- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow

remote execution
  uri-Sanitize-user-provided-hostnames.patch

_service

@@ -1,7 +1,7 @@
 <services>
   <service name="tar_scm" mode="manual">
     <param name="filename">libnbd</param>
-    <param name="revision">v1.24.0</param>
+    <param name="revision">v1.22.2</param>
     <param name="scm">git</param>
     <param name="submodules">disable</param>
     <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
-              <param name="changesrevision">7df1ebd896ccccbb4ae7bdcdd4580fa16a708eb6</param></service></servicedata>
+              <param name="changesrevision">5f55a26f3a776c11049a27154b1f2b59b8c335da</param></service></servicedata>

libnbd-1.24.0.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f086d321fe3a41c70b4dead88e7bac006bc7ab526c55bdd1c2c226f4c14fca83
-size 503324

libnbd.changes

@@ -1,200 +1,9 @@
 -------------------------------------------------------------------
-Tue Dec 16 16:29:46 UTC 2025 - Charles Arnold <carnold@suse.com>
+Wed Nov  5 11:03:52 MST 2025 - carnold@suse.com
 
-- Update to version 1.24.0:
-  * Version 1.24.0.
-  * docs: Finalize release notes for libnbd 1.24
-  * ci/lcitool/projects/libnbd.yml: Add 'tar' as an explicit dependency
-  * misc: Require libxml2 / URI support for these tests
-  * tests: Add an explicit 'requires_uri' for URI support
-  * ci: Update various OS versions
-  * generator: Rework description of nbd_set_tls_priority
-  * Version 1.23.13.
-  * tests: Add a test of tls-priority
-  * lib: In nbd_get_uri return tls-priority if non-default
-  * lib: Add tls-priority to URIs, but disable it by default
-  * generator/API.ml: Arrange tls-* URI parameters in order
-  * lib: Use the TLS priority from the handle
-  * lib: Add nbd_get_tls_priority and nbd_set_tls_priority
-  * rust: Allow piped links in POD documentation
-  * lib/crypto.c: Support extra client keys for hybrid PQC
-  * configure: Print TLS priority in summary output
-  * vector: Fine-tune vector_reserve behavior
-  * misc: Fix tab-completion of -h/--help options
-  * Version 1.23.12.
-  * docs: Add outline release notes for libnbd 1.24
-  * misc: Rename -f/--fast as --fast-zero
-  * misc/nbddiscard.pod: Document --check & --fast in alphabetical order
-  * misc/nbddiscard.pod: Document short and long options in synopsis
-  * sh: Add an example of writing to the disk using nbdsh
-  * sh: Link to nbdkit(1)
-  * sh: Link to nbddump from the hexdump example
-  * misc: Add nbdzero --fast
-  * misc: Add nbddiscard --check
-  * misc: Avoid traceback on NBD errors in nbddiscard
-  * misc: Enhance nbddiscard/nbdzero range tests
-  * tests: Add define() to functions.sh
-  * Version 1.23.11.
-  * misc: Fix creation of nbdzero symlink
-  * misc/nbddiscard.in: Fix tests on macOS
-  * misc/nbddiscard: Generate shebang with correct path to python
-  * copy: Link --destination-is-zero option to new tools nbddiscard/nbdzero
-  * misc/nbdzero.1: Fix link to nbddiscard(1)
-  * Version 1.23.10.
-  * Add new 'nbddiscard' and 'nbdzero' tools
-  * tests: Fix missing exit in some tests
-  * Update TODO
-  * configure: Add new macro to print package version
-  * copy: Skip some tests when running on ZFS
-  * copy/copy-allocated-destination-zero-*.sh: Remove test for /dev/zero
-  * docs/libnbd-security.pod: Add section for recent nbd+ssh security issue
-  * Version 1.23.9.
-  * uri: Sanitize user-provided hostnames
-  * lib/uri.c: Replace boolean parsing code with common nbdkit code
-  * common/include: Extra bool parsing into a mini-library
-  * common/include: Add locale-safe ascii_strcasecmp and ascii_strncasecmp.
-  * Version 1.23.8.
