From 7f92a5327a55fac7592f71075fe8851c0a6f6086b511f1e2e8f091419af1b6b5 Mon Sep 17 00:00:00 2001 From: Charles Arnold Date: Tue, 12 Jul 2022 22:14:04 +0000 Subject: [PATCH] - Update to version 2.0.7 * This is a bug fix release - Drop patch contained in new tarball CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/virt-v2v?expand=0&rev=32 --- ...ions-fix-buffer-overflow-in-get_keys.patch | 116 ------------------ virt-v2v-2.0.6.tar.gz | 3 - virt-v2v-2.0.6.tar.gz.sig | 17 --- virt-v2v-2.0.7.tar.gz | 3 + virt-v2v-2.0.7.tar.gz.sig | 17 +++ virt-v2v.changes | 8 ++ virt-v2v.spec | 4 +- 7 files changed, 30 insertions(+), 138 deletions(-) delete mode 100644 CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch delete mode 100644 virt-v2v-2.0.6.tar.gz delete mode 100644 virt-v2v-2.0.6.tar.gz.sig create mode 100644 virt-v2v-2.0.7.tar.gz create mode 100644 virt-v2v-2.0.7.tar.gz.sig diff --git a/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch b/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch deleted file mode 100644 index b966203..0000000 --- a/CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch +++ /dev/null @@ -1,116 +0,0 @@ -Subject: options: fix buffer overflow in get_keys() [CVE-2022-2211] -From: Laszlo Ersek lersek@redhat.com Tue Jun 28 13:49:04 2022 +0200 -Date: Wed Jun 29 15:17:17 2022 +0200: -Git: 35467027f657de76aca34b48a6f23e9608b23a57 - -When calculating the greatest possible number of matching keys in -get_keys(), the current expression - - MIN (1, ks->nr_keys) - -is wrong -- it will return at most 1. - -If all "nr_keys" keys match however, then we require "nr_keys" non-NULL -entries in the result array; in other words, we need - - MAX (1, ks->nr_keys) - -(The comment just above the expression is correct; the code is wrong.) - -This buffer overflow is easiest to trigger in those guestfs tools that -parse the "--key" option in C; that is, with "OPTION_key". For example, -the command - -$ virt-cat $(seq -f '--key /dev/sda2:key:%g' 200) -d DOMAIN /no-such-file - -which passes 200 (different) passphrases for the LUKS-encrypted block -device "/dev/sda2", crashes with a SIGSEGV. - -A slightly better reproducer from Rich Jones is the following, since it -doesn't require an encrypted guest disk image: - -$ echo TEST | guestfish --keys-from-stdin -N part luks-format /dev/sda1 0 -$ virt-cat $(seq -f '--key /dev/sda1:key:%g' 200) -a test1.img /no-such-file -Segmentation fault (core dumped) -$ rm test1.img - -( - - The buffer overflow is possible to trigger in OCaml-language tools as - well; that is, those that call "create_standard_options" with - ~key_opts:true. - - Triggering the problem that way is less trivial. The reason is that when - the OCaml tools parse the "--key" options, they de-duplicate the options - first, based on the device identifier. - - Thus, in theory, this de-duplication masks the issue, as (one would - think) only one "--key" option could belong to a single device, and - therefore the buffer overflow would not be triggered in practice. - - This is not the case however: the