- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow

remote execution
  uri-Sanitize-user-provided-hostnames.patch

_service

@@ -1,7 +1,7 @@
 <services>
   <service name="tar_scm" mode="manual">
     <param name="filename">libnbd</param>
-    <param name="revision">v1.20.2</param>
+    <param name="revision">v1.22.2</param>
     <param name="scm">git</param>
     <param name="submodules">disable</param>
     <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.com/nbdkit/libnbd.git</param>
-              <param name="changesrevision">30963227b281adab0017317e3eb17f4c3088f1fc</param></service></servicedata>
+              <param name="changesrevision">5f55a26f3a776c11049a27154b1f2b59b8c335da</param></service></servicedata>

libnbd-1.18.4.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5d129ec5cbb189ca454218bf2283d2de684788300a0485f7f4378eaac95db58
-size 440557

libnbd.changes

@@ -1,3 +1,132 @@
+-------------------------------------------------------------------
+Wed Nov  5 11:03:52 MST 2025 - carnold@suse.com
+
+- bsc#1253059 - libnbd: Unsanitized hostnames in nbd+ssh URIs allow
+  remote execution
+  uri-Sanitize-user-provided-hostnames.patch
+
+-------------------------------------------------------------------
+Tue May 06 22:48:02 UTC 2025 - jfehlig@suse.com
+
+- Update to version 1.22.2:
+  * Version 1.22.2.
+  * copy: Test --allocated + --destination-is-zero options together
+  * copy: Test --destination-is-zero option
+  * copy: Test --allocated option more thoroughly
+  * copy: Add a test of the --flush option
+  * copy: Remove output file in a few tests
+  * build: Print rustc version in ./configure output
+  * rust: Use nbd.is_uri in examples
+  * ci: Skip go on FreeBSD 14
+  * ci: Update to latest
+  * copy: Fix file allocation when using --allocated
+  * copy: Fix file_sync_zero when allocate == true
+  * copy: Consider options when zeroing in synch mode
+  * copy: Hard error if sync_file_range fails
+  * info/info-uri-nbds.sh: Fix test if compiled without GnuTLS
+  * copy: Set the total size in bytes copied
+  * copy: progress: Add a comment about size and pipes
+  * info: Use magenta for export headings, instead of black
+  * Version 1.22.1.
+  * ocaml/{examples,tests}: Don't try to run OCAMLFIND if --disable-ocaml
+  * docs/libnbd-release-notes-1.22.pod: Set release date
+  * Version 1.22.0.
+  * ci: Update FreeBSD builds
+  * copy: Include pthread.h
+  * docs: Small revisions to the release notes
+  * golang: Replace () with correct argument decl, for GCC 15
+  * docs: Add outline release notes for libnbd 1.22
+  * ci: Update to latest
+  * dump: Add a test of --length and --offset
+  * dump: Add --offset for further limiting the dump
+  * dump: Document --length
+  * examples: Add simple program to benchmark connections
+  * Version 1.21.6.
+  * build: Use 'tar ztf' instead of 'zcat | tar'
+  * Revert "ci: Skip maintainer-check-extra-dist test on macOS"
+  * ci: Skip maintainer-check-extra-dist test on macOS
+  * ci: Install bash (from homebrew) in the CI environment
+  * configure: Check that bash is sufficiently new
+  * ci: Dump out failed log files when the tests fail
+  * golang, rust: Use env bash for FreeBSD
+  * python: Skip Python tests on macOS
+  * tests/newstyle-limited.c: Check truncate is GNU truncate before using
+  * ocaml/tests/test_220_opt_list.ml: Use correct nbdkit binary
+  * ocaml/tests/test_580_aio_connect.ml: Skip this test on macOS
+  * build: Test for GnuTLS certtool on macOS
+  * build: Use GNU alternatives on macOS and FreeBSD
+  * copy/copy-file-to-nbd.sh: Remove test for 'truncate'
+  * lib/test-fork-safe-execvpe.sh: Skip this test on macOS
+  * ci/build.sh: Set os_id on macOS which lacks /etc/os-release
+  * ci: Don't skip tests on non-Linux
+  * Version 1.21.5.