-  * lib/uri: Allow ssh compression to be controlled from URIs
-  * generator: Additional checking for longdesc
-  * generator/API.ml: Make longdesc fields consistent
-  * generator: Use quoted string literals in many places
-  * generator: Use quoted string literals for regular expressions
-  * ocaml: Deal with fallback case
-  * examples/connect-benchmark.c: Include <stdatomic.h> or fall back
-  * docs: Minor copyediting to export name documentation
-  * docs: Document which NBD URI features are non-standard
-  * tests: Add a test of tls-username in NBD URIs
-  * lib/uri.c: Replace nbd-user with tls-username
-  * Version 1.23.7.
-  * docs: nbd_connect_uri: Combine export name sections together
-  * docs: nbd_connect_uri: Minor copyedits
-  * docs: nbd_connect_uri: Split up URI parsing section
-  * lib/uri.c: Add nbd-port and nbd-user parameters
-  * lib/uri.c: Return EINVAL errno for invalid SSH username
-  * lib/uri: Refactor long connect_uri function
-  * lib/uri.c: Use uri_query_list functions to free
-  * lib/uri.c: Add static annotation to parse_bool
-  * lib/uri.c: Factor out common char port_str[32]
-  * lib: Convert nbd+ssh://user@.. to SSH username
-  * docs: Clarify documentation for export names in nbd_connect_uri
-  * docs: Add S<...> around qemu versions to avoid distracting linebreak
-  * generator: rust: Parse S<...> (non-breaking spaces) in POD
-  * generator: rust: Allow nested X<..X<..>..> expressions in POD
-  * generator: Don't list nbd_is_uri as a "flag call"
-  * generator: Clarify documentation for nbd_set_private_data
-  * Version 1.23.6.
-  * ocaml: Get a better estimate of the size of the libnbd handle
-  * lib: When debugging is enabled print the size of the handle
-  * lib: New API nbd_get_handle_size to estimate the handle size
-  * ocaml: Small tweaks to the generated documentation
-  * ci: Remove fedora-40, alpine-320, add fedora-42, alpine-322
-  * python: Implement indexing and slicing for nbd.Buffer
-  * python: Add libnbd-python(3) documentation
-  * common: utils: Add const to <vector>_duplicate variable decls
-  * copy, info: Use new vector_array_append functions in a couple of places
-  * common: utils: vector: Fix vector_uniq prototype and add a test
-  * common: utils: vector: Add range functions for insert, append and remove
-  * common: utils: vector: Prefer vector_reset over free()
-  * common: utils: vector: Add new vector_uniq function
-  * common/utils: Add convenient string_append_format function
-  * Version 1.23.5.
-  * tools: Add extra version information in the output of --version
-  * ublk: Remove unused EXPECTED_VERSION
-  * lib: New API: nbd_get_version_extra
-  * build: Add ./configure --with-extra="..."
-  * todo: Remove a couple of minor features that have been implemented
-  * Version 1.23.4.
-  * api: Relax LIBNBD_STRICT_ALIGN for unaligned image size
-  * info: Tolerate nbdkit slop on large extents
-  * generator: Avoid const-correctness warnings in golang
-  * generator: Optimize buffer size on macOS and Linux
-  * ocaml: Implement NBD.Buffer.is_zero
-  * maint: Spelling fixes
-  * ci: Disable cross-builds of Rust
-  * rust: Allow cargo build --target $RUST_TARGET to be set
-  * Version 1.23.3.
-  * copy: Test --allocated + --destination-is-zero options together
-  * copy: Test --destination-is-zero option
-  * copy: Test --allocated option more thoroughly
-  * copy: Add a test of the --flush option
-  * copy: Remove output file in a few tests
-  * build: Print rustc version in ./configure output
-  * generator: Improve the comment for set_buffers
-  * Set socket buffer only for unix socket
-  * rust: Use nbd.is_uri in examples
