pool/libnbd
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1168944 from Virtualization

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1168944
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libnbd?expand=0&rev=16
This commit is contained in:
Ana Guerrero 2024-04-19 17:14:34 +00:00 committed by Git OBS Bridge
commit 292474e6b5
7 changed files with 81 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
4451e5b6-CVE-2023-5871.patch
View File

@ -1,82 +0,0 @@
commit 4451e5b61ca07771ceef3e012223779e7a0c7701
Author: Eric Blake <eblake@redhat.com>
Date: Mon Oct 30 12:50:53 2023 -0500
generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
Another round of fuzz testing revealed that when a server negotiates
extended headers and replies with a 64-bit flag value where the client
used the 32-bit API command, we were correctly flagging the server's
response as being an EOVERFLOW condition, but then immediately failing
in an assertion failure instead of reporting it to the application.
The following one-byte change to qemu.git at commit fd9a38fd43 allows
the creation of an intentionally malicious server:
| diff --git i/nbd/server.c w/nbd/server.c
| index 859c163d19f..32e1e771a95 100644
| --- i/nbd/server.c
| +++ w/nbd/server.c
| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
|
| for (i = 0; i < ea->count; i++) {
| ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
| }
| }
and can then be detected with the following command line:
$ nbdsh -c - <<\EOF
> def f(a,b,c,d):
> pass
>
> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
> "-r", "-f", "raw", "TODO"])
> h.block_staus(h.get_size(), 0, f)
> EOF
nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
Aborted (core dumped)
whereas a fixed libnbd will give:
nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
We can either relax the assertion (by changing to 'assert ((len |
flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
to make the existing assertion reliable. This patch goes with the
latter approach.
Sadly, this crash is possible in all existing 1.18.x stable releases,
if they were built with assertions enabled (most distros do this by
default), meaning a malicious server has an easy way to cause a Denial
of Service attack by triggering the assertion failure in vulnerable
clients, so we have assigned this CVE-2023-5871. Mitigating factors:
the crash only happens for a server that sends a 64-bit status block
reply (no known production servers do so; qemu 8.2 will be the first
known server to support extended headers, but it is not yet released);
and as usual, a client can use TLS to guarantee it is connecting only
to a known-safe server. If libnbd is compiled without assertions,
there is no crash or other mistaken behavior; and when assertions are
enabled, the attacker cannot accomplish anything more than a denial of
service.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
Signed-off-by: Eric Blake <eblake@redhat.com>
Index: libnbd-1.18.1/generator/states-reply-chunk.c
===================================================================
--- libnbd-1.18.1.orig/generator/states-reply-chunk.c
+++ libnbd-1.18.1/generator/states-reply-chunk.c
@@ -600,6 +600,7 @@ STATE_MACHINE {
break; /* Skip this and later extents; we already made progress */
/* Expose this extent as an error; we made no progress */
cmd->error = cmd->error ? : EOVERFLOW;
+ flags = (uint32_t)flags;
}
}

8
_service
View File

@ -1,7 +1,7 @@
<services>
<service name="tar_scm" mode="disabled">
<service name="tar_scm" mode="manual">
<param name="filename">libnbd</param>
<param name="revision">v1.18.1</param>
<param name="revision">v1.18.4</param>
<param name="scm">git</param>
<param name="submodules">disable</param>
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
@ -10,9 +10,9 @@
<param name="versionrewrite-replacement">\1</param>
<param name="changesgenerate">enable</param>
</service>
<service name="recompress" mode="disabled">
<service name="recompress" mode="manual">
<param name="file">*.tar</param>
<param name="compression">bz2</param>
</service>
<service name="set_version" mode="disabled"/>
<service name="set_version" mode="manual"/>
</services>

2
_servicedata
View File

@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
<param name="changesrevision">ebadf0df2122edb99361c66f78ac1f90f1500f96</param></service></servicedata>
<param name="changesrevision">d2e14942c87901db13f99c56e5a93eab7d79617c</param></service></servicedata>

BIN
libnbd-1.18.1.tar.bz2 (Stored with Git LFS)
View File

Binary file not shown.

