opt_list.ml: Use correct nbdkit binary
+  * ocaml/tests/test_580_aio_connect.ml: Skip this test on macOS
+  * build: Test for GnuTLS certtool on macOS
+  * build: Use GNU alternatives on macOS and FreeBSD
+  * copy/copy-file-to-nbd.sh: Remove test for 'truncate'
+  * lib/test-fork-safe-execvpe.sh: Skip this test on macOS
+  * ci/build.sh: Set os_id on macOS which lacks /etc/os-release
+  * ci: Don't skip tests on non-Linux
+  * Version 1.21.5.
+  * interop: Skip nbd-server test on Alpine
+  * ci: Update CI files
+  * vsock: Document limitations and reserved vsock port numbers
+  * rust: Parse perlpod L<https://...> (external links) to rust markup
+  * generator: connect_uri: Document differences with qemu parsing
+  * podwrapper: Add some simple checks for cross-references within manual pages.
+  * docs/libnbd-release-notes-1.10.pod: Remove broken link to "nbd_connect(3)"
+  * docs/nbd_create.pod: Cross-reference nbd_shutdown(3)
+  * Version 1.21.4.
+  * docs: Use "oldstyle servers" in preference to "older servers"
+  * docs: Mention newstyle and oldstyle servers in main docs
+  * docs: Mention nbd_is_uri under "Connecting to an NBD URI" in main docs
+  * README: Fix bold markdown
+  * README: Mention 'make install DESTDIR=...'
+  * README: Mention the ./run script
+  * lib: Add nbd_get_subprocess_pid to return h->pid
+  * docs/libnbd-security.pod: Assign CVE-2024-7383
+  * Version 1.21.3.
+  * build: Prefer "for developers" in ./configure --help output
+  * build: Fix ./configure --help output for --enable-python-code-style
+  * copy: Fix URI detection
+  * lib: Add new nbd_is_uri API
+  * tests/requires.c: Don't fail to compile if NBDKIT is not defined
+  * Version 1.21.2.
+  * lib: Implement nbd+ssh:// and nbds+ssh:// URIs
+  * tests/connect-uri.c: Replace -DREQUIRES_NBDKIT_TLS_VERIFY_PEER=1
+  * lib/uri.c: Change socket required boolean into an enum
+  * generator/states-newstyle.c: Don't sign extend escaped chars
+  * rust: Add os-ext feature to get mio::unix
+  * generator/states-newstyle.c: Quote untrusted string from the server
+  * generator: Restore assignment to local 'err'
+  * .gitignore: Remove unused line
+  * lib: Don't overwrite error in nbd_opt_{go,info}
+  * generator: Print full error in handle_reply_error
+  * ci: Drop Alma Linux 8
+  * lib/crypto.c: Check <gnutls/socket.h> works before including it
+  * lib/uri.c: Append tls-hostname and tls-verify-peer when getting URI
+  * Version 1.21.1.
+  * docs: security: Add link to TLS server certificate checking announcement
+  * lib/uri.c: Allow tls-hostname to be overridden in URIs
+  * lib/uri.c: Allow tls-verify-peer to be overridden in URIs
+  * lib/crypto.c: Add API functions to get/set TLS hostname
+
+-------------------------------------------------------------------
+Fri Oct 18 16:42:38 UTC 2024 - jfehlig@suse.com
+
+- Update to version 1.20.3:
+  * Version 1.20.3.
+  * interop: Skip nbd-server test on Alpine
+  * ci: Update CI files
+  * rust: Parse perlpod L<https://...> (external links) to rust markup
+  * podwrapper: Add some simple checks for cross-references within manual pages.
+  * docs/libnbd-release-notes-1.10.pod: Remove broken link to "nbd_connect(3)"
+  * docs/nbd_create.pod: Cross-reference nbd_shutdown(3)
+  * docs: Use "oldstyle servers" in preference to "older servers"
+  * docs: Mention newstyle and oldstyle servers in main docs
+  * README: Fix bold markdown
+  * README: Mention 'make install DESTDIR=...'
+  * README: Mention the ./run script
+  * build: Prefer "for developers" in ./configure --help output
+  * build: Fix ./configure --help output for --enable-python-code-style
+  * .gitignore: Remove unused line
+  * ci: Drop Alma Linux 8
+  * lib/crypto.c: Check <gnutls/socket.h> works before including it
+  * docs/libnbd-security.pod: Assign CVE-2024-7383
+  * jsc#PED-8910
+
+-------------------------------------------------------------------
+Mon Aug 05 16:08:37 UTC 2024 - jfehlig@suse.com
+
+- Update to version 1.20.2:
+  * CVE-2024-7383 (bsc#1228872)
+  * Version 1.20.2.