-  * Set socket receive and send buffers on macOS
-  * ci: Skip go on FreeBSD 14
-  * ci: Update to latest
-  * copy: Fix file allocation when using --allocated
-  * copy: Fix file_sync_zero when allocate == true
-  * copy: Consider options when zeroing in synch mode
-  * copy: Fix corrupted hash on incomplete read
-  * copy: Enable zero optimization for allocated extents
-  * copy: Shrink struct block
-  * copy: Define block_type outside of block struct
-  * copy: Fix crash when blkhash size is not a power of 2
-  * Version 1.23.2.
-  * copy: Hard error if sync_file_range fails
-  * Version 1.23.1.
-  * copy: Add --blkhash option
-  * info/info-uri-nbds.sh: Fix test if compiled without GnuTLS
-  * copy: Set the total size in bytes copied
-  * copy: progress: Add a comment about size and pipes
-  * build: Create sections in the configure file
-  * build: Add heading about basic build environment
-  * build: Only use ANSI colour sequences if stdout is a terminal
-  * build: Embolden headings in configure output
-  * build: Colourize features
-
--------------------------------------------------------------------
-Tue Oct 28 16:11:08 UTC 2025 - Charles Arnold <carnold@suse.com>
-
-- Update to version 1.22.5:
-  * Version 1.22.5.
-  * lib/uri.c: Fix indices in SSH command array.
-    Fixes bsc#1253059, bsc#1255432 - CVE-2025-14946
-  * uri: Sanitize user-provided hostnames
-  * examples/connect-benchmark.c: Include <stdatomic.h> or fall back
-  * docs: Minor copyediting to export name documentation
-
--------------------------------------------------------------------
-Fri Sep 05 21:02:25 UTC 2025 - Charles Arnold <carnold@suse.com>
-
-- Update to version 1.22.4:
-  * Version 1.22.4.
-  * docs: nbd_connect_uri: Combine export name sections together
-  * docs: nbd_connect_uri: Minor copyedits
-  * docs: nbd_connect_uri: Split up URI parsing section
-  * lib/uri.c: Use uri_query_list functions to free
-  * lib/uri.c: Add static annotation to parse_bool
-  * docs: Clarify documentation for export names in nbd_connect_uri
-  * docs: Add S<...> around qemu versions to avoid distracting linebreak
-  * generator: rust: Parse S<...> (non-breaking spaces) in POD
-  * generator: rust: Allow nested X<..X<..>..> expressions in POD
-  * generator: Don't list nbd_is_uri as a "flag call"
-  * generator: Clarify documentation for nbd_set_private_data
-  * ocaml: Small tweaks to the generated documentation
-  * ci: Remove fedora-40, alpine-320, add fedora-42, alpine-322
-  * common: utils: Add const to <vector>_duplicate variable decls
-  * copy, info: Use new vector_array_append functions in a couple of places
-  * common: utils: vector: Fix vector_uniq prototype and add a test
-  * common: utils: vector: Add range functions for insert, append and remove
-  * common: utils: vector: Prefer vector_reset over free()
-  * common: utils: vector: Add new vector_uniq function
-  * common/utils: Add convenient string_append_format function
-
--------------------------------------------------------------------
-Thu Jul 31 17:01:32 UTC 2025 - Charles Arnold <carnold@suse.com>
-
-- Update to version 1.22.3:
-  * Version 1.22.3.
-  * ublk: Remove unused EXPECTED_VERSION
-  * todo: Remove a couple of minor features that have been implemented
-  * info: Tolerate nbdkit slop on large extents
-  * generator: Avoid const-correctness warnings in golang
-  * maint: Spelling fixes
-  * ci: Disable cross-builds of Rust
-  * rust: Allow cargo build --target $RUST_TARGET to be set
+- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow
+  remote execution
+  uri-Sanitize-user-provided-hostnames.patch
 
