From 4b12b3ec01fda43dd0cf8bd9a3da9e178fa673985cccad642a11d47d5b7d7ae4 Mon Sep 17 00:00:00 2001
From: Charles Arnold
Date: Tue, 12 Jul 2022 21:55:44 +0000
Subject: [PATCH] - Update to version 1.48.4
 * This is a bug fix release
- Drop patches included in new tarball
 CVE-2022-2211-docs-guestfs-security-document.patch
 CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
- CVE-2022-2211 - Fix buffer overflow in get_keys()
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libguestfs?expand=0&rev=521
---
 ...-2211-docs-guestfs-security-document.patch | 55 ---------
 ...ions-fix-buffer-overflow-in-get_keys.patch | 116 ------------------
 libguestfs-1.48.3.tar.gz | 3 -
 libguestfs-1.48.3.tar.gz.sig | 17 ---
 libguestfs-1.48.4.tar.gz | 3 +
 libguestfs-1.48.4.tar.gz.sig | 17 +++
 libguestfs.changes | 12 +-
 libguestfs.spec | 4 +-
 8 files changed, 31 insertions(+), 196 deletions(-)
 delete mode 100644 CVE-2022-2211-docs-guestfs-security-document.patch
 delete mode 100644 CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
 delete mode 100644 libguestfs-1.48.3.tar.gz
 delete mode 100644 libguestfs-1.48.3.tar.gz.sig
 create mode 100644 libguestfs-1.48.4.tar.gz
 create mode 100644 libguestfs-1.48.4.tar.gz.sig
diff --git a/CVE-2022-2211-docs-guestfs-security-document.patch b/CVE-2022-2211-docs-guestfs-security-document.patch
deleted file mode 100644
index f184482..0000000
--- a/CVE-2022-2211-docs-guestfs-security-document.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Subject: docs/guestfs-security: document CVE-2022-2211
-From: Laszlo Ersek lersek@redhat.com Tue Jun 28 13:54:16 2022 +0200
-Date: Wed Jun 29 15:29:37 2022 +0200:
-Git: 99844660b48ed809e37378262c65d63df6ce4a53
-
-Short log for the common submodule, commit range
-f8de5508fe75..35467027f657:
-
-Laszlo Ersek (2):
- mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
- options: fix buffer overflow in get_keys() [CVE-2022-2211]
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
-Signed-off-by: Laszlo Ersek
-Message-Id: <20220628115418.5376-2-lersek@redhat.com>
-Reviewed-by: Richard W.M. Jones
-
---- a/docs/guestfs-security.pod
-+++ b/docs/guestfs-security.pod
-@@ -406,6 +406,34 @@ The libvirt backend is not affected.
- The solution is to update qemu to a version containing the fix (see
- L).
- 
-+=head2 CVE-2022-2211
-+
-+L
-+
-+The C function in F collects
-+those I<--key> options from the command line into a new array that match
-+a particular block device that's being decrypted for inspection. The
-+function intends to size the result array such that potentially all
-+I<--key> options, plus a terminating C element, fit into it. The
-+code mistakenly uses the C macro instead of C, and therefore
-+only one element is allocated before the C terminator.
-+
-+Passing precisely two I<--key ID:...> options on the command line for
-+the encrypted block device C causes C to overwrite the
-+terminating C, leading to an out-of-bounds read in
-+C, file F.
-+
-+Passing more than two I<--key ID:...> options on the command line for
-+the encrypted block device C causes C itself to perform
-+out-of-bounds writes. The most common symptom is a crash with C
-+later on.
-+
-+This issue affects -- broadly speaking -- all libguestfs-based utilities
-+that accept I<--key>, namely: C, C, C,
-+C, C, C, C,
-+C, C, C, C,
-+C, C, C.
-+
- =head1 SEE ALSO
- 
- L,
diff --git a/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch b/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
deleted file mode 100644
index b966203..0000000
--- a/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-Subject: options: fix buffer overflow in get_keys() [CVE-2022-2211]
-From: Laszlo Ersek lersek@redhat.com Tue Jun 28 13:49:04 2022 +0200
-Date: Wed Jun 29 15:17:17 2022 +0200:
-Git: 35467027f657de76aca34b48a6f23e9608b23a57
-
-When calculating the greatest possible number of matching keys in
-get_keys(), the current expression
-
- MIN (1, ks->nr_keys)
-
-is wrong -- it will return at most 1.
-
-If all "nr_keys" keys match however, then we require "nr_keys" non-NULL
-entries in the result array; in other words, we need
-
- MAX (1, ks->nr_keys)
-
-(The comment just above the expression is correct; the code is wrong.)
-
-This buffer overflow is easiest to trigger in those guestfs tools that
-parse the "--key" option in C; that is, with "OPTION_key". For example,
-the command
-
-$ virt-cat $(seq -f '--key /dev/sda2:key:%g' 200) -d DOMAIN /no-such-file
-
-which passes 200 (different) passphrases for the LUKS-encrypted block
-device "/dev/sda2", crashes with a SIGSEGV.
-
-A slightly better reproducer from Rich Jones is the following, since it
-doesn't require an encrypted guest disk image:
-
-$ echo TEST | guestfish --keys-from-stdin -N part luks-format /dev/sda1 0
-$ virt-cat $(seq -f '--key /dev/sda1:key:%g' 200) -a test1.img /no-such-file
-Segmentation fault (core dumped)
-$ rm test1.img
-
-(
-
- The buffer overflow is possible to trigger in OCaml-language tools as
- well; that is, those that call "create_standard_options" with
- ~key_opts:true.
-
- Triggering the problem that way is less trivial. The reason is that when
- the OCaml tools parse the "--key" options, they de-duplicate the options
- first, based on the device identifier.
-
- Thus, in theory, this de-duplication masks the issue, as (one would
- think) only one "--key" option could belong to a single device, and
- therefore the buffer overflow would not be triggered in practice.
-
- This is not the case however: the de-duplication does not collapse keys
- that are provided for the same device, but use different identifier
- types (such as pathname of device node versus LUKS UUID) -- in that
- situation, two entries in the keystore will match the device, and the
- terminating NULL entry will not be present once get_keys() returns. In
- this scenario, we don't have an out-of-bounds write, but an
- out-of-bounds read, in decrypt_mountables() [options/decrypt.c].
-
- There is *yet another* bug in get_keys() though that undoes the above
- "masking". The "uuid" parameter of get_keys() may be NULL (for example
- when the device to decrypt uses BitLocker and not LUKS). When this
- happens, get_keys() adds all keys in the keystore to the result array.
- Therefore, the out-of-bounds write is easy to trigger with
- OCaml-language tools as well, as long as we attempt to decrypt a
- BitLocker (not LUKS) device, and we pass the "--key" options with
- different device identifiers.
-
- Subsequent patches in this series fix all of the above; this patch fixes
- the security bug.
-
-)
-
-Rather than replacing MIN with MAX, open-code the comparison, as we first
-set "len" to 1 anyway.
-
-While at it, rework the NULL-termination such that the (len+1) addition
-not go unchecked.
-
-Fixes: c10c8baedb88e7c2988a01b70fc5f81fa8e4885c
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
-Signed-off-by: Laszlo Ersek
-Message-Id: <20220628114915.5030-2-lersek@redhat.com>
-Reviewed-by: Richard W.M. Jones
-
---- a/common/options/keys.c
-+++ b/common/options/keys.c
-@@ -128,17 +128,23 @@ read_first_line_from_file (const char *f
- char **
- get_keys (struct key_store *ks, const char *device, const char *uuid)
- {
-- size_t i, j, len;
-+ size_t i, j, nmemb;
- char **r;
- char *s;
- 
- /* We know the returned list must have at least one element and not
- * more than ks->nr_keys.
- */
-- len = 1;
-- if (ks)
-- len = MIN (1, ks->nr_keys);
-- r = calloc (len+1, sizeof (char *));
-+ nmemb = 1;
-+ if (ks && ks->nr_keys > nmemb)
-+ nmemb = ks->nr_keys;
-+
-+ /* make room for the terminating NULL */
-+ if (nmemb == (size_t)-1)
-+ error (EXIT_FAILURE, 0, _("size_t overflow"));
-+ nmemb++;
-+
-+ r = calloc (nmemb, sizeof (char *));
- if (r == NULL)
- error (EXIT_FAILURE, errno, "calloc");
- 
diff --git a/libguestfs-1.48.3.tar.gz b/libguestfs-1.48.3.tar.gz
deleted file mode 100644
index cd09d36..0000000
--- a/libguestfs-1.48.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bd26fb40eb12beb9fddf69c3268dd4db7a7cc77836eae8529203d4765314c6a9
-size 19185249
diff --git a/libguestfs-1.48.3.tar.gz.sig b/libguestfs-1.48.3.tar.gz.sig
deleted file mode 100644
index fdd0a4a..0000000
--- a/libguestfs-1.48.3.tar.gz.sig
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmKPV+gRHHJpY2hAYW5u
-ZXhpYS5vcmcACgkQkXOPc+G3aKCKkg/9EtADDnkcIWioiFYhCe0LTIMQqBG/q09G
-ghfBbvWk4bhZiFMqtxPLS65mc8rCvf3aSA+b8tT3LKD2uarY4LiXKNn9U0nPb1hu
-vxc+V/xK5DsqFOyc/Vh0xScBkGP4SoX7R/A6ZfM3dmOV+Ff9KRIpNDFSCM+nxhTh
-OmYbdzdjbrdsv1NlNR8YYpn6LFiS1Ngf2ju0oM1tLF+XQ+BG7qyKGKNCmAokup0f
-h1IM3fMah0m69hC7i83rfQm/01gZBi0z+JevZlqxa1hM8G2Vm37uv6HQTkX0W5oM
-bNz8n6x3CB7oTMXtOhSOl29jCWkqto/MDcD9bVddOSS5f/S04ssXBf2NTrh2/VIz
-YfwEjojyGfMgoPdM/lcc5jbns5Fp+hypdXl1PhihwFtfFxipa6eyPWlX/9TZ7AKQ
-5wWF+hGnFeWxZF3+rYIdZzKHRnKjlh2DdmZYSgPD1RBXUVYBpgDTtNuDkK1dMx+w
-9EVJYasZ4CidspwVRge1IU/hr+xVDo/05ieUYaYG70gLSZZ9vCwgpZKZKe4FFA7p
-4EK2exuUo2kU0DG9IWDSlOE9I6vAaB2q4hLs6HDx4I2mJgouDd69DX8oB7ezrm/H
-cIqd7SWwK3chC0syFYdDF0A8sZ65NmdTcTh3PLSFqanS+Kps+SSOMnSBv4Iw/wFw
-+L1EZHxlO80=
-=HHYl
------END PGP SIGNATURE-----
diff --git a/libguestfs-1.48.4.tar.gz b/libguestfs-1.48.4.tar.gz
new file mode 100644
index 0000000..35ae6df
--- /dev/null
+++ b/libguestfs-1.48.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9dc22b6c5a45f19c2cba911a37b3a8d86f62744521b10eb53c3d3907e5080312
+size 19189712
diff --git a/libguestfs-1.48.4.tar.gz.sig b/libguestfs-1.48.4.tar.gz.sig
new file mode 100644
index 0000000..c27f5ce
--- /dev/null
+++ b/libguestfs-1.48.4.tar.gz.sig
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmLFql8RHHJpY2hAYW5u
+ZXhpYS5vcmcACgkQkXOPc+G3aKAV2hAAzOcZseFTUFFoj4M5riqXqtBN3W+fr/O7
+v0wzJ9sY31Ftk8KFKKgpwOn4UFXYMPXY7Hm94GRAYjYBAtx9Viyyt7B6PbV7mVZ0
+WHLlZcg3ZsliF23s3EoHfgTGFfKLkjDwfPlmChC260Ffhq4KKvnwu/DobY/CDLHG
+0cvrjb0OOYibBGbq58AHYR6QlVH/ScAuLSA1aRAd06bbpixufRR1oh1MtFA1iSvC
+yjNH0joLFiu0uuD7KFH66YX2nFNrO24r0LxJkwT5G7GHlZJStJUpvs/QHa8Tw5Zt
+Z1JMk9yB9EMPYimdVDm7m6eDBxTx8YbF7u6G8JdHRXgAPBt4O09XX7WGxxmh9Dc4
+M+QkpiubEOG6qwBythJJ6sTSRLKIAPeVfHEOauXg8n45Tbk5jYwthMKbnD9ETb3t
+QKdMr5g+DZUO0LfbOvP0GtD+b1jK4iu4BcWDquQBXpDTbx7LUfSuTDrWItehEnBp
+/K6FRbakNZEroLR5VA9WAa6sE+2B3gg1OG+KHypHuw4hfpmutvVA8wnPgyw3j+WK
+xdcRp65NUMUkKRE/FTwp1MkY1Y2S9M9iAPX+CopdHPVoq9O2YE+K6Rv1EdJjmKZK
+EwLzX08Xcj9T/U9GEfV+QdIzitCuxf7x9ULEDcFozFnuHXww+JLdR0EmIDkUwl7C
+Z0KKsy18Eq8=
+=WB1H
+-----END PGP SIGNATURE-----
diff --git a/libguestfs.changes b/libguestfs.changes
index d9358ce..675030f 100644
--- a/libguestfs.changes
+++ b/libguestfs.changes
@@ -1,8 +1,16 @@
+-------------------------------------------------------------------
+Tue Jul 12 15:53:22 MDT 2022 - carnold@suse.com
+
+- Update to version 1.48.4
+ * This is a bug fix release
+- Drop patches included in new tarball
+ CVE-2022-2211-docs-guestfs-security-document.patch
+ CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
+
 -------------------------------------------------------------------
 Wed Jun 29 09:51:03 MDT 2022 - carnold@suse.com
 
-- bsc#1201064 - Libguestfs: Buffer overflow in get_keys leads
- to DOS
- CVE-2022-2211
+- CVE-2022-2211 - Fix buffer overflow in get_keys()
 CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
 CVE-2022-2211-docs-guestfs-security-document.patch
diff --git a/libguestfs.spec b/libguestfs.spec
index 137f792..f6bafc7 100644
--- a/libguestfs.spec
+++ b/libguestfs.spec
@@ -18,7 +18,7 @@ Name: libguestfs
 ExclusiveArch: x86_64 ppc64 ppc64le s390x aarch64
-Version: 1.48.3
+Version: 1.48.4
 Release: 0
 Summary: Access and modify virtual machine disk images
 License: GPL-2.0-or-later
@@ -32,8 +32,6 @@ Source100: mount-rootfs-and-chroot.sh
 Source101: README
 # Patches
-Patch1: CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
-Patch2: CVE-2022-2211-docs-guestfs-security-document.patch
 BuildRequires: bison
 BuildRequires: file-devel
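Review bot: Dropping `Patch1` and `Patch2` under `# Patches` leaves nothing in the spec recording that the CVE-2022-2211 fix now comes from the tarball, so a later audit has to rediscover which upstream change closes it; the removed patch header earlier in this diff names that change as common-submodule commit 35467027f657. A one-line comment beside the new `Version: 1.48.4` would keep that traceable, e.g. `# 1.48.4 carries the CVE-2022-2211 get_keys() fix (common submodule 35467027f657); local patches dropped`. If `%prep` still applies the patches by number, that part lies outside this hunk and would need the matching removal; the hunk does not show it.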