diff --git a/4451e5b6-CVE-2023-5871.patch b/4451e5b6-CVE-2023-5871.patch deleted file mode 100644 index 982939e..0000000 --- a/4451e5b6-CVE-2023-5871.patch +++ /dev/null @@ -1,82 +0,0 @@ -commit 4451e5b61ca07771ceef3e012223779e7a0c7701 -Author: Eric Blake -Date: Mon Oct 30 12:50:53 2023 -0500 - - generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871 - - Another round of fuzz testing revealed that when a server negotiates - extended headers and replies with a 64-bit flag value where the client - used the 32-bit API command, we were correctly flagging the server's - response as being an EOVERFLOW condition, but then immediately failing - in an assertion failure instead of reporting it to the application. - - The following one-byte change to qemu.git at commit fd9a38fd43 allows - the creation of an intentionally malicious server: - - | diff --git i/nbd/server.c w/nbd/server.c - | index 859c163d19f..32e1e771a95 100644 - | --- i/nbd/server.c - | +++ w/nbd/server.c - | 
@@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea) - | - | for (i = 0; i < ea->count; i++) { - | ea->extents[i].length = cpu_to_be64(ea->extents[i].length); - | - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags); - | + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags); - | } - | } - - and can then be detected with the following command line: - - $ nbdsh -c - <<\EOF - > def f(a,b,c,d): - > pass - > - > h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd", - > "-r", "-f", "raw", "TODO"]) - > h.block_staus(h.get_size(), 0, f) - > EOF - nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed. - Aborted (core dumped) - - whereas a fixed libnbd will give: - - nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type - - We can either relax the assertion (by changing to 'assert ((len | - flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags - to make the existing assertion reliable. This patch goes with the - latter approach. - - Sadly, this crash is possible in all existing 1.18.x stable releases, - if they were built with assertions enabled (most distros do this by - default), meaning a malicious server has an easy way to cause a Denial - of Service attack by triggering the assertion failure in vulnerable - clients, so we have assigned this CVE-2023-5871. Mitigating factors: - the crash only happens for a server that sends a 64-bit status block - reply (no known production servers do so; qemu 8.2 will be the first - known server to support extended headers, but it is not yet released); - and as usual, a client can use TLS to guarantee it is connecting only - to a known-safe server. 
If libnbd is compiled without assertions, - there is no crash or other mistaken behavior; and when assertions are - enabled, the attacker cannot accomplish anything more than a denial of - service. - - Reported-by: Richard W.M. Jones - Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4) - Signed-off-by: Eric Blake - (cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6) - Signed-off-by: Eric Blake - -Index: libnbd-1.18.1/generator/states-reply-chunk.c -=================================================================== ---- libnbd-1.18.1.orig/generator/states-reply-chunk.c -+++ libnbd-1.18.1/generator/states-reply-chunk.c -@@ -600,6 +600,7 @@ STATE_MACHINE { - break; /* Skip this and later extents; we already made progress */ - /* Expose this extent as an error; we made no progress */ - cmd->error = cmd->error ? : EOVERFLOW; -+ flags = (uint32_t)flags; - } - } - diff --git a/_service b/_service index 33b7879..a7e907e 100644 --- a/_service +++ b/_service @@ -1,7 +1,7 @@ - + libnbd - v1.18.1 + v1.18.4 git disable https://gitlab.com/nbdkit/libnbd.git @@ -10,9 +10,9 @@ \1 enable - + *.tar bz2 - + diff --git a/_servicedata b/_servicedata index 6ec303e..4bf2686 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://gitlab.com/nbdkit/libnbd.git - ebadf0df2122edb99361c66f78ac1f90f1500f96 \ No newline at end of file + d2e14942c87901db13f99c56e5a93eab7d79617c \ No newline at end of file diff --git a/libnbd-1.18.1.tar.bz2 b/libnbd-1.18.1.tar.bz2 deleted file mode 100644 index 5cc61b8..0000000 --- a/libnbd-1.18.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9e2526fdb4ab4b18b877b539fdd560a56fc2b46acea5b8077270ea78abb91dc6 -size 438122 diff --git a/libnbd-1.18.4.tar.bz2 b/libnbd-1.18.4.tar.bz2 new file mode 100644 index 0000000..9ce0246 --- /dev/null +++ b/libnbd-1.18.4.tar.bz2 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c5d129ec5cbb189ca454218bf2283d2de684788300a0485f7f4378eaac95db58 +size 440557 diff --git a/libnbd.changes b/libnbd.changes index f86ec72..e063909 100644 --- a/libnbd.changes +++ b/libnbd.changes 
@@ -1,3 +1,73 @@ +------------------------------------------------------------------- +Thu Apr 18 20:01:31 UTC 2024 - jfehlig@suse.com + +- Update to version 1.18.4: + * Version 1.18.4. + * tests/connect-uri: Remove -DPIDFILE, generate it implicitly + * rust: Make the struct Cookie internal field fully public + * interop/block-status-64.c: Fix skip path under valgrind + * Revert "valgrind: Add suppression for liblzma bug" + * ocaml: Add ocamlfind -package to ocamldoc invocation + * info/can.c: Assert that 'can' variable is set + * info: Fix error message + * info: Add note that --can/--is/--has are synonyms + * info: Handle failure of call to file + * fuzzing: Add a comment that the libfuzzer test is unmaintained + * Version 1.18.3. + * tests/opt-info.c: Free string returned by nbd_get_export_name + * valgrind: Add suppression for liblzma bug + * info: Try harder to report contents from nbd-server + * copy: Add test for server without meta context support + * api: Fix nbd_can_meta_context for server that lacks meta contexts + * copy, info: Treat can_meta_context failures as unsupported + * configure: Copy bash-completions test from nbdkit + * podwrapper: Ignore check on older versions of Perl + * podwrapper: Allow = (POD directive) followed by bare URL + * podwrapper: Check for bare URLs and suggest replacement with L<> links + * podwrapper: Move long lines and cross-reference checks earlier + * tests: Missed another C test which didn't use NBDKIT + * tests: Use $NBDKIT instead of plain 'nbdkit' + * tests: Use 'source ./function.sh' consistently in this directory + * ocaml/tests: Add replacement for Bytes.set_int64_be + * ocaml/tests: Add explicit dependency on ocaml_test_config.cm{o,x} + * build: Define the minimum required version of OCaml as 4.05 + * generator: Remove definition of sort_uniq + * configure: Annotate OCaml tests by version of OCaml + * ci: Skip certain deadlocking nbd-server tests on Alpine 3.19 + * docs: Clarify description of block size 
constraints + * ocaml: tests: Compute srcdir centrally in Ocaml_test_config module + * ocaml: tests: Use @NBDKIT@ instead of hard coding nbdkit + * python: tests: Use $NBDKIT instead of hard coding nbdkit + * python: Various fixes to the Python tests and test wrapper + * tests: Use wait_for_pidfile instead of open-coded loops + * tests: Define NBD_SERVER in config.h and use it for requires tests + * tests: Define QEMU_NBD in config.h and use it for requires tests + * maint: Be more consistent about using ./configure-defined @NBDKIT@ + * maint: Be more consistent about using ./configure-defined @QEMU_NBD@ + * interop: Prefer exporting QEMU_STORAGE_DAEMON through tests/functions.sh + * interop: Use nbd-server FORCEDTLS mode + * interop: Test write, flush and zero operations + * interop: Add nbd-server flush flag + * interop: Remove -DNEEDS_TMPFILE + * maint: Use @LN_S@ autoconf macro in preference to writing out 'ln -s' + * tests: connect-uri: Choose random port for TCP connections at runtime + * tests: connect-uri: Change how Unix domain sockets are generated + * docs: Fix accidental double line in SECURITY file + * bash: Make nbdfuse and nbdublk installation conditional + * Version 1.18.2. + * ocaml: Nullify custom block before releasing runtime lock + * ocaml: Use Gc.finalize instead of a C finalizer + * ci: Update to latest lcitool + * rust: Avoid compiler warning about unused import + * docs: Mention CVE-2023-5871 + * New mailing list archives + * fuzzing: We need to disable Rust bindings when building fuzzer version + * tests: Check behavior of nbd_set_strict_mode(STRICT_AUTO_FLAG) + * docs: Fix incorrect xref in libnbd-release-notes for 1.18 + * generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871 + * Drop patch 4451e5b6-CVE-2023-5871.patch, which is now included + in the stable-1.18 branch + ------------------------------------------------------------------- Tue Dec 12 12:12:12 UTC 2023 - ohering@suse.de 
diff --git a/libnbd.spec b/libnbd.spec index 56334d9..235941d 100644 --- a/libnbd.spec +++ b/libnbd.spec @@ -1,7 +1,7 @@ # # spec file for package libnbd # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,20 +19,19 @@ %define sover 0 Name: libnbd -Version: 1.18.1 +Version: 1.18.4 Release: 0 Summary: NBD client library in userspace License: LGPL-2.1-or-later URL: https://gitlab.com/nbdkit/libnbd Source0: %{name}-%{version}.tar.bz2 -Patch0: 4451e5b6-CVE-2023-5871.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: fdupes BuildRequires: libtool BuildRequires: ocaml-findlib -BuildRequires: pkg-config BuildRequires: ocaml-rpm-macros +BuildRequires: pkg-config BuildRequires: ocaml(compiler) BuildRequires: perl(Pod::Man) BuildRequires: perl(Pod::Simple)
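Review bot: dropping 4451e5b6-CVE-2023-5871.patch together with the `Patch0:` line in libnbd.spec is only safe if nothing in %prep still applies patch 0; the spec hunk shown stops at the BuildRequires block, so please confirm there is no stale `%patch0 -p1` (or equivalent) left in %prep, which would break the build now that Source0 is the 1.18.4 tarball. The libnbd.changes entry lists "generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871" among the 1.18.2 items, so the `flags = (uint32_t)flags;` change from the dropped patch is carried by the new tarball and the CVE fix is not lost by this removal.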
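Review bot: _service now pins revision v1.18.4 while _servicedata records commit d2e14942c87901db13f99c56e5a93eab7d79617c; please confirm that this is the commit the v1.18.4 tag resolves to in https://gitlab.com/nbdkit/libnbd.git, since a mismatch would rebuild from a different tree than the libnbd-1.18.4.tar.bz2 LFS pointer (and its recorded sha256) added in this commit, and the CVE-2023-5871 fix would then be assumed rather than verified.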
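Review bot: the "Drop patch 4451e5b6-CVE-2023-5871.patch, which is now included in the stable-1.18 branch" line in libnbd.changes would be easier for the security tracker to correlate if it stated outright that the package now ships the CVE-2023-5871 fix via the upstream release (the list places it under "Version 1.18.2."); as written, the CVE appears in that line only as part of the file name.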
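Review bot: the move of `BuildRequires: pkg-config` below `BuildRequires: ocaml-rpm-macros` in libnbd.spec is an unrelated cosmetic reorder inside a version-bump commit; either drop it or mention it in the changelog entry so the diff stays attributable to the 1.18.4 update.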