 -------------------------------------------------------------------
 Tue May 06 22:48:02 UTC 2025 - jfehlig@suse.com

libnbd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libnbd
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,12 +19,13 @@
 %define sover 0
 
 Name:           libnbd
-Version:        1.24.0
+Version:        1.22.2
 Release:        0
 Summary:        NBD client library in userspace
 License:        LGPL-2.1-or-later
 URL:            https://gitlab.com/nbdkit/libnbd
 Source0:        %{name}-%{version}.tar.bz2
+Patch1:         uri-Sanitize-user-provided-hostnames.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -161,13 +162,9 @@ done
 %{_bindir}/nbdcopy
 %{_bindir}/nbddump
 %{_bindir}/nbdinfo
-%{_bindir}/nbddiscard
-%{_bindir}/nbdzero
 %{_mandir}/man1/nbdcopy.1*
 %{_mandir}/man1/nbddump.1*
-%{_mandir}/man1/nbddiscard.1*
 %{_mandir}/man1/nbdinfo.1*
-%{_mandir}/man1/nbdzero.1*
 
 %files -n libnbd%{sover} -f %name.files
 %license COPYING.LIB
@@ -180,7 +177,6 @@ done
 %{_libdir}/pkgconfig/libnbd.pc
 %{_mandir}/man3/libnbd.3*
 %{_mandir}/man3/libnbd-ocaml.3.gz
-%{_mandir}/man3/libnbd-python.3*
 %{_mandir}/man1/libnbd-release-notes-1.*.1*
 %{_mandir}/man3/libnbd-security.3*
 %{_mandir}/man3/nbd_*.3*

uri-Sanitize-user-provided-hostnames.patch

@@ -0,0 +1,66 @@
+Subject: uri: Sanitize user-provided hostnames
+From: Eric Blake eblake@redhat.com Mon Oct 13 10:01:21 2025 -0500
+Date: Tue Oct 21 15:30:19 2025 -0500:
+Git: f461fe64d21fe8a6d32b56ccb50d06489d2e2698
+
+Dan Berrangé ran a free trial of zeropath (http://zeropath.com/) AI
+analysis on libnbd, and it highlighted the following:
+
+ "When using nbd+ssh:// URIs the library constructs an argv array for
+ ssh from parsed URI parts (server, port, user, unix socket, nbd-port)
+ and execs it. The server component is used directly as an ssh
+ argument; if it begins with '-' an attacker can inject ssh options
+ (e.g. -oProxyCommand=...) that cause ssh to run local commands. There
+ is no protection (such as rejecting leading '-' in server or inserting
+ a '--' to stop option parsing), so an attacker who can supply the URI
+ can cause local command execution in the client process."
+
+ eg with this....  "nbdinfo nbd+ssh://-oProxyCommand=rm%20run.in"
+ you'll get a failure to start the NBD connection, but it none the less
+ deletes the file 'run.in' in the local working directory
+
+The RFCs are vague enough that it is not immediately obvious whether
+there is any possibility of a valid hostname with a leading - (see
+https://www.netmeister.org/blog/hostnames.html).  Still, it is better
+to pass the user's string on to ssh's determination of a valid
+hostname (which does appear to reject leading -) rather than trying to
+teach libnbd what patterns to allow, and thereby avoid risking any
+pattern written in libnbd accidentally being too restrictive.  Do this
+by using "--" to end ssh options before the hostname, but that in turn
+must come after any use of -oUser=.  With this in place, we now get a
+sane error rather than spawning a calculator with:
+
+$ nbdinfo nbd+ssh://-oProxyCommand=gnome-calculator
+hostname contains invalid characters
+/home/eblake/libnbd/info/.libs/nbdinfo: nbd_connect_uri: recv: server disconnected unexpectedly
+
+See also Libvirt commit e4cb8500 (Aug 2017), which in turn was
+inspired by GIT security flaws
+(http://blog.recurity-labs.com/2017-08-10/scm-vulns).  We have put out
+a request to Red Hat security on whether this warrants a CVE in
+libnbd; however, as the problem was easy to identify using only free
+AI resources, and the problem itself is relatively low priority (to
+exploit it, an attacker has to convince an admin to run a program that
+will use libnbd on an untrusted URI), so we are publishing this now
+rather than waiting for any embargo.  If a CVE is assigned, it will be
+announced to the mailing list in a followup post.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+CC: Daniel P. Berrangé <berrange@redhat.com>
+
+(cherry picked from commit fffd87a3ba216cf2f9c212e5db96b13b98985edf)
+Conflicts:
+	lib/uri.c - no username override, backport looks different
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+--- a/lib/uri.c
++++ b/lib/uri.c
+@@ -446,7 +446,7 @@ nbd_unlocked_aio_connect_uri (struct nbd
+   case ssh: {                   /* SSH */
+     char port_str[32];
+     const char *ssh_command[] = {
+-      "ssh", "-p", port_str, uri->server,
++      "ssh", "-p", port_str, "--", uri->server,
+       "nc",
+       NULL,                     /* [5] "-U" or "localhost" */
+       NULL,                     /* [6] socket or "10809" */