Accepting request 1168942 from home:jfehlig:branches:Virtualization
- Update to version 1.18.4:
  * Version 1.18.4.
  * tests/connect-uri: Remove -DPIDFILE, generate it implicitly
  * rust: Make the struct Cookie internal field fully public
  * interop/block-status-64.c: Fix skip path under valgrind
  * Revert "valgrind: Add suppression for liblzma bug"
  * ocaml: Add ocamlfind -package to ocamldoc invocation
  * info/can.c: Assert that 'can' variable is set
  * info: Fix error message
  * info: Add note that --can/--is/--has are synonyms
  * info: Handle failure of call to file
  * fuzzing: Add a comment that the libfuzzer test is unmaintained
  * Version 1.18.3.
  * tests/opt-info.c: Free string returned by nbd_get_export_name
  * valgrind: Add suppression for liblzma bug
  * info: Try harder to report contents from nbd-server
  * copy: Add test for server without meta context support
  * api: Fix nbd_can_meta_context for server that lacks meta contexts
  * copy, info: Treat can_meta_context failures as unsupported
  * configure: Copy bash-completions test from nbdkit
  * podwrapper: Ignore check on older versions of Perl
  * podwrapper: Allow = (POD directive) followed by bare URL
  * podwrapper: Check for bare URLs and suggest replacement with L<> links
  * podwrapper: Move long lines and cross-reference checks earlier
  * tests: Missed another C test which didn't use NBDKIT
  * tests: Use $NBDKIT instead of plain 'nbdkit'
  * tests: Use 'source ./function.sh' consistently in this directory
  * ocaml/tests: Add replacement for Bytes.set_int64_be
  * ocaml/tests: Add explicit dependency on ocaml_test_config.cm{o,x}
  * build: Define the minimum required version of OCaml as 4.05

OBS-URL: https://build.opensuse.org/request/show/1168942
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libnbd?expand=0&rev=33
parent 4bee7820cf
commit c1b29b222e
@ -1,82 +0,0 @@
|
|||||||
commit 4451e5b61ca07771ceef3e012223779e7a0c7701
|
|
||||||
Author: Eric Blake <eblake@redhat.com>
|
|
||||||
Date: Mon Oct 30 12:50:53 2023 -0500
|
|
||||||
|
|
||||||
generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
|
|
||||||
|
|
||||||
Another round of fuzz testing revealed that when a server negotiates
|
|
||||||
extended headers and replies with a 64-bit flag value where the client
|
|
||||||
used the 32-bit API command, we were correctly flagging the server's
|
|
||||||
response as being an EOVERFLOW condition, but then immediately failing
|
|
||||||
in an assertion failure instead of reporting it to the application.
|
|
||||||
|
|
||||||
The following one-byte change to qemu.git at commit fd9a38fd43 allows
|
|
||||||
the creation of an intentionally malicious server:
|
|
||||||
|
|
||||||
| diff --git i/nbd/server.c w/nbd/server.c
|
|
||||||
| index 859c163d19f..32e1e771a95 100644
|
|
||||||
| --- i/nbd/server.c
|
|
||||||
| +++ w/nbd/server.c
|
|
||||||
| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
|
|
||||||
|
|
|
||||||
| for (i = 0; i < ea->count; i++) {
|
|
||||||
| ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
|
|
||||||
| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
|
|
||||||
| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
|
|
||||||
| }
|
|
||||||
| }
|
|
||||||
|
|
||||||
and can then be detected with the following command line:
|
|
||||||
|
|
||||||
$ nbdsh -c - <<\EOF
|
|
||||||
> def f(a,b,c,d):
|
|
||||||
> pass
|
|
||||||
>
|
|
||||||
> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
|
|
||||||
> "-r", "-f", "raw", "TODO"])
|
|
||||||
> h.block_staus(h.get_size(), 0, f)
|
|
||||||
> EOF
|
|
||||||
nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
|
|
||||||
Aborted (core dumped)
|
|
||||||
|
|
||||||
whereas a fixed libnbd will give:
|
|
||||||
|
|
||||||
nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
|
|
||||||
|
|
||||||
We can either relax the assertion (by changing to 'assert ((len |
|
|
||||||
flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
|
|
||||||
to make the existing assertion reliable. This patch goes with the
|
|
||||||
latter approach.
|
|
||||||
|
|
||||||
Sadly, this crash is possible in all existing 1.18.x stable releases,
|
|
||||||
if they were built with assertions enabled (most distros do this by
|
|
||||||
default), meaning a malicious server has an easy way to cause a Denial
|
|
||||||
of Service attack by triggering the assertion failure in vulnerable
|
|
||||||
clients, so we have assigned this CVE-2023-5871. Mitigating factors:
|
|
||||||
the crash only happens for a server that sends a 64-bit status block
|
|
||||||
reply (no known production servers do so; qemu 8.2 will be the first
|
|
||||||
known server to support extended headers, but it is not yet released);
|
|
||||||
and as usual, a client can use TLS to guarantee it is connecting only
|
|
||||||
to a known-safe server. If libnbd is compiled without assertions,
|
|
||||||
there is no crash or other mistaken behavior; and when assertions are
|
|
||||||
enabled, the attacker cannot accomplish anything more than a denial of
|
|
||||||
service.
|
|
||||||
|
|
||||||
Reported-by: Richard W.M. Jones <rjones@redhat.com>
|
|
||||||
Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
|
|
||||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
||||||
(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
|
|
||||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
||||||
|
|
||||||
Index: libnbd-1.18.1/generator/states-reply-chunk.c
|
|
||||||
===================================================================
|
|
||||||
--- libnbd-1.18.1.orig/generator/states-reply-chunk.c
|
|
||||||
+++ libnbd-1.18.1/generator/states-reply-chunk.c
|
|
||||||
@@ -600,6 +600,7 @@ STATE_MACHINE {
|
|
||||||
break; /* Skip this and later extents; we already made progress */
|
|
||||||
/* Expose this extent as an error; we made no progress */
|
|
||||||
cmd->error = cmd->error ? : EOVERFLOW;
|
|
||||||
+ flags = (uint32_t)flags;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
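Review bot: Before this patch file is dropped, confirm that the 1.18.4 tarball carries the `flags = (uint32_t)flags;` line in generator/states-reply-chunk.c directly after `cmd->error = cmd->error ? : EOVERFLOW;`, since that single line is the whole CVE-2023-5871 fix. The reproducer quoted in the removed commit message calls `h.block_staus(...)`, a misspelling of block_status, and still has "TODO" where the image path goes, so it cannot be reused unchanged as a regression check against the new version.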
8
_service
@ -1,7 +1,7 @@
|
|||||||
<services>
|
<services>
|
||||||
<service name="tar_scm" mode="disabled">
|
<service name="tar_scm" mode="manual">
|
||||||
<param name="filename">libnbd</param>
|
<param name="filename">libnbd</param>
|
||||||
<param name="revision">v1.18.1</param>
|
<param name="revision">v1.18.4</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="submodules">disable</param>
|
<param name="submodules">disable</param>
|
||||||
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
|
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
|
||||||
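Review bot: The tar_scm `revision` parameter is the tag name v1.18.4, and a tag can be moved upstream; the only commit-level pin on this page is `changesrevision` d2e14942c87901db13f99c56e5a93eab7d79617c in _servicedata. Check that the tag resolves to that hash before accepting the tarball, or set `revision` to the hash itself.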
@ -10,9 +10,9 @@
|
|||||||
<param name="versionrewrite-replacement">\1</param>
|
<param name="versionrewrite-replacement">\1</param>
|
||||||
<param name="changesgenerate">enable</param>
|
<param name="changesgenerate">enable</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="recompress" mode="disabled">
|
<service name="recompress" mode="manual">
|
||||||
<param name="file">*.tar</param>
|
<param name="file">*.tar</param>
|
||||||
<param name="compression">bz2</param>
|
<param name="compression">bz2</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="set_version" mode="disabled"/>
|
<service name="set_version" mode="manual"/>
|
||||||
</services>
|
</services>
|
||||||
|
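Review bot: All three services (tar_scm in the previous hunk, recompress and set_version here) switch from mode="disabled" to mode="manual", but the new .changes entry says nothing about it. Add a line recording the mode switch so the packaging change is documented alongside the version update.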
@ -1,4 +1,4 @@
|
|||||||
<servicedata>
|
<servicedata>
|
||||||
<service name="tar_scm">
|
<service name="tar_scm">
|
||||||
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
|
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
|
||||||
<param name="changesrevision">ebadf0df2122edb99361c66f78ac1f90f1500f96</param></service></servicedata>
|
<param name="changesrevision">d2e14942c87901db13f99c56e5a93eab7d79617c</param></service></servicedata>
|
BIN
libnbd-1.18.1.tar.bz2
(Stored with Git LFS)
Binary file not shown.
3
libnbd-1.18.4.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:c5d129ec5cbb189ca454218bf2283d2de684788300a0485f7f4378eaac95db58
|
||||||
|
size 440557
|
@ -1,3 +1,73 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 18 20:01:31 UTC 2024 - jfehlig@suse.com
|
||||||
|
|
||||||
|
- Update to version 1.18.4:
|
||||||
|
* Version 1.18.4.
|
||||||
|
* tests/connect-uri: Remove -DPIDFILE, generate it implicitly
|
||||||
|
* rust: Make the struct Cookie internal field fully public
|
||||||
|
* interop/block-status-64.c: Fix skip path under valgrind
|
||||||
|
* Revert "valgrind: Add suppression for liblzma bug"
|
||||||
|
* ocaml: Add ocamlfind -package to ocamldoc invocation
|
||||||
|
* info/can.c: Assert that 'can' variable is set
|
||||||
|
* info: Fix error message
|
||||||
|
* info: Add note that --can/--is/--has are synonyms
|
||||||
|
* info: Handle failure of call to file
|
||||||
|
* fuzzing: Add a comment that the libfuzzer test is unmaintained
|
||||||
|
* Version 1.18.3.
|
||||||
|
* tests/opt-info.c: Free string returned by nbd_get_export_name
|
||||||
|
* valgrind: Add suppression for liblzma bug
|
||||||
|
* info: Try harder to report contents from nbd-server
|
||||||
|
* copy: Add test for server without meta context support
|
||||||
|
* api: Fix nbd_can_meta_context for server that lacks meta contexts
|
||||||
|
* copy, info: Treat can_meta_context failures as unsupported
|
||||||
|
* configure: Copy bash-completions test from nbdkit
|
||||||
|
* podwrapper: Ignore check on older versions of Perl
|
||||||
|
* podwrapper: Allow = (POD directive) followed by bare URL
|
||||||
|
* podwrapper: Check for bare URLs and suggest replacement with L<> links
|
||||||
|
* podwrapper: Move long lines and cross-reference checks earlier
|
||||||
|
* tests: Missed another C test which didn't use NBDKIT
|
||||||
|
* tests: Use $NBDKIT instead of plain 'nbdkit'
|
||||||
|
* tests: Use 'source ./function.sh' consistently in this directory
|
||||||
|
* ocaml/tests: Add replacement for Bytes.set_int64_be
|
||||||
|
* ocaml/tests: Add explicit dependency on ocaml_test_config.cm{o,x}
|
||||||
|
* build: Define the minimum required version of OCaml as 4.05
|
||||||
|
* generator: Remove definition of sort_uniq
|
||||||
|
* configure: Annotate OCaml tests by version of OCaml
|
||||||
|
* ci: Skip certain deadlocking nbd-server tests on Alpine 3.19
|
||||||
|
* docs: Clarify description of block size constraints
|
||||||
|
* ocaml: tests: Compute srcdir centrally in Ocaml_test_config module
|
||||||
|
* ocaml: tests: Use @NBDKIT@ instead of hard coding nbdkit
|
||||||
|
* python: tests: Use $NBDKIT instead of hard coding nbdkit
|
||||||
|
* python: Various fixes to the Python tests and test wrapper
|
||||||
|
* tests: Use wait_for_pidfile instead of open-coded loops
|
||||||
|
* tests: Define NBD_SERVER in config.h and use it for requires tests
|
||||||
|
* tests: Define QEMU_NBD in config.h and use it for requires tests
|
||||||
|
* maint: Be more consistent about using ./configure-defined @NBDKIT@
|
||||||
|
* maint: Be more consistent about using ./configure-defined @QEMU_NBD@
|
||||||
|
* interop: Prefer exporting QEMU_STORAGE_DAEMON through tests/functions.sh
|
||||||
|
* interop: Use nbd-server FORCEDTLS mode
|
||||||
|
* interop: Test write, flush and zero operations
|
||||||
|
* interop: Add nbd-server flush flag
|
||||||
|
* interop: Remove -DNEEDS_TMPFILE
|
||||||
|
* maint: Use @LN_S@ autoconf macro in preference to writing out 'ln -s'
|
||||||
|
* tests: connect-uri: Choose random port for TCP connections at runtime
|
||||||
|
* tests: connect-uri: Change how Unix domain sockets are generated
|
||||||
|
* docs: Fix accidental double line in SECURITY file
|
||||||
|
* bash: Make nbdfuse and nbdublk installation conditional
|
||||||
|
* Version 1.18.2.
|
||||||
|
* ocaml: Nullify custom block before releasing runtime lock
|
||||||
|
* ocaml: Use Gc.finalize instead of a C finalizer
|
||||||
|
* ci: Update to latest lcitool
|
||||||
|
* rust: Avoid compiler warning about unused import
|
||||||
|
* docs: Mention CVE-2023-5871
|
||||||
|
* New mailing list archives
|
||||||
|
* fuzzing: We need to disable Rust bindings when building fuzzer version
|
||||||
|
* tests: Check behavior of nbd_set_strict_mode(STRICT_AUTO_FLAG)
|
||||||
|
* docs: Fix incorrect xref in libnbd-release-notes for 1.18
|
||||||
|
* generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871
|
||||||
|
* Drop patch 4451e5b6-CVE-2023-5871.patch, which is now included
|
||||||
|
in the stable-1.18 branch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Dec 12 12:12:12 UTC 2023 - ohering@suse.de
|
Tue Dec 12 12:12:12 UTC 2023 - ohering@suse.de
|
||||||
|
|
||||||
|
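Review bot: The "Drop patch 4451e5b6-CVE-2023-5871.patch" item at the end of the new entry is written as a `*` sub-bullet of "Update to version 1.18.4", so it reads as one more upstream commit. Make it its own top-level `-` item so the removal of a CVE patch stands out; the upstream line that backs it, "generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871", is already listed under Version 1.18.2.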
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package libnbd
|
# spec file for package libnbd
|
||||||
#
|
#
|
||||||
# Copyright (c) 2023 SUSE LLC
|
# Copyright (c) 2024 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -19,20 +19,19 @@
|
|||||||
%define sover 0
|
%define sover 0
|
||||||
|
|
||||||
Name: libnbd
|
Name: libnbd
|
||||||
Version: 1.18.1
|
Version: 1.18.4
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: NBD client library in userspace
|
Summary: NBD client library in userspace
|
||||||
License: LGPL-2.1-or-later
|
License: LGPL-2.1-or-later
|
||||||
URL: https://gitlab.com/nbdkit/libnbd
|
URL: https://gitlab.com/nbdkit/libnbd
|
||||||
Source0: %{name}-%{version}.tar.bz2
|
Source0: %{name}-%{version}.tar.bz2
|
||||||
Patch0: 4451e5b6-CVE-2023-5871.patch
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: ocaml-findlib
|
BuildRequires: ocaml-findlib
|
||||||
BuildRequires: pkg-config
|
|
||||||
BuildRequires: ocaml-rpm-macros
|
BuildRequires: ocaml-rpm-macros
|
||||||
|
BuildRequires: pkg-config
|
||||||
BuildRequires: ocaml(compiler)
|
BuildRequires: ocaml(compiler)
|
||||||
BuildRequires: perl(Pod::Man)
|
BuildRequires: perl(Pod::Man)
|
||||||
BuildRequires: perl(Pod::Simple)
|
BuildRequires: perl(Pod::Simple)
|
||||||
|
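Review bot: `Patch0: 4451e5b6-CVE-2023-5871.patch` is removed in this hunk, but no hunk on this page touches %prep. If %prep applies the patch by number rather than through %autosetup, the build will fail on the missing patch; check %prep and remove any explicit reference in the same change.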