+  * docs: security: Add link to TLS server certificate checking announcement
+  * lib/uri.c: Allow tls-verify-peer to be overridden in URIs
+  * interop: Test interop with a bad system CA
+  * interop: Add -DEXPECT_FAIL=1 where we expect the test to fail
+  * interop: Pass -DCERTS and -DPSK as strings
+  * lib/crypto.c: Allow CA verification even if h->hostname is not set
+  * lib/crypto.c: Check server certificate even when using system CA
+  * build: Move to minimum gnutls >= 3.5.18
+  * nbdfuse: Can't use ?tls-certificates or ?tls-psk-file
+  * ci: Fix MacOS builds
+  * tests: Fix CI on Fedora 40
+  * Version 1.20.1.
+  * tests: Add some code quality checks (mainly for maintainers)
+  * common/utils/device-size.c: Include <stdint.h>
+  * copy: Use device_size to get size of block devices
+  * copy: Refactor the internal file_create API
+  * common/utils: Add a function to find the size of a file or block device
+  * Include <stdint.h> in code which uses standard C int types
+  * common/include, ublk: Include <inttypes.h> in code which uses PRI* or SCN*
+  * Include <stdbool.h> in code which uses bool/true/false
+  * copy: Detect <sys/ioctl.h>
+  * copy: Detect <linux/fs.h> at configure time
+  * configure.ac: Indent AC_CHECK_HEADERS consistent with nbdkit
+  * ublk/nbdublk.c: Include <errno.h>
+  * copy, lib, ublk: Include <assert.h> which was missing in a few places
+  * tests: Remove extra whitespace
+  * copy/copy-nbd-to-small-block-error.sh: Use different pidfiles
+  * copy: Use verbose nbdcopy in test
+  * copy: Fix "destination size is smaller than source size" error
+  * ci: refresh with latest 'lcitool manifest'
+  * ci: import lcitool project package list definitions
+  * podwrapper: nbd-server(1), nbd-client(8) are not local man pages
+  * Version 1.20.0.
+  * tests/connect-uri.c: Don't call strlen on each loop iteration
+  * tests/connect-uri: Remove -DPIDFILE, generate it implicitly
+  * lib/uri: Make parsing URIs more case insensitive
+  * rust: Make the struct Cookie internal field fully public
+  * interop/block-status-64.c: Fix skip path under valgrind
+  * Revert "valgrind: Add suppression for liblzma bug"
+  * docs: Add outline release notes for forthcoming libnbd 1.20
+  * lib/handle.c: Invalidate h->magic field just before freeing
+  * Version 1.19.11.
+  * ocaml: Add ocamlfind -package to ocamldoc invocation
+  * ocaml: Mention bigstring and bigstringaf libraries
+  * ocaml/tests: Add a test of the buffer lifecycle
+  * ocaml: Update META so we link programs with bigarray on OCaml < 5
+  * ocaml: Use Bigarray to link examples and tests on OCaml < 5
+  * ocaml/tests: Modify the tests to use the new NBD.Buffer.t
+  * ocaml: Add NBD.Buffer to/from string functions
+  * ocaml: Reimplement NBD.Buffer.t using Bigarray for zero-copy
+  * Version 1.19.10.
+  * info: Add --isnt & --cannot to --help output
+  * info: Implement --cannot and synonyms
+  * info/can.c: Assert that 'can' variable is set
+  * info: Fix error message
+  * info: Add note that --can/--is/--has are synonyms
+  * Version 1.19.9.
+  * info: --uri: Free URI after printing it
+  * lib/uri.c: Add better comments to nbd_get_uri function
+  * info: Add --uri parameter
+  * docs: Link from nbd_get_size to nbdinfo --size option
+  * info: Handle failure of call to file
+  * copy, fuse: Use vector_reserve_exactly in a few places
+  * common/utils: Make vector_reserve_page_aligned allocate exactly
+  * common/utils: Add vector_reserve_exactly function
+  * fuzzing: Add a comment that the libfuzzer test is unmaintained
+  * Version 1.19.8.
+  * tests/opt-info.c: Free string returned by nbd_get_export_name
+  * valgrind: Add suppression for liblzma bug
+  * info: Try harder to report contents from nbd-server
+  * copy: Add test for server without meta context support
+  * api: Fix nbd_can_meta_context for server that lacks meta contexts
+  * copy, info: Treat can_meta_context failures as unsupported
+  * configure: Copy bash-completions test from nbdkit
+  * Version 1.19.7.