3
libnbd-1.18.4.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c5d129ec5cbb189ca454218bf2283d2de684788300a0485f7f4378eaac95db58
size 440557

70
libnbd.changes
View File

@ -1,3 +1,73 @@
-------------------------------------------------------------------
Thu Apr 18 20:01:31 UTC 2024 - jfehlig@suse.com
- Update to version 1.18.4:
* Version 1.18.4.
* tests/connect-uri: Remove -DPIDFILE, generate it implicitly
* rust: Make the struct Cookie internal field fully public
* interop/block-status-64.c: Fix skip path under valgrind
* Revert "valgrind: Add suppression for liblzma bug"
* ocaml: Add ocamlfind -package to ocamldoc invocation
* info/can.c: Assert that 'can' variable is set
* info: Fix error message
* info: Add note that --can/--is/--has are synonyms
* info: Handle failure of call to file
* fuzzing: Add a comment that the libfuzzer test is unmaintained
* Version 1.18.3.
* tests/opt-info.c: Free string returned by nbd_get_export_name
* valgrind: Add suppression for liblzma bug
* info: Try harder to report contents from nbd-server
* copy: Add test for server without meta context support
* api: Fix nbd_can_meta_context for server that lacks meta contexts
* copy, info: Treat can_meta_context failures as unsupported
* configure: Copy bash-completions test from nbdkit
* podwrapper: Ignore check on older versions of Perl
* podwrapper: Allow = (POD directive) followed by bare URL
* podwrapper: Check for bare URLs and suggest replacement with L<> links
* podwrapper: Move long lines and cross-reference checks earlier
* tests: Missed another C test which didn't use NBDKIT
* tests: Use $NBDKIT instead of plain 'nbdkit'
* tests: Use 'source ./function.sh' consistently in this directory
* ocaml/tests: Add replacement for Bytes.set_int64_be
* ocaml/tests: Add explicit dependency on ocaml_test_config.cm{o,x}
* build: Define the minimum required version of OCaml as 4.05
* generator: Remove definition of sort_uniq
* configure: Annotate OCaml tests by version of OCaml
* ci: Skip certain deadlocking nbd-server tests on Alpine 3.19
* docs: Clarify description of block size constraints
* ocaml: tests: Compute srcdir centrally in Ocaml_test_config module
* ocaml: tests: Use @NBDKIT@ instead of hard coding nbdkit
* python: tests: Use $NBDKIT instead of hard coding nbdkit
* python: Various fixes to the Python tests and test wrapper
* tests: Use wait_for_pidfile instead of open-coded loops
* tests: Define NBD_SERVER in config.h and use it for requires tests
* tests: Define QEMU_NBD in config.h and use it for requires tests
* maint: Be more consistent about using ./configure-defined @NBDKIT@
* maint: Be more consistent about using ./configure-defined @QEMU_NBD@
* interop: Prefer exporting QEMU_STORAGE_DAEMON through tests/functions.sh
* interop: Use nbd-server FORCEDTLS mode
* interop: Test write, flush and zero operations
* interop: Add nbd-server flush flag
* interop: Remove -DNEEDS_TMPFILE
* maint: Use @LN_S@ autoconf macro in preference to writing out 'ln -s'
* tests: connect-uri: Choose random port for TCP connections at runtime
* tests: connect-uri: Change how Unix domain sockets are generated
* docs: Fix accidental double line in SECURITY file
* bash: Make nbdfuse and nbdublk installation conditional
* Version 1.18.2.
* ocaml: Nullify custom block before releasing runtime lock
* ocaml: Use Gc.finalize instead of a C finalizer
* ci: Update to latest lcitool
* rust: Avoid compiler warning about unused import
* docs: Mention CVE-2023-5871
* New mailing list archives
* fuzzing: We need to disable Rust bindings when building fuzzer version
* tests: Check behavior of nbd_set_strict_mode(STRICT_AUTO_FLAG)
* docs: Fix incorrect xref in libnbd-release-notes for 1.18
* generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
* Drop patch 4451e5b6-CVE-2023-5871.patch, which is now included
in the stable-1.18 branch
-------------------------------------------------------------------
Tue Dec 12 12:12:12 UTC 2023 - ohering@suse.de

7
libnbd.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package libnbd
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -19,20 +19,19 @@
%define sover 0
Name: libnbd
Version: 1.18.1
Version: 1.18.4
Release: 0
Summary: NBD client library in userspace
License: LGPL-2.1-or-later
URL: https://gitlab.com/nbdkit/libnbd
Source0: %{name}-%{version}.tar.bz2
Patch0: 4451e5b6-CVE-2023-5871.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: fdupes
BuildRequires: libtool
BuildRequires: ocaml-findlib
BuildRequires: pkg-config
BuildRequires: ocaml-rpm-macros
BuildRequires: pkg-config
BuildRequires: ocaml(compiler)
BuildRequires: perl(Pod::Man)
BuildRequires: perl(Pod::Simple)