From 8a4b914681eb968f8f1969d0a3a3ef35ed4cc18a Mon Sep 17 00:00:00 2001 
From: "Richard W.M. Jones"
Date: Wed, 6 Jul 2022 17:33:07 +0100
Subject: [PATCH] Rebase to new stable branch version 1.48.4 resolves: rhbz#2059285
---
...device_name-returning-the-drive-name.patch | 2 +-
...rewrite-with-FileOut-transfer-to-lif.patch | 2 +-
...minimize-the-number-of-send_file_wri.patch | 2 +-
...-direct-ignore-drive-iface-parameter.patch | 2 +-
...create_data-drive-remove-field-iface.patch | 2 +-
...e-VALID_FORMAT_IFACE-to-VALID_FORMAT.patch | 2 +-
...ions-remove-iface-based-restrictions.patch | 2 +-
...ize-invert-SELinux-relabeling-defaul.patch | 2 +-
...ize-reintroduce-selinux-relabel-as-a.patch | 2 +-
0009-update-common-submodule.patch | 46 --
...upported-remote-drive-protocols-RHBZ.patch | 2 +-
...of-libguestfs-winsupport-features-ex.patch | 2 +-
...crypto-policies-back-ends-opensslcnf.patch | 4 +-
...0013-php-add-arginfo-to-php-bindings.patch | 2 +-
...introduce-the-clevis_luks_unlock-API.patch | 2 +-
0015-build-Pick-first-field-in-ID_LIKE.patch | 42 --
...ount-enable-networking-for-key-ID-cl.patch | 69 +++
...ance-daemon-disable-lvm2-devicesfile.patch | 119 -----
...stfs-security-document-CVE-2022-2211.patch | 99 -----
...ount-enable-networking-for-key-ID-cl.patch | 414 ------------------
libguestfs.spec | 35 +-
sources | 4 +-
22 files changed, 97 insertions(+), 761 deletions(-)
rename 0010-generator-customize-reintroduce-selinux-relabel-as-a.patch => 0009-generator-customize-reintroduce-selinux-relabel-as-a.patch (95%)
delete mode 100644 0009-update-common-submodule.patch
rename 0012-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch => 0010-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch (99%)
rename 0013-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch => 0011-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch (97%)
rename 0014-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch => 0012-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch (91%)
rename 0017-php-add-arginfo-to-php-bindings.patch => 0013-php-add-arginfo-to-php-bindings.patch (97%)
rename 0019-introduce-the-clevis_luks_unlock-API.patch => 0014-introduce-the-clevis_luks_unlock-API.patch (99%)
delete mode 100644 0015-build-Pick-first-field-in-ID_LIKE.patch
create mode 100644 0015-guestfish-guestmount-enable-networking-for-key-ID-cl.patch
delete mode 100644 0016-appliance-daemon-disable-lvm2-devicesfile.patch
delete mode 100644 0018-docs-guestfs-security-document-CVE-2022-2211.patch
delete mode 100644 0020-guestfish-guestmount-enable-networking-for-key-ID-cl.patch
diff --git a/0001-New-API-guestfs_device_name-returning-the-drive-name.patch b/0001-New-API-guestfs_device_name-returning-the-drive-name.patch
index 27109c4..fe4b696 100644
--- a/0001-New-API-guestfs_device_name-returning-the-drive-name.patch
+++ b/0001-New-API-guestfs_device_name-returning-the-drive-name.patch
@@ -1,4 +1,4 @@
-From 18472273bb58eff008a0c1aacfe7c21dec6705a1 Mon Sep 17 00:00:00 2001
+From e3ebd50abde3b05db86c8965868c866152cd3287 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Thu, 28 Apr 2022 13:16:54 +0100
 Subject: [PATCH] New API: guestfs_device_name returning the drive name
diff --git a/0002-guestfs_readdir-rewrite-with-FileOut-transfer-to-lif.patch b/0002-guestfs_readdir-rewrite-with-FileOut-transfer-to-lif.patch
index 41a0315..1c7e841 100644
--- a/0002-guestfs_readdir-rewrite-with-FileOut-transfer-to-lif.patch
+++ b/0002-guestfs_readdir-rewrite-with-FileOut-transfer-to-lif.patch
@@ -1,4 +1,4 @@
-From e77853fd91466181e9963392fbc97d0bf97b8492 Mon Sep 17 00:00:00 2001
+From b97b90779d5ea261d5e737f073bb4ec5dc546511 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Mon, 2 May 2022 10:56:00 +0200
 Subject: [PATCH] guestfs_readdir(): rewrite with FileOut transfer, to lift
diff --git a/0003-guestfs_readdir-minimize-the-number-of-send_file_wri.patch b/0003-guestfs_readdir-minimize-the-number-of-send_file_wri.patch
index 1bd3f7f..6e060a5 100644
--- a/0003-guestfs_readdir-minimize-the-number-of-send_file_wri.patch
+++ b/0003-guestfs_readdir-minimize-the-number-of-send_file_wri.patch
@@ -1,4 +1,4 @@
-From ba6c7a9a609d650c07d26ee4777f18a6730f4028 Mon Sep 17 00:00:00 2001
+From 62cd6c9d2dd62dd24cc04b16437bfb816a6f4357 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Mon, 2 May 2022 10:56:01 +0200
 Subject: [PATCH] guestfs_readdir(): minimize the number of send_file_write()
diff --git a/0004-lib-launch-direct-ignore-drive-iface-parameter.patch b/0004-lib-launch-direct-ignore-drive-iface-parameter.patch
index cdbdaf3..958b99f 100644
--- a/0004-lib-launch-direct-ignore-drive-iface-parameter.patch
+++ b/0004-lib-launch-direct-ignore-drive-iface-parameter.patch
@@ -1,4 +1,4 @@
-From 0279a052dcb859f0c421d2efb92cf3b3d549dcd7 Mon Sep 17 00:00:00 2001
+From e4901a4e83f0ab59a525095d2fe1c7f1a38c0aac Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Wed, 4 May 2022 15:41:52 +0200
 Subject: [PATCH] lib: launch-direct: ignore drive "iface" parameter
diff --git a/0005-lib-drive_create_data-drive-remove-field-iface.patch b/0005-lib-drive_create_data-drive-remove-field-iface.patch
index d940f35..3f01445 100644
--- a/0005-lib-drive_create_data-drive-remove-field-iface.patch
+++ b/0005-lib-drive_create_data-drive-remove-field-iface.patch
@@ -1,4 +1,4 @@
-From 3db215d52abd929364fe65da74e2f393ee196818 Mon Sep 17 00:00:00 2001
+From f13297315495144775f6249e9e24dc5f18f6f902 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Wed, 4 May 2022 15:41:53 +0200
 Subject: [PATCH] lib: drive_create_data, drive: remove field "iface"
diff --git a/0006-lib-rename-VALID_FORMAT_IFACE-to-VALID_FORMAT.patch b/0006-lib-rename-VALID_FORMAT_IFACE-to-VALID_FORMAT.patch
index cffbe09..9386a58 100644
--- a/0006-lib-rename-VALID_FORMAT_IFACE-to-VALID_FORMAT.patch
+++ b/0006-lib-rename-VALID_FORMAT_IFACE-to-VALID_FORMAT.patch
@@ -1,4 +1,4 @@
-From 2fba4170207b5fef8887ef7003725f7f2deea85b Mon Sep 17 00:00:00 2001
+From f408b24d8d8f5b5f4e1a25c1046c3a18107c8d80 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Wed, 4 May 2022 15:41:54 +0200
 Subject: [PATCH] lib: rename VALID_FORMAT_IFACE to VALID_FORMAT
diff --git a/0007-tests-regressions-remove-iface-based-restrictions.patch b/0007-tests-regressions-remove-iface-based-restrictions.patch
index 1d8f0c0..5c8c1d0 100644
--- a/0007-tests-regressions-remove-iface-based-restrictions.patch
+++ b/0007-tests-regressions-remove-iface-based-restrictions.patch
@@ -1,4 +1,4 @@
-From 052163a725b8eb430b1f56ee86825cf35c5012d7 Mon Sep 17 00:00:00 2001
+From 431ca828e9f7d7a6c7e315b410f381304986ba44 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Wed, 4 May 2022 15:41:55 +0200
 Subject: [PATCH] tests/regressions: remove "iface"-based restrictions
diff --git a/0008-generator-customize-invert-SELinux-relabeling-defaul.patch b/0008-generator-customize-invert-SELinux-relabeling-defaul.patch
index 8d9cc75..b3aba8f 100644
--- a/0008-generator-customize-invert-SELinux-relabeling-defaul.patch
+++ b/0008-generator-customize-invert-SELinux-relabeling-defaul.patch
@@ -1,4 +1,4 @@
-From decf2b497b47e8a49b2384144b198979df2be8eb Mon Sep 17 00:00:00 2001
+From 8f800b369ada05ea690cebb0bb5e0fed0ba1c548 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Tue, 10 May 2022 12:27:57 +0200
 Subject: [PATCH] generator/customize: invert SELinux relabeling default
diff --git a/0010-generator-customize-reintroduce-selinux-relabel-as-a.patch b/0009-generator-customize-reintroduce-selinux-relabel-as-a.patch
similarity index 95%
rename from 0010-generator-customize-reintroduce-selinux-relabel-as-a.patch
rename to 0009-generator-customize-reintroduce-selinux-relabel-as-a.patch
index b9cf24a..4c8b115 100644
--- a/0010-generator-customize-reintroduce-selinux-relabel-as-a.patch
+++ b/0009-generator-customize-reintroduce-selinux-relabel-as-a.patch
@@ -1,4 +1,4 @@
-From d09099b1da8da93c11aaf51c94e7e456256d6fe9 Mon Sep 17 00:00:00 2001
+From 4cfba19fa2b087c4b2c5a1b67aa70eb16e9d5a59 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Wed, 25 May 2022 09:19:58 +0200
 Subject: [PATCH] generator/customize: reintroduce "--selinux-relabel" as a
diff --git a/0009-update-common-submodule.patch b/0009-update-common-submodule.patch
deleted file mode 100644
index 6242819..0000000
--- a/0009-update-common-submodule.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ec3fcb5bf880ce25dc98047903e9d0a090c151f0 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Wed, 11 May 2022 05:26:48 +0200
-Subject: [PATCH] update common submodule
-
-Laszlo Ersek (2):
- mlcustomize: refresh generated files
- remove non-generated "--selinux-relabel" options
-
-Richard W.M. Jones (2):
- options/uri.c: Fix missing word in error message
- options/uri.c: Free variable on error path
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554735
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075718
-Signed-off-by: Laszlo Ersek
-(cherry picked from commit 08c4ac90f5a3c08b48444e2faf3d0f58d6ddc206)
----
- common | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Submodule common 0a231b3e6..48527b876:
-diff --git a/common/options/uri.c b/common/options/uri.c
-index 6b696fc2d..84d393c1e 100644
---- a/common/options/uri.c
-+++ b/common/options/uri.c
-@@ -135,7 +135,7 @@ parse (const char *arg, char **path_ret, char **protocol_ret,
- socket = query_get (uri, "socket");
-
- if (uri->server && STRNEQ (uri->server, "") && socket) {
-- fprintf (stderr, _("%s: %s: cannot both a server name and a socket query parameter\n"),
-+ fprintf (stderr, _("%s: %s: cannot have both a server name and a socket query parameter\n"),
- getprogname (), arg);
- return -1;
- }
-@@ -347,6 +347,7 @@ make_server (xmlURIPtr uri, const char *socket, char ***ret)
- *ret = malloc (sizeof (char *) * 2);
- if (*ret == NULL) {
- perror ("malloc");
-+ free (server);
- return -1;
- }
- (*ret)[0] = server;
---
-2.31.1
-
diff --git a/0012-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch b/0010-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch
similarity index 99%
rename from 0012-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch
rename to 0010-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch
index 2620118..e558c88 100644
--- a/0012-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch
+++ b/0010-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch
@@ -1,4 +1,4 @@
-From 0bba553b311f448c50ba6b3dd934b88387302d01 Mon Sep 17 00:00:00 2001
+From 010cd5ff441166c01125fc588398a1fb8367a852 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Mon, 29 Jul 2013 14:47:56 +0100
 Subject: [PATCH] RHEL: Disable unsupported remote drive protocols
diff --git a/0013-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch b/0011-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
similarity index 97%
rename from 0013-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
rename to 0011-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
index 04c99e9..bae7529 100644
--- a/0013-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
+++ b/0011-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
@@ -1,4 +1,4 @@
-From 046e64463e958fb0d2abb6ef6330a6757803a759 Mon Sep 17 00:00:00 2001
+From d59942a7a3d1ca2248a94099d28f7555378d7993 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Tue, 7 Jul 2015 09:28:03 -0400
 Subject: [PATCH] RHEL: Reject use of libguestfs-winsupport features except for
diff --git a/0014-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch b/0012-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch
similarity index 91%
rename from 0014-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch
rename to 0012-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch
index 120e1f8..5683472 100644
--- a/0014-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch
+++ b/0012-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch
@@ -1,4 +1,4 @@
-From 0598660ad71cce8c55e6af3b6f0c9afda6d70bcb Mon Sep 17 00:00:00 2001
+From c1ff450bcee1465f0eaca00a4d6c8c731f175488 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Tue, 29 Jun 2021 15:29:11 +0100
 Subject: [PATCH] RHEL: Create /etc/crypto-policies/back-ends/opensslcnf.config
@@ -9,7 +9,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1977214#c13
 1 file changed, 8 insertions(+)
 
 diff --git a/appliance/init b/appliance/init
-index 7076821d2..fe6497b4d 100755
+index 19aa151b7..e67d88280 100755
 --- a/appliance/init
 +++ b/appliance/init
 @@ -76,6 +76,14 @@ if ! test -e /etc/mtab; then
diff --git a/0017-php-add-arginfo-to-php-bindings.patch b/0013-php-add-arginfo-to-php-bindings.patch
similarity index 97%
rename from 0017-php-add-arginfo-to-php-bindings.patch
rename to 0013-php-add-arginfo-to-php-bindings.patch
index 38040f1..7122e7c 100644
--- a/0017-php-add-arginfo-to-php-bindings.patch
+++ b/0013-php-add-arginfo-to-php-bindings.patch
@@ -1,4 +1,4 @@
-From 7f5b5b3ac884fbe215267c32a88e3740bd9f0117 Mon Sep 17 00:00:00 2001
+From d451e0e42c75429279426e9eb5a7701cd4681d07 Mon Sep 17 00:00:00 2001
 From: Geoff Amey
 Date: Wed, 15 Jun 2022 17:06:56 -0400
 Subject: [PATCH] php: add arginfo to php bindings
diff --git a/0019-introduce-the-clevis_luks_unlock-API.patch b/0014-introduce-the-clevis_luks_unlock-API.patch
similarity index 99%
rename from 0019-introduce-the-clevis_luks_unlock-API.patch
rename to 0014-introduce-the-clevis_luks_unlock-API.patch
index 4dbafee..10db265 100644
--- a/0019-introduce-the-clevis_luks_unlock-API.patch
+++ b/0014-introduce-the-clevis_luks_unlock-API.patch
@@ -1,4 +1,4 @@
-From 17eb49e3373e46f92768bdca0733e811603bcc80 Mon Sep 17 00:00:00 2001
+From 51ea2e3af9caa434e847ca74a86f5de5ade6058f Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek
 Date: Thu, 30 Jun 2022 14:20:47 +0200
 Subject: [PATCH] introduce the "clevis_luks_unlock" API
diff --git a/0015-build-Pick-first-field-in-ID_LIKE.patch b/0015-build-Pick-first-field-in-ID_LIKE.patch
deleted file mode 100644
index fa40096..0000000
--- a/0015-build-Pick-first-field-in-ID_LIKE.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From ad24b9f4d6950dd681e65ea9d1de334119ec9ec7 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones"
-Date: Thu, 26 May 2022 14:02:58 +0100
-Subject: [PATCH] build: Pick first field in ID_LIKE
-
-CentOS Stream has:
-
-ID_LIKE="rhel fedora"
-
-which confused the existing script. If there are multiple "likes"
-arbitrarily pick the first one in the list.
-
-Fixes: commit 63b722b6c094f3a35a5e72f0ae3236a58ddda110
-(cherry picked from commit 7afbf5ee4415f6fa2553898d3af238e794062096)
----
- m4/guestfs-appliance.m4 | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/m4/guestfs-appliance.m4 b/m4/guestfs-appliance.m4
-index 4e63ef435..19db4fc7e 100644
---- a/m4/guestfs-appliance.m4
-+++ b/m4/guestfs-appliance.m4
-@@ -106,11 +106,11 @@ AC_ARG_WITH([distro],
- cat /etc/os-release >&AS_MESSAGE_LOG_FD
- DISTRO="$(
- . /etc/os-release
-- if test -n "$ID_LIKE"; then
-- echo $ID_LIKE | tr '@<:@:lower:@:>@' '@<:@:upper:@:>@'
-- else
-- echo $ID | tr '@<:@:lower:@:>@' '@<:@:upper:@:>@'
-- fi
-+ ( if test -n "$ID_LIKE"; then
-+ echo $ID_LIKE | $AWK '{print $1}'
-+ else
-+ echo $ID
-+ fi ) | tr '@<:@:lower:@:>@' '@<:@:upper:@:>@'
- )"
- AS_CASE([$DISTRO],
- [FEDORA | RHEL | CENTOS | ALMALINUX | CLOUDLINUX | ROCKY],
---
-2.31.1
-
diff --git a/0015-guestfish-guestmount-enable-networking-for-key-ID-cl.patch b/0015-guestfish-guestmount-enable-networking-for-key-ID-cl.patch
new file mode 100644
index 0000000..c4a406e
--- /dev/null
+++ b/0015-guestfish-guestmount-enable-networking-for-key-ID-cl.patch
@@ -0,0 +1,69 @@
+From 5ae97d7d83d8cdb6e8428774282167dd774aaf70 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Thu, 30 Jun 2022 14:20:48 +0200
+Subject: [PATCH] guestfish, guestmount: enable networking for "--key
+ ID:clevis"
+
+Call the C-language helper key_store_requires_network() in guestfish and
+guestmount.
+
+(Short log for the "common" submodule, commit range
+35467027f657..af6cb55bc58a:
+
+Laszlo Ersek (12):
+ options: fix UUID comparison logic bug in get_keys()
+ mltools/tools_utils: remove unused function "key_store_to_cli"
+ mltools/tools_utils: allow multiple "--key" options for OCaml tools too
+ options: replace NULL-termination with number-of-elements in get_keys()
+ options: wrap each passphrase from get_keys() into a struct
+ options: add back-end for LUKS decryption with Clevis+Tang
+ options: introduce selector type "key_clevis"
+ options: generalize "--key" selector parsing for C-language utilities
+ mltools/tools_utils-c: handle internal type error with abort()
+ mltools/tools_utils: generalize "--key" selector parsing for OCaml utils
+ options, mltools/tools_utils: parse "--key ID:clevis" options
+ options, mltools/tools_utils: add helper for network dependency
+).
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
+Signed-off-by: Laszlo Ersek
+Reviewed-by: Richard W.M. Jones
+Message-Id: <20220630122048.19335-4-lersek@redhat.com>
+(cherry picked from commit 6a5b44f538065a9f661510234a4235bf38348213)
+---
+ fish/fish.c | 3 +++
+ fuse/guestmount.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/fish/fish.c b/fish/fish.c
+index 23d9bb94f..19e3d2799 100644
+--- a/fish/fish.c
++++ b/fish/fish.c
+@@ -476,6 +476,9 @@ main (int argc, char *argv[])
+ /* If we've got drives to add, add them now. */
+ add_drives (drvs);
+
++ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
++ exit (EXIT_FAILURE);
++
+ /* If we've got mountpoints or prepared drives or -i option, we must
+ * launch the guest and mount them.
+ */
+diff --git a/fuse/guestmount.c b/fuse/guestmount.c
+index 77c534828..3c6d57bde 100644
+--- a/fuse/guestmount.c
++++ b/fuse/guestmount.c
+@@ -348,6 +348,10 @@ main (int argc, char *argv[])
+
+ /* Do the guest drives and mountpoints. */
+ add_drives (drvs);
++
++ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)
++ exit (EXIT_FAILURE);
++
+ if (guestfs_launch (g) == -1)
+ exit (EXIT_FAILURE);
+ if (inspector)
+--
+2.31.1
+
diff --git a/0016-appliance-daemon-disable-lvm2-devicesfile.patch b/0016-appliance-daemon-disable-lvm2-devicesfile.patch
deleted file mode 100644
index 6751af8..0000000
--- a/0016-appliance-daemon-disable-lvm2-devicesfile.patch
+++ /dev/null
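Review bot: The two added `if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1)` blocks in fish/fish.c and fuse/guestmount.c turn on appliance networking with no comment, and nothing visible in these hunks tells the user that it happened. That is a security-relevant change of default, because the appliance that parses a possibly untrusted disk image gains network access whenever a `--key ID:clevis` selector is present; a comment above each block such as `/* "--key ID:clevis" presumably has to reach a Tang server, so networking is enabled implicitly here. */` would record the intent for the next maintainer. Separately, the old 0020 version of this patch carried the `common` submodule bump and 0018 carried the get_keys() fix for CVE-2022-2211, and both are dropped by this rebase, so it is worth confirming that the 1.48.4 tarball referenced by `sources` ships `common` at or past af6cb55bc58a. Both `main` bodies start and end outside the hunks shown.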
@@ -1,119 +0,0 @@
-From 20eb220c0b1c8a7aaaadcc26fe5fdeae681341b4 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Mon, 30 May 2022 16:10:27 +0200
-Subject: [PATCH] appliance, daemon: disable lvm2 devicesfile
-
-In guestfs-tools commit 4fe8a03cd2d3 ('sysprep: remove lvm2's default
-"system.devices" file', 2022-04-11), we disabled the use of LVM2's new
-"devicesfile" feature, which could interfere with the cloning of virtual
-machines.
-
-We suspected in
-
- https://bugzilla.redhat.com/show_bug.cgi?id=2072493#c6
-
-that the same lvm2 feature could affect the libguestfs appliance itself,
-but decided in
-
- https://bugzilla.redhat.com/show_bug.cgi?id=2072493#c8
- https://bugzilla.redhat.com/show_bug.cgi?id=2072493#c10
-
-that this would not be the case, because "appliance/init" already
-constructed a pristine LVM_SYSTEM_DIR.
-
-Unfortunately, that's not enough: due to the "use_devicesfile=1" default
-(on RHEL9 anyway), some "lvm" invocation, possibly inside the
-lvm-set-filter API, *creates* "$LVM_SYSTEM_DIR/devices/system.devices".
-And then we get (minimally) warnings such as
-
-> Please remove the lvm.conf global_filter, it is ignored with the devices
-> file.
-> Please remove the lvm.conf filter, it is ignored with the devices file.
-
-when using the lvm-set-filter API.
-
-Explicitly disable the "devices file" in "appliance/init", and also
-whenever we rewrite "lvm.conf" -- that is, in set_filter()
-[daemon/lvm-filter.c]. In the former, check for the feature by locating
-the devicesfile-related utilities "lvmdevices" and "vgimportdevices". In
-the C code, invoke the utilities with the "--help" option instead. (In
-"appliance/init", I thought it was best not to call any lvm2 utilities
-even with "--help", with our lvm2.conf still under construction there.) If
-either utility is available, set "use_devicesfile = 0".
-
-Cc: David Teigland
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1965941
-Signed-off-by: Laszlo Ersek
-Message-Id: <20220530141027.16167-1-lersek@redhat.com>
-Acked-by: Richard W.M. Jones
-[lersek@redhat.com: style fix: break "devicesfile_feature" in the function
- definition to a new line]
-(cherry picked from commit 8fc4d167153a23ab91befafb2f7083db2d312ef8)
----
- appliance/init | 11 +++++++++++
- daemon/lvm-filter.c | 20 ++++++++++++++++++++
- 2 files changed, 31 insertions(+)
-
-diff --git a/appliance/init b/appliance/init
-index fe6497b4d..e67d88280 100755
---- a/appliance/init
-+++ b/appliance/init
-@@ -142,6 +142,17 @@ mdadm -As --auto=yes --no-degraded
- # Empty LVM configuration file means "all defaults".
- mkdir -p /tmp/lvm
- touch /tmp/lvm/lvm.conf
-+
-+# If lvm2 supports a "devices file", we need to disable its use
-+# (RHBZ#1965941).
-+if command -v lvmdevices || command -v vgimportdevices; then
-+ {
-+ printf 'devices {\n'
-+ printf '\tuse_devicesfile = 0\n'
-+ printf '}\n'
-+ } >> /tmp/lvm/lvm.conf
-+fi
-+
- LVM_SYSTEM_DIR=/tmp/lvm
- export LVM_SYSTEM_DIR
- lvmetad
-diff --git a/daemon/lvm-filter.c b/daemon/lvm-filter.c
-index c6dd35156..00b36f826 100644
---- a/daemon/lvm-filter.c
-+++ b/daemon/lvm-filter.c
-@@ -68,6 +68,19 @@ free_lvm_system_dir (void)
- free (lvm_system_dir);
- }
-
-+static bool
-+devicesfile_feature (void)
-+{
-+ static bool checked, available;
-+
-+ if (!checked) {
-+ checked = true;
-+ available = command (NULL, NULL, "lvmdevices", "--help", NULL) == 0 ||
-+ command (NULL, NULL, "vgimportdevices", "--help", NULL) == 0;
-+ }
-+ return available;
-+}
-+
- /* Rewrite the 'filter = [ ... ]' line in lvm.conf. */
- static int
- set_filter (char *const *filters)
-@@ -88,6 +101,13 @@ set_filter (char *const *filters)
- }
-
- fprintf (fp, "devices {\n");
-+
-+ /* If lvm2 supports a "devices file", we need to disable its use
-+ * (RHBZ#1965941).
-+ */
-+ if (devicesfile_feature ())
-+ fprintf (fp, " use_devicesfile = 0\n");
-+
- for (j = 0; filter_types[j] != NULL; ++j) {
- fprintf (fp, " %s = [\n", filter_types[j]);
- fprintf (fp, " ");
---
-2.31.1
-
diff --git a/0018-docs-guestfs-security-document-CVE-2022-2211.patch b/0018-docs-guestfs-security-document-CVE-2022-2211.patch
deleted file mode 100644
index ad382e2..0000000
--- a/0018-docs-guestfs-security-document-CVE-2022-2211.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From fc0fd56abc2778a8473e9d421c73c9099dade4c4 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek
-Date: Tue, 28 Jun 2022 13:54:16 +0200
-Subject: [PATCH] docs/guestfs-security: document CVE-2022-2211
-
-Short log for the common submodule, commit range
-f8de5508fe75..35467027f657:
-
-Laszlo Ersek (2):
- mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
- options: fix buffer overflow in get_keys() [CVE-2022-2211]
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
-Signed-off-by: Laszlo Ersek
-Message-Id: <20220628115418.5376-2-lersek@redhat.com>
-Reviewed-by: Richard W.M. Jones
-(cherry picked from commit 99844660b48ed809e37378262c65d63df6ce4a53)
----
- common | 2 +-
- docs/guestfs-security.pod | 28 ++++++++++++++++++++++++++++
- 2 files changed, 29 insertions(+), 1 deletion(-)
-
-Submodule common f8de5508f..35467027f:
-diff --git a/common/options/keys.c b/common/options/keys.c
-index 798315c2e..d27a7123e 100644
---- a/common/options/keys.c
-+++ b/common/options/keys.c
-@@ -128,17 +128,23 @@ read_first_line_from_file (const char *filename)
- char **
- get_keys (struct key_store *ks, const char *device, const char *uuid)
- {
-- size_t i, j, len;
-+ size_t i, j, nmemb;
- char **r;
- char *s;
-
- /* We know the returned list must have at least one element and not
- * more than ks->nr_keys.
- */
-- len = 1;
-- if (ks)
-- len = MIN (1, ks->nr_keys);
-- r = calloc (len+1, sizeof (char *));
-+ nmemb = 1;
-+ if (ks && ks->nr_keys > nmemb)
-+ nmemb = ks->nr_keys;
-+
-+ /* make room for the terminating NULL */
-+ if (nmemb == (size_t)-1)
-+ error (EXIT_FAILURE, 0, _("size_t overflow"));
-+ nmemb++;
-+
-+ r = calloc (nmemb, sizeof (char *));
- if (r == NULL)
- error (EXIT_FAILURE, errno, "calloc");
-
-diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
-index 9ceef5623..efa35b29d 100644
---- a/docs/guestfs-security.pod
-+++ b/docs/guestfs-security.pod
-@@ -406,6 +406,34 @@ The libvirt backend is not affected.
- The solution is to update qemu to a version containing the fix (see
- L).
-
-+=head2 CVE-2022-2211
-+
-+L
-+
-+The C function in F collects
-+those I<--key> options from the command line into a new array that match
-+a particular block device that's being decrypted for inspection. The
-+function intends to size the result array such that potentially all
-+I<--key> options, plus a terminating C element, fit into it. The
-+code mistakenly uses the C macro instead of C, and therefore
-+only one element is allocated before the C terminator.
-+
-+Passing precisely two I<--key ID:...> options on the command line for
-+the encrypted block device C causes C to overwrite the
-+terminating C, leading to an out-of-bounds read in
-+C, file F.
-+
-+Passing more than two I<--key ID:...> options on the command line for
-+the encrypted block device C causes C itself to perform
-+out-of-bounds writes. The most common symptom is a crash with C
-+later on.
-+
-+This issue affects -- broadly speaking -- all libguestfs-based utilities
-+that accept I<--key>, namely: C, C, C,
-+C, C, C, C,
-+C, C, C, C,
-+C, C, C.
-+
- =head1 SEE ALSO
-
- L,
---
-2.31.1
-
diff --git a/0020-guestfish-guestmount-enable-networking-for-key-ID-cl.patch b/0020-guestfish-guestmount-enable-networking-for-key-ID-cl.patch
deleted file mode 100644
index 7bb7027..0000000
--- a/0020-guestfish-guestmount-enable-networking-for-key-ID-cl.patch
+++ /dev/null
@@ -1,414 +0,0 @@ -From 212708dee7c5c483dd0ce76889f7e20abba7f859 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Thu, 30 Jun 2022 14:20:48 +0200 -Subject: [PATCH] guestfish, guestmount: enable networking for "--key - ID:clevis" - -Call the C-language helper key_store_requires_network() in guestfish and -guestmount. - -(Short log for the "common" submodule, commit range -35467027f657..af6cb55bc58a: - -Laszlo Ersek (12): - options: fix UUID comparison logic bug in get_keys() - mltools/tools_utils: remove unused function "key_store_to_cli" - mltools/tools_utils: allow multiple "--key" options for OCaml tools too - options: replace NULL-termination with number-of-elements in get_keys() - options: wrap each passphrase from get_keys() into a struct - options: add back-end for LUKS decryption with Clevis+Tang - options: introduce selector type "key_clevis" - options: generalize "--key" selector parsing for C-language utilities - mltools/tools_utils-c: handle internal type error with abort() - mltools/tools_utils: generalize "--key" selector parsing for OCaml utils - options, mltools/tools_utils: parse "--key ID:clevis" options - options, mltools/tools_utils: add helper for network dependency -). - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453 -Signed-off-by: Laszlo Ersek -Reviewed-by: Richard W.M. 
Jones -Message-Id: <20220630122048.19335-4-lersek@redhat.com> -(cherry picked from commit 6a5b44f538065a9f661510234a4235bf38348213) ---- - common | 2 +- - fish/fish.c | 3 +++ - fuse/guestmount.c | 4 ++++ - 3 files changed, 8 insertions(+), 1 deletion(-) - -Submodule common 35467027f..af6cb55bc: -diff --git a/common/options/decrypt.c b/common/options/decrypt.c -index 1cd7b627e..97c8b88d1 100644 ---- a/common/options/decrypt.c -+++ b/common/options/decrypt.c -@@ -124,10 +124,10 @@ decrypt_mountables (guestfs_h *g, const char * const *mountables, - while ((mountable = *mnt_scan++) != NULL) { - CLEANUP_FREE char *type = NULL; - CLEANUP_FREE char *uuid = NULL; -- CLEANUP_FREE_STRING_LIST char **keys = NULL; -+ struct matching_key *keys; -+ size_t nr_matches; - CLEANUP_FREE char *mapname = NULL; -- const char * const *key_scan; -- const char *key; -+ size_t scan; - - type = guestfs_vfs_type (g, mountable); - if (type == NULL) -@@ -144,33 +144,45 @@ decrypt_mountables (guestfs_h *g, const char * const *mountables, - /* Grab the keys that we should try with this device, based on device name, - * or UUID (if any). - */ -- keys = get_keys (ks, mountable, uuid); -- assert (keys[0] != NULL); -+ keys = get_keys (ks, mountable, uuid, &nr_matches); -+ assert (nr_matches > 0); - - /* Generate a node name for the plaintext (decrypted) device node. */ - if (uuid == NULL || asprintf (&mapname, "luks-%s", uuid) == -1) - mapname = make_mapname (mountable); - - /* Try each key in turn. 
*/ -- key_scan = (const char * const *)keys; -- while ((key = *key_scan++) != NULL) { -+ for (scan = 0; scan < nr_matches; ++scan) { -+ struct matching_key *key = keys + scan; - int r; - - guestfs_push_error_