+  * podwrapper: Ignore check on older versions of Perl
+  * podwrapper: Allow = (POD directive) followed by bare URL
+  * podwrapper: Check for bare URLs and suggest replacement with L<> links
+  * podwrapper: Move long lines and cross-reference checks earlier
+  * contrib: Add suggested autoconf CHECK_LIBNBD macro
+  * Version 1.19.6.
+  * tests: Missed another C test which didn't use NBDKIT
+  * tests: Use $NBDKIT instead of plain 'nbdkit'
+  * tests: Use 'source ./function.sh' consistently in this directory
+  * ocaml/tests: Add replacement for Bytes.set_int64_be
+  * ocaml/tests: Add explicit dependency on ocaml_test_config.cm{o,x}
+  * build: Define the minimum required version of OCaml as 4.05
+  * generator: Remove definition of sort_uniq
+  * configure: Annotate OCaml tests by version of OCaml
+  * ci: Skip certain deadlocking nbd-server tests on Alpine 3.19
+  * docs: Clarify description of block size constraints
+  * ocaml: tests: Compute srcdir centrally in Ocaml_test_config module
+  * ocaml: tests: Use @NBDKIT@ instead of hard coding nbdkit
+  * python: tests: Use $NBDKIT instead of hard coding nbdkit
+  * python: Various fixes to the Python tests and test wrapper
+  * Version 1.19.5.
+  * tests: Use wait_for_pidfile instead of open-coded loops
+  * tests: Define NBD_SERVER in config.h and use it for requires tests
+  * tests: Define QEMU_NBD in config.h and use it for requires tests
+  * maint: Be more consistent about using ./configure-defined @NBDKIT@
+  * maint: Be more consistent about using ./configure-defined @QEMU_NBD@
+  * interop: Prefer exporting QEMU_STORAGE_DAEMON through tests/functions.sh
+  * interop: Use nbd-server FORCEDTLS mode
+  * interop: Test write, flush and zero operations
+  * interop: Add nbd-server flush flag
+  * interop: Remove -DNEEDS_TMPFILE
+  * maint: Use @LN_S@ autoconf macro in preference to writing out 'ln -s'
+  * tests: connect-uri: Choose random port for TCP connections at runtime
+  * tests: connect-uri: Change how Unix domain sockets are generated
+  * docs: Fix accidental double line in SECURITY file
+  * Version 1.19.4.
+  * ci: Update to latest lcitool
+  * rust: Avoid compiler warning about unused import
+  * bash: Make nbdfuse and nbdublk installation conditional
+  * generator/Makefile.am: Fix missing continuation backslash
+  * Version 1.19.3.
+  * ocaml: Nullify custom block before releasing runtime lock
+  * ocaml: Use Gc.finalize instead of a C finalizer
+  * Version 1.19.2.
+  * generator: Clarify message about generated files
+  * docs: Mention CVE-2023-5871
+  * docs: Improve handle states documentation
+  * generator: Move docs generation out to a new module
+  * docs: Add comment for api_built, and formatting
+  * docs: Tighten up description of nbd_connect_uri(3)
+  * examples: Add example code for nbd_connect_uri(3)
+  * examples: Rearrange Makefile alphabetically
+  * generator: Make sure man pages are rebuilt if examples change
+  * New mailing list archives
+  * examples/userfault-map.c: Make nbd handle static
+  * example: Using userfaultfd to mmap an NBD-backed drive
+  * tests: Check behavior of nbd_set_strict_mode(STRICT_AUTO_FLAG)
+  * lib: Add dynamic validation of struct nbd_handle
+  * docs: Fix incorrect xref in libnbd-release-notes for 1.18
+  * fuzzing: Remove unnecessary NULL assignments
+  * fuzzing: Change fuzzing approach so we issue asynchronous commands
+  * generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
+  * fuzzing: We need to disable Rust bindings when building fuzzer version
+  * Version 1.19.1.
