Compare commits
5 Commits
| Author | SHA256 | Date |
|---|---|---|
| | 9209bd8962 | |
| | 4e880a0308 | |
| | 2246f74653 | |
| | 6ed3b8c016 | |
| | 848a5ba6dd | |
2
_service
@@ -1,7 +1,7 @@
<services>
<service name="tar_scm" mode="manual">
<param name="filename">libnbd</param>
<param name="revision">v1.22.2</param>
<param name="revision">v1.22.4</param>
<param name="scm">git</param>
<param name="submodules">disable</param>
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
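Review bot: `revision` moves from the tag `v1.22.2` to the tag `v1.22.4`, and a tag is a movable reference, so this line alone does not pin what `tar_scm` fetches; the commit the tag resolved to is recorded as `changesrevision` in `_servicedata` (`caf41ba1847f79ab25e3a73401f8170cbe351908`), and the review should confirm that hash against upstream's `v1.22.4` tag before the update is accepted. `submodules` stays at `disable`, so nothing beyond that one commit is pulled in.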
@@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
<param name="changesrevision">5f55a26f3a776c11049a27154b1f2b59b8c335da</param></service></servicedata>
<param name="changesrevision">caf41ba1847f79ab25e3a73401f8170cbe351908</param></service></servicedata>
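Review bot: `changesrevision` changes from `5f55a26f3a776c11049a27154b1f2b59b8c335da` to `caf41ba1847f79ab25e3a73401f8170cbe351908`, which is the only full commit hash in this change set that identifies the fetched source. Because the same change set deletes the local backport `uri-Sanitize-user-provided-hostnames.patch`, the review should check that the stable-branch fix commit named in that patch header (`Git: f461fe64d21fe8a6d32b56ccb50d06489d2e2698`) is an ancestor of `caf41ba1...`; if it is not, the fix for bsc#1253059 silently disappears from the package.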
BIN
libnbd-1.22.2.tar.bz2
LFS
Binary file not shown.
3
libnbd-1.22.4.tar.bz2
Normal file
@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e3fb6a89c7ef6faf9ade7e1a2914215c9d0b5d2236ea70d044ca70f5a64e007b
size 483984
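Review bot: the pointer records `oid sha256:e3fb6a89...` and `size 483984` for `libnbd-1.22.4.tar.bz2`, but that hash is only as trustworthy as the checkout `tar_scm` produced it from, so the review should tie it back to the `changesrevision` in `_servicedata` (for example by unpacking the tarball and comparing the tree with a clean checkout of that commit). Nothing in this change set carries an upstream signature for the tarball, so the commit hash plus this sha256 are the only integrity anchors and both should be quoted in the review record.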
@@ -1,9 +1,41 @@
-------------------------------------------------------------------
Wed Nov 5 11:03:52 MST 2025 - carnold@suse.com
Fri Sep 05 21:02:25 UTC 2025 - Charles Arnold <carnold@suse.com>

- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow
remote execution
uri-Sanitize-user-provided-hostnames.patch
- Update to version 1.22.4:
* Version 1.22.4.
* docs: nbd_connect_uri: Combine export name sections together
* docs: nbd_connect_uri: Minor copyedits
* docs: nbd_connect_uri: Split up URI parsing section
* lib/uri.c: Use uri_query_list functions to free
* lib/uri.c: Add static annotation to parse_bool
* docs: Clarify documentation for export names in nbd_connect_uri
* docs: Add S<...> around qemu versions to avoid distracting linebreak
* generator: rust: Parse S<...> (non-breaking spaces) in POD
* generator: rust: Allow nested X<..X<..>..> expressions in POD
* generator: Don't list nbd_is_uri as a "flag call"
* generator: Clarify documentation for nbd_set_private_data
* ocaml: Small tweaks to the generated documentation
* ci: Remove fedora-40, alpine-320, add fedora-42, alpine-322
* common: utils: Add const to <vector>_duplicate variable decls
* copy, info: Use new vector_array_append functions in a couple of places
* common: utils: vector: Fix vector_uniq prototype and add a test
* common: utils: vector: Add range functions for insert, append and remove
* common: utils: vector: Prefer vector_reset over free()
* common: utils: vector: Add new vector_uniq function
* common/utils: Add convenient string_append_format function

-------------------------------------------------------------------
Thu Jul 31 17:01:32 UTC 2025 - Charles Arnold <carnold@suse.com>

- Update to version 1.22.3:
* Version 1.22.3.
* ublk: Remove unused EXPECTED_VERSION
* todo: Remove a couple of minor features that have been implemented
* info: Tolerate nbdkit slop on large extents
* generator: Avoid const-correctness warnings in golang
* maint: Spelling fixes
* ci: Disable cross-builds of Rust
* rust: Allow cargo build --target $RUST_TARGET to be set

-------------------------------------------------------------------
Tue May 06 22:48:02 UTC 2025 - jfehlig@suse.com
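Review bot: the bsc#1253059 entry and its `uri-Sanitize-user-provided-hostnames.patch` line are dropped, but the new `Update to version 1.22.4` entry mentions neither bsc#1253059 nor the `uri: Sanitize user-provided hostnames` change anywhere in its bullet list, so the changes file no longer records that the security fix is now carried by the version update. Suggest adding a bullet along the lines of `* uri: Sanitize user-provided hostnames (bsc#1253059)` under the 1.22.4 entry, and, since that commit is absent from the list as written, confirming that 1.22.4 really contains it before the patch is removed. Style: the new header `Wed Nov 5 11:03:52 MST 2025 - carnold@suse.com` uses a local timezone where every other entry in the hunk uses `UTC`.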
@@ -19,13 +19,12 @@
%define sover 0

Name: libnbd
Version: 1.22.2
Version: 1.22.4
Release: 0
Summary: NBD client library in userspace
License: LGPL-2.1-or-later
URL: https://gitlab.com/nbdkit/libnbd
Source0: %{name}-%{version}.tar.bz2
Patch1: uri-Sanitize-user-provided-hostnames.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: fdupes
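Review bot: `Patch1: uri-Sanitize-user-provided-hostnames.patch` is removed from the preamble, but this hunk (`@@ -19,13 +19,12 @@`) does not reach `%prep`; if the spec applied the patch with an explicit `%patch` line rather than `%autosetup` or `%autopatch`, that line has to go in the same change or the build fails. Also, no signature or keyring source is listed next to `Source0`, so the tarball's provenance rests entirely on `changesrevision` in `_servicedata` and the LFS sha256, which the review should verify explicitly.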
@@ -1,66 +0,0 @@
Subject: uri: Sanitize user-provided hostnames
From: Eric Blake eblake@redhat.com Mon Oct 13 10:01:21 2025 -0500
Date: Tue Oct 21 15:30:19 2025 -0500:
Git: f461fe64d21fe8a6d32b56ccb50d06489d2e2698

Dan Berrangé ran a free trial of zeropath (http://zeropath.com/) AI
analysis on libnbd, and it highlighted the following:

"When using nbd+ssh:// URIs the library constructs an argv array for
ssh from parsed URI parts (server, port, user, unix socket, nbd-port)
and execs it. The server component is used directly as an ssh
argument; if it begins with '-' an attacker can inject ssh options
(e.g. -oProxyCommand=...) that cause ssh to run local commands. There
is no protection (such as rejecting leading '-' in server or inserting
a '--' to stop option parsing), so an attacker who can supply the URI
can cause local command execution in the client process."

eg with this.... "nbdinfo nbd+ssh://-oProxyCommand=rm%20run.in"
you'll get a failure to start the NBD connection, but it none the less
deletes the file 'run.in' in the local working directory

The RFCs are vague enough that it is not immediately obvious whether
there is any possibility of a valid hostname with a leading - (see
https://www.netmeister.org/blog/hostnames.html). Still, it is better
to pass the user's string on to ssh's determination of a valid
hostname (which does appear to reject leading -) rather than trying to
teach libnbd what patterns to allow, and thereby avoid risking any
pattern written in libnbd accidentally being too restrictive. Do this
by using "--" to end ssh options before the hostname, but that in turn
must come after any use of -oUser=. With this in place, we now get a
sane error rather than spawning a calculator with:

$ nbdinfo nbd+ssh://-oProxyCommand=gnome-calculator
hostname contains invalid characters
/home/eblake/libnbd/info/.libs/nbdinfo: nbd_connect_uri: recv: server disconnected unexpectedly

See also Libvirt commit e4cb8500 (Aug 2017), which in turn was
inspired by GIT security flaws
(http://blog.recurity-labs.com/2017-08-10/scm-vulns). We have put out
a request to Red Hat security on whether this warrants a CVE in
libnbd; however, as the problem was easy to identify using only free
AI resources, and the problem itself is relatively low priority (to
exploit it, an attacker has to convince an admin to run a program that
will use libnbd on an untrusted URI), so we are publishing this now
rather than waiting for any embargo. If a CVE is assigned, it will be
announced to the mailing list in a followup post.

Signed-off-by: Eric Blake <eblake@redhat.com>
CC: Daniel P. Berrangé <berrange@redhat.com>

(cherry picked from commit fffd87a3ba216cf2f9c212e5db96b13b98985edf)
Conflicts:
lib/uri.c - no username override, backport looks different
Signed-off-by: Eric Blake <eblake@redhat.com>

--- a/lib/uri.c
+++ b/lib/uri.c
@@ -446,7 +446,7 @@ nbd_unlocked_aio_connect_uri (struct nbd
case ssh: { /* SSH */
char port_str[32];
const char *ssh_command[] = {
- "ssh", "-p", port_str, uri->server,
+ "ssh", "-p", port_str, "--", uri->server,
"nc",
NULL, /* [5] "-U" or "localhost" */
NULL, /* [6] socket or "10809" */
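Review bot: deleting the entire backport `uri-Sanitize-user-provided-hostnames.patch` is only correct if the 1.22.4 tarball already contains the change shown in its `lib/uri.c` hunk, the `"--"` argument inserted before `uri->server` in `ssh_command[]`; the patch header gives the exact commits to check (`Git: f461fe64d21fe8a6d32b56ccb50d06489d2e2698`, cherry-picked from `fffd87a3ba216cf2f9c212e5db96b13b98985edf`), and a grep of the unpacked `lib/uri.c` for `"--", uri->server` would confirm it in seconds. The header also notes that a CVE request to Red Hat security was pending at the time, so the review should record whether a CVE was assigned so the changes file can reference it alongside bsc#1253059.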