de-duplication does not collapse keys - that are provided for the same device, but use different identifier - types (such as pathname of device node versus LUKS UUID) -- in that - situation, two entries in the keystore will match the device, and the - terminating NULL entry will not be present once get_keys() returns. In - this scenario, we don't have an out-of-bounds write, but an - out-of-bounds read, in decrypt_mountables() [options/decrypt.c]. - - There is *yet another* bug in get_keys() though that undoes the above - "masking". The "uuid" parameter of get_keys() may be NULL (for example - when the device to decrypt uses BitLocker and not LUKS). When this - happens, get_keys() adds all keys in the keystore to the result array. - Therefore, the out-of-bounds write is easy to trigger with - OCaml-language tools as well, as long as we attempt to decrypt a - BitLocker (not LUKS) device, and we pass the "--key" options with - different device identifiers. - - Subsequent patches in this series fix all of the above; this patch fixes - the security bug. - -) - -Rather than replacing MIN with MAX, open-code the comparison, as we first -set "len" to 1 anyway. - -While at it, rework the NULL-termination such that the (len+1) addition -not go unchecked. - -Fixes: c10c8baedb88e7c2988a01b70fc5f81fa8e4885c -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453 -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862 -Signed-off-by: Laszlo Ersek -Message-Id: <20220628114915.5030-2-lersek@redhat.com> -Reviewed-by: Richard W.M. Jones - ---- a/common/options/keys.c -+++ b/common/options/keys.c -@@ -128,17 +128,23 @@ read_first_line_from_file (const char *f - char ** - get_keys (struct key_store *ks, const char *device, const char *uuid) - { -- size_t i, j, len; -+ size_t i, j, nmemb; - char **r; - char *s; - - /* We know the returned list must have at least one element and not - * more than ks->nr_keys. - */ -- len = 1; -- if (ks) -- len = MIN (1, ks->nr_keys); -- r = calloc (len+1, sizeof (char *)); -+ nmemb = 1; -+ if (ks && ks->nr_keys > nmemb) -+ nmemb = ks->nr_keys; -+ -+ /* make room for the terminating NULL */ -+ if (nmemb == (size_t)-1) -+ error (EXIT_FAILURE, 0, _("size_t overflow")); -+ nmemb++; -+ -+ r = calloc (nmemb, sizeof (char *)); - if (r == NULL) - error (EXIT_FAILURE, errno, "calloc"); - diff --git a/virt-v2v-2.0.6.tar.gz b/virt-v2v-2.0.6.tar.gz deleted file mode 100644 index 70bba59..0000000 --- a/virt-v2v-2.0.6.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e5eba9f7960340334100c06e1380bf84d0d730c53cdf587fefbfab7c889aca15 -size 4022694 diff --git a/virt-v2v-2.0.6.tar.gz.sig b/virt-v2v-2.0.6.tar.gz.sig deleted file mode 100644 index 78f7e75..0000000 --- a/virt-v2v-2.0.6.tar.gz.sig +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmKPUfYRHHJpY2hAYW5u -ZXhpYS5vcmcACgkQkXOPc+G3aKAr5Q/9E5XizPbQPS47zjQqwY1oS12+R26rRBHR -WEoBXz8t64xAfUpsYN+LNp/auYKel/Bs7k4br34DzjqtxNOR4HZINbQUyd/cY/nI -iP9803liXX9z09X2cn52+H2HQ+GGnQhmls3y9d2asZJosw5wjDArUUgvr8Wv+5zn -DPYfdqauBNLvHSs1Sbhol5mExofW4L6l/rgPLCyO205uPYylPwZH1E8AfAew4dmW -8iQ2K/AJHBFNKD85ntwV3DKeTRlQxGrh4DkMtVOea+YOKRoqNZVAN5I+WkYQTSWj -beY4CYnNdfxEO81bNbA1r1sLGpSKf0Dyj/CFzjfYr3nxWMJevmmv1DdkKZGgE0o8 -ve7Coy32WR0b/uCWq4DlFylhYb3PwKoVbcwmHSu18Hd9OZWsltm97ddFqrGLnQg9 -9b9TPtBnhmQRnBY+0AD/lU0xneMfpLZrXo9GstVmH0WvVt5NCyjYxC9xMJvF1S3j -1m9FZXiLkspB7vvA4aRi6o98AhbGQmRPNe2BZ7SYmJyCleRecWx1Ikv+1ryctbLj -piWXBBKYZ/ESA1X3LDK9l6JhY0uMGlvqQq3o7W1dCS5UkviSIo9rZOJ7OVAZaED+ -WvphZ4ScUQWgKzqj6wp6ysQscIMaQ1C9qaRjFFt46Ma1KnQo2rnoZ5xdNhE0Ha7w -osjxDokdICA= -=nBN0 ------END PGP SIGNATURE----- diff --git a/virt-v2v-2.0.7.tar.gz b/virt-v2v-2.0.7.tar.gz new file mode 100644 index 0000000..1ef9bb5 --- /dev/null +++ b/virt-v2v-2.0.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:89b8cdabd04a57c0addb11be043e0f8102d2586590ace493ee849201efde7ba3 +size 7702629 diff --git a/virt-v2v-2.0.7.tar.gz.sig b/virt-v2v-2.0.7.tar.gz.sig new file mode 100644 index 0000000..7eb3c74 --- /dev/null +++ b/virt-v2v-2.0.7.tar.gz.sig @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmLFq4sRHHJpY2hAYW5u +ZXhpYS5vcmcACgkQkXOPc+G3aKCdDg/+LQr8ro5P9iKSDRNwLJ4jHmoXOqZVkSqO +KHk+kHuqFwSruEHxVGZwf9jYBNOuGD9K1d6AFWfYbRS2jEZpiA22ZX1Ym67PF5Fp +dw72BmWHBOzJ8YO6vauvpaRNLPypSgr3RwJUPlRYw847MFDrn71EVOBv7dqwVp0q +LqBk1wj/M3wKVV2DL8u0JE+CArSmqYSCCnyl2oq0VfIlhYbPQ4iprqTr5HWdd2fs +Mc0JkQiuYLoV3V7MP8U0qncktABZ/6gNuTSiUAsWLGSLaH67MNEfqjF4OyEU95cA +qivB53LEIebIAO07E9bLeFeXx7WLZsPI3Ms5m+aFWqjCLHl7h0qarHsrMMe+SBI6 +aSK+BzPzVHfzrqGRnL+95EQI0Vw9g5yLkxkm69KYGbukMulFdGgI24cGqHKEFadu +NbrSE/6ydkdKS8NGKeyM+Y5RMoWh379nQcksj8dB6Vv2NV31KQvde9mFxnV92FOn +1gYbIRwKPM1cc3VF6E3qlmIuBq59vagsJ/rcKg8fe8LNpNiOfi+Cmk8gYs9WuDFH +/RWCYd3XMWxYQ5ZGi3rCVw4ijZbdHGwc1+sH9/ExLGDVuUJQfJ0fpdjR4mYnghav +tFKc6EjxJknCR7D4HahVdzFbT/XrD0KpQ5JxToLDA3o7ecPJ42ExfKL53OwYjM/t +LUUDntYK6sk= +=Grra +-----END PGP SIGNATURE----- diff --git a/virt-v2v.changes b/virt-v2v.changes index cada5bd..fba6edf 100644 --- a/virt-v2v.changes +++ b/virt-v2v.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Jul 12 16:03:38 MDT 2022 - carnold@suse.com + +- Update to version 2.0.7 + * This is a bug fix release +- Drop patch contained in new tarball + CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch + ------------------------------------------------------------------- Wed Jun 29 09:51:03 MDT 2022 - carnold@suse.com diff --git a/virt-v2v.spec b/virt-v2v.spec index cb6f5c9..dc5d91e 100644 --- a/virt-v2v.spec +++ b/virt-v2v.spec @@ -22,7 +22,7 @@ # The source directory. %global source_directory 2.0-stable Name: virt-v2v -Version: 2.0.6 +Version: 2.0.7 Release: 0 Summary: Tools to convert a virtual machine to run on KVM License: GPL-2.0-or-later @@ -30,7 +30,7 @@ Group: System/Management URL: https://github.com/libguestfs/virt-v2v Source0: https://download.libguestfs.org/virt-v2v/%{source_directory}/%{name}-%{version}.tar.gz Source1: https://download.libguestfs.org/virt-v2v/%{source_directory}/%{name}-%{version}.tar.gz.sig -Patch1: CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch + BuildRequires: augeas-devel BuildRequires: file-devel #BuildRequires: /usr/bin/pod2man