+  * rust: Use string_starts_with instead of String.starts_with
+  * rust: Build the examples
+  * rust: Write a custom translator from POD to rustdoc
+  * rust: Add overview documentation
+  * rust: Annotate 'endif' with corresponding label
+  * info: Show human sizes for block_size values
+  * utils: Slightly simplify human_size()
+  * docs: Assign CVE-2023-5215 to nbd_get_size negative result issue
+  * info: Try harder for graceful disconnect from server
+
 -------------------------------------------------------------------
 Thu Apr 18 20:01:31 UTC 2024 - jfehlig@suse.com
 
@@ -232,6 +516,7 @@ Fri Jul  8 17:59:24 UTC 2022 - James Fehlig <jfehlig@suse.com>
   * python: Plug uninit leak in nbd.Buffer.to_bytearray
   * python: Avoid memleak on (unlikely) module failure
   * python: Accept buffers in nbd.Buffer.from_bytearray()
+  * jsc#ECO-3633
 - Enable building python module and utilities
 
 -------------------------------------------------------------------

libnbd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libnbd
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,12 +19,13 @@
 %define sover 0
 
 Name:           libnbd
-Version:        1.18.4
+Version:        1.22.2
 Release:        0
 Summary:        NBD client library in userspace
 License:        LGPL-2.1-or-later
 URL:            https://gitlab.com/nbdkit/libnbd
 Source0:        %{name}-%{version}.tar.bz2
+Patch1:         uri-Sanitize-user-provided-hostnames.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes

uri-Sanitize-user-provided-hostnames.patch

@@ -0,0 +1,66 @@
+Subject: uri: Sanitize user-provided hostnames
+From: Eric Blake eblake@redhat.com Mon Oct 13 10:01:21 2025 -0500
+Date: Tue Oct 21 15:30:19 2025 -0500:
+Git: f461fe64d21fe8a6d32b56ccb50d06489d2e2698
+
+Dan Berrangé ran a free trial of zeropath (http://zeropath.com/) AI
+analysis on libnbd, and it highlighted the following:
+
+ "When using nbd+ssh:// URIs the library constructs an argv array for
+ ssh from parsed URI parts (server, port, user, unix socket, nbd-port)
+ and execs it. The server component is used directly as an ssh
+ argument; if it begins with '-' an attacker can inject ssh options
+ (e.g. -oProxyCommand=...) that cause ssh to run local commands. There
+ is no protection (such as rejecting leading '-' in server or inserting
+ a '--' to stop option parsing), so an attacker who can supply the URI
+ can cause local command execution in the client process."
+
+ eg with this....  "nbdinfo nbd+ssh://-oProxyCommand=rm%20run.in"
+ you'll get a failure to start the NBD connection, but it none the less
+ deletes the file 'run.in' in the local working directory
+
+The RFCs are vague enough that it is not immediately obvious whether
+there is any possibility of a valid hostname with a leading - (see
+https://www.netmeister.org/blog/hostnames.html).  Still, it is better
+to pass the user's string on to ssh's determination of a valid
+hostname (which does appear to reject leading -) rather than trying to
+teach libnbd what patterns to allow, and thereby avoid risking any
+pattern written in libnbd accidentally being too restrictive.  Do this
+by using "--" to end ssh options before the hostname, but that in turn
+must come after any use of -oUser=.  With this in place, we now get a
+sane error rather than spawning a calculator with:
+
+$ nbdinfo nbd+ssh://-oProxyCommand=gnome-calculator
+hostname contains invalid characters
+/home/eblake/libnbd/info/.libs/nbdinfo: nbd_connect_uri: recv: server disconnected unexpectedly
+
+See also Libvirt commit e4cb8500 (Aug 2017), which in turn was
+inspired by GIT security flaws
+(http://blog.recurity-labs.com/2017-08-10/scm-vulns).  We have put out
+a request to Red Hat security on whether this warrants a CVE in
+libnbd; however, as the problem was easy to identify using only free
+AI resources, and the problem itself is relatively low priority (to
+exploit it, an attacker has to convince an admin to run a program that
+will use libnbd on an untrusted URI), so we are publishing this now
+rather than waiting for any embargo.  If a CVE is assigned, it will be
+announced to the mailing list in a followup post.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+CC: Daniel P. Berrangé <berrange@redhat.com>
+
+(cherry picked from commit fffd87a3ba216cf2f9c212e5db96b13b98985edf)
+Conflicts:
+	lib/uri.c - no username override, backport looks different
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+--- a/lib/uri.c
++++ b/lib/uri.c
+@@ -446,7 +446,7 @@ nbd_unlocked_aio_connect_uri (struct nbd
+   case ssh: {                   /* SSH */
+     char port_str[32];
+     const char *ssh_command[] = {
+-      "ssh", "-p", port_str, uri->server,
++      "ssh", "-p", port_str, "--", uri->server,
+       "nc",
+       NULL,                     /* [5] "-U" or "localhost" */
+       NULL,                     /* [6] socket or "10809" */