+  * interop: Skip nbd-server test on Alpine
+  * ci: Update CI files
+  * vsock: Document limitations and reserved vsock port numbers
+  * rust: Parse perlpod L<https://...> (external links) to rust markup
+  * generator: connect_uri: Document differences with qemu parsing
+  * podwrapper: Add some simple checks for cross-references within manual pages.
+  * docs/libnbd-release-notes-1.10.pod: Remove broken link to "nbd_connect(3)"
+  * docs/nbd_create.pod: Cross-reference nbd_shutdown(3)
+  * Version 1.21.4.
+  * docs: Use "oldstyle servers" in preference to "older servers"
+  * docs: Mention newstyle and oldstyle servers in main docs
+  * docs: Mention nbd_is_uri under "Connecting to an NBD URI" in main docs
+  * README: Fix bold markdown
+  * README: Mention 'make install DESTDIR=...'
+  * README: Mention the ./run script
+  * lib: Add nbd_get_subprocess_pid to return h->pid
+  * docs/libnbd-security.pod: Assign CVE-2024-7383
+  * Version 1.21.3.
+  * build: Prefer "for developers" in ./configure --help output
+  * build: Fix ./configure --help output for --enable-python-code-style
+  * copy: Fix URI detection
+  * lib: Add new nbd_is_uri API
+  * tests/requires.c: Don't fail to compile if NBDKIT is not defined
+  * Version 1.21.2.
+  * lib: Implement nbd+ssh:// and nbds+ssh:// URIs
+  * tests/connect-uri.c: Replace -DREQUIRES_NBDKIT_TLS_VERIFY_PEER=1
+  * lib/uri.c: Change socket required boolean into an enum
+  * generator/states-newstyle.c: Don't sign extend escaped chars
+  * rust: Add os-ext feature to get mio::unix
+  * generator/states-newstyle.c: Quote untrusted string from the server
+  * generator: Restore assignment to local 'err'
+  * .gitignore: Remove unused line
+  * lib: Don't overwrite error in nbd_opt_{go,info}
+  * generator: Print full error in handle_reply_error
+  * ci: Drop Alma Linux 8
+  * lib/crypto.c: Check <gnutls/socket.h> works before including it
+  * lib/uri.c: Append tls-hostname and tls-verify-peer when getting URI
+  * Version 1.21.1.
+  * docs: security: Add link to TLS server certificate checking announcement
+  * lib/uri.c: Allow tls-hostname to be overridden in URIs
+  * lib/uri.c: Allow tls-verify-peer to be overridden in URIs
+  * lib/crypto.c: Add API functions to get/set TLS hostname
+
+-------------------------------------------------------------------
+Fri Oct 18 16:42:38 UTC 2024 - jfehlig@suse.com
+
+- Update to version 1.20.3:
+  * Version 1.20.3.
+  * interop: Skip nbd-server test on Alpine
+  * ci: Update CI files
+  * rust: Parse perlpod L<https://...> (external links) to rust markup
+  * podwrapper: Add some simple checks for cross-references within manual pages.
+  * docs/libnbd-release-notes-1.10.pod: Remove broken link to "nbd_connect(3)"
+  * docs/nbd_create.pod: Cross-reference nbd_shutdown(3)
+  * docs: Use "oldstyle servers" in preference to "older servers"
+  * docs: Mention newstyle and oldstyle servers in main docs
+  * README: Fix bold markdown
+  * README: Mention 'make install DESTDIR=...'
+  * README: Mention the ./run script
+  * build: Prefer "for developers" in ./configure --help output
+  * build: Fix ./configure --help output for --enable-python-code-style
+  * .gitignore: Remove unused line
+  * ci: Drop Alma Linux 8
+  * lib/crypto.c: Check <gnutls/socket.h> works before including it
+  * docs/libnbd-security.pod: Assign CVE-2024-7383
+  * jsc#PED-8910
+
 -------------------------------------------------------------------
 Mon Aug 05 16:08:37 UTC 2024 - jfehlig@suse.com
 
@@ -387,6 +516,7 @@ Fri Jul  8 17:59:24 UTC 2022 - James Fehlig <jfehlig@suse.com>
   * python: Plug uninit leak in nbd.Buffer.to_bytearray
   * python: Avoid memleak on (unlikely) module failure
   * python: Accept buffers in nbd.Buffer.from_bytearray()
+  * jsc#ECO-3633
 - Enable building python module and utilities
 
 -------------------------------------------------------------------

libnbd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libnbd
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,12 +19,13 @@
 %define sover 0
 
 Name:           libnbd
-Version:        1.20.2
+Version:        1.22.2
 Release:        0
 Summary:        NBD client library in userspace
 License:        LGPL-2.1-or-later
 URL:            https://gitlab.com/nbdkit/libnbd
 Source0:        %{name}-%{version}.tar.bz2
+Patch1:         uri-Sanitize-user-provided-hostnames.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes

uri-Sanitize-user-provided-hostnames.patch

@@ -0,0 +1,66 @@
+Subject: uri: Sanitize user-provided hostnames
+From: Eric Blake eblake@redhat.com Mon Oct 13 10:01:21 2025 -0500
+Date: Tue Oct 21 15:30:19 2025 -0500:
+Git: f461fe64d21fe8a6d32b56ccb50d06489d2e2698
+
+Dan Berrangé ran a free trial of zeropath (http://zeropath.com/) AI
+analysis on libnbd, and it highlighted the following:
+
+ "When using nbd+ssh:// URIs the library constructs an argv array for
+ ssh from parsed URI parts (server, port, user, unix socket, nbd-port)
+ and execs it. The server component is used directly as an ssh
+ argument; if it begins with '-' an attacker can inject ssh options
+ (e.g. -oProxyCommand=...) that cause ssh to run local commands. There
+ is no protection (such as rejecting leading '-' in server or inserting
+ a '--' to stop option parsing), so an attacker who can supply the URI
+ can cause local command execution in the client process."
+
+ eg with this....  "nbdinfo nbd+ssh://-oProxyCommand=rm%20run.in"
+ you'll get a failure to start the NBD connection, but it none the less
+ deletes the file 'run.in' in the local working directory
+
+The RFCs are vague enough that it is not immediately obvious whether
+there is any possibility of a valid hostname with a leading - (see
+https://www.netmeister.org/blog/hostnames.html).  Still, it is better
+to pass the user's string on to ssh's determination of a valid
+hostname (which does appear to reject leading -) rather than trying to
+teach libnbd what patterns to allow, and thereby avoid risking any
+pattern written in libnbd accidentally being too restrictive.  Do this
+by using "--" to end ssh options before the hostname, but that in turn
+must come after any use of -oUser=.  With this in place, we now get a
+sane error rather than spawning a calculator with:
+
+$ nbdinfo nbd+ssh://-oProxyCommand=gnome-calculator
+hostname contains invalid characters
+/home/eblake/libnbd/info/.libs/nbdinfo: nbd_connect_uri: recv: server disconnected unexpectedly
+
+See also Libvirt commit e4cb8500 (Aug 2017), which in turn was
+inspired by GIT security flaws
+(http://blog.recurity-labs.com/2017-08-10/scm-vulns).  We have put out
+a request to Red Hat security on whether this warrants a CVE in
+libnbd; however, as the problem was easy to identify using only free
+AI resources, and the problem itself is relatively low priority (to
+exploit it, an attacker has to convince an admin to run a program that
+will use libnbd on an untrusted URI), so we are publishing this now
+rather than waiting for any embargo.  If a CVE is assigned, it will be
+announced to the mailing list in a followup post.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+CC: Daniel P. Berrangé <berrange@redhat.com>
+
+(cherry picked from commit fffd87a3ba216cf2f9c212e5db96b13b98985edf)
+Conflicts:
+	lib/uri.c - no username override, backport looks different
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+--- a/lib/uri.c
++++ b/lib/uri.c
+@@ -446,7 +446,7 @@ nbd_unlocked_aio_connect_uri (struct nbd
+   case ssh: {                   /* SSH */
+     char port_str[32];
+     const char *ssh_command[] = {
+-      "ssh", "-p", port_str, uri->server,
++      "ssh", "-p", port_str, "--", uri->server,
+       "nc",
+       NULL,                     /* [5] "-U" or "localhost" */
+       NULL,                     /* [6] socket or "10809" */