- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow

remote execution
  uri-Sanitize-user-provided-hostnames.patch

_service

@@ -1,7 +1,7 @@
 <services>
   <service name="tar_scm" mode="manual">
     <param name="filename">libnbd</param>
-    <param name="revision">v1.22.4</param>
+    <param name="revision">v1.22.2</param>
     <param name="scm">git</param>
     <param name="submodules">disable</param>
     <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
-              <param name="changesrevision">caf41ba1847f79ab25e3a73401f8170cbe351908</param></service></servicedata>
+              <param name="changesrevision">5f55a26f3a776c11049a27154b1f2b59b8c335da</param></service></servicedata>

libnbd-1.22.4.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e3fb6a89c7ef6faf9ade7e1a2914215c9d0b5d2236ea70d044ca70f5a64e007b
-size 483984

libnbd.changes

@@ -1,41 +1,9 @@
 -------------------------------------------------------------------
-Fri Sep 05 21:02:25 UTC 2025 - Charles Arnold <carnold@suse.com>
+Wed Nov  5 11:03:52 MST 2025 - carnold@suse.com
 
-- Update to version 1.22.4:
-  * Version 1.22.4.
-  * docs: nbd_connect_uri: Combine export name sections together
-  * docs: nbd_connect_uri: Minor copyedits
-  * docs: nbd_connect_uri: Split up URI parsing section
-  * lib/uri.c: Use uri_query_list functions to free
-  * lib/uri.c: Add static annotation to parse_bool
-  * docs: Clarify documentation for export names in nbd_connect_uri
-  * docs: Add S<...> around qemu versions to avoid distracting linebreak
-  * generator: rust: Parse S<...> (non-breaking spaces) in POD
-  * generator: rust: Allow nested X<..X<..>..> expressions in POD
-  * generator: Don't list nbd_is_uri as a "flag call"
-  * generator: Clarify documentation for nbd_set_private_data
-  * ocaml: Small tweaks to the generated documentation
-  * ci: Remove fedora-40, alpine-320, add fedora-42, alpine-322
-  * common: utils: Add const to <vector>_duplicate variable decls
-  * copy, info: Use new vector_array_append functions in a couple of places
-  * common: utils: vector: Fix vector_uniq prototype and add a test
-  * common: utils: vector: Add range functions for insert, append and remove
-  * common: utils: vector: Prefer vector_reset over free()
-  * common: utils: vector: Add new vector_uniq function
-  * common/utils: Add convenient string_append_format function
-
--------------------------------------------------------------------
-Thu Jul 31 17:01:32 UTC 2025 - Charles Arnold <carnold@suse.com>
-
-- Update to version 1.22.3:
-  * Version 1.22.3.
-  * ublk: Remove unused EXPECTED_VERSION
-  * todo: Remove a couple of minor features that have been implemented
-  * info: Tolerate nbdkit slop on large extents
-  * generator: Avoid const-correctness warnings in golang
-  * maint: Spelling fixes
-  * ci: Disable cross-builds of Rust
-  * rust: Allow cargo build --target $RUST_TARGET to be set
+- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow
+  remote execution
+  uri-Sanitize-user-provided-hostnames.patch
 
 -------------------------------------------------------------------
 Tue May 06 22:48:02 UTC 2025 - jfehlig@suse.com

libnbd.spec

@@ -19,12 +19,13 @@
 %define sover 0
 
 Name:           libnbd
-Version:        1.22.4
+Version:        1.22.2
 Release:        0
 Summary:        NBD client library in userspace
 License:        LGPL-2.1-or-later
 URL:            https://gitlab.com/nbdkit/libnbd
 Source0:        %{name}-%{version}.tar.bz2
+Patch1:         uri-Sanitize-user-provided-hostnames.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes

uri-Sanitize-user-provided-hostnames.patch

@@ -0,0 +1,66 @@
+Subject: uri: Sanitize user-provided hostnames
+From: Eric Blake eblake@redhat.com Mon Oct 13 10:01:21 2025 -0500
+Date: Tue Oct 21 15:30:19 2025 -0500:
+Git: f461fe64d21fe8a6d32b56ccb50d06489d2e2698
+
+Dan Berrangé ran a free trial of zeropath (http://zeropath.com/) AI
+analysis on libnbd, and it highlighted the following:
+
+ "When using nbd+ssh:// URIs the library constructs an argv array for
+ ssh from parsed URI parts (server, port, user, unix socket, nbd-port)
+ and execs it. The server component is used directly as an ssh
+ argument; if it begins with '-' an attacker can inject ssh options
+ (e.g. -oProxyCommand=...) that cause ssh to run local commands. There
+ is no protection (such as rejecting leading '-' in server or inserting
+ a '--' to stop option parsing), so an attacker who can supply the URI
+ can cause local command execution in the client process."
+
+ eg with this....  "nbdinfo nbd+ssh://-oProxyCommand=rm%20run.in"
+ you'll get a failure to start the NBD connection, but it none the less
+ deletes the file 'run.in' in the local working directory
+
+The RFCs are vague enough that it is not immediately obvious whether
+there is any possibility of a valid hostname with a leading - (see
+https://www.netmeister.org/blog/hostnames.html).  Still, it is better
+to pass the user's string on to ssh's determination of a valid
+hostname (which does appear to reject leading -) rather than trying to
+teach libnbd what patterns to allow, and thereby avoid risking any
+pattern written in libnbd accidentally being too restrictive.  Do this
+by using "--" to end ssh options before the hostname, but that in turn
+must come after any use of -oUser=.  With this in place, we now get a
+sane error rather than spawning a calculator with:
+
+$ nbdinfo nbd+ssh://-oProxyCommand=gnome-calculator
+hostname contains invalid characters
+/home/eblake/libnbd/info/.libs/nbdinfo: nbd_connect_uri: recv: server disconnected unexpectedly
+
+See also Libvirt commit e4cb8500 (Aug 2017), which in turn was
+inspired by GIT security flaws
+(http://blog.recurity-labs.com/2017-08-10/scm-vulns).  We have put out
+a request to Red Hat security on whether this warrants a CVE in
+libnbd; however, as the problem was easy to identify using only free
+AI resources, and the problem itself is relatively low priority (to
+exploit it, an attacker has to convince an admin to run a program that
+will use libnbd on an untrusted URI), so we are publishing this now
+rather than waiting for any embargo.  If a CVE is assigned, it will be
+announced to the mailing list in a followup post.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+CC: Daniel P. Berrangé <berrange@redhat.com>
+
+(cherry picked from commit fffd87a3ba216cf2f9c212e5db96b13b98985edf)
+Conflicts:
+	lib/uri.c - no username override, backport looks different
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+--- a/lib/uri.c
++++ b/lib/uri.c
+@@ -446,7 +446,7 @@ nbd_unlocked_aio_connect_uri (struct nbd
+   case ssh: {                   /* SSH */
+     char port_str[32];
+     const char *ssh_command[] = {
+-      "ssh", "-p", port_str, uri->server,
++      "ssh", "-p", port_str, "--", uri->server,
+       "nc",
+       NULL,                     /* [5] "-U" or "localhost" */
+       NULL,                     /* [6] socket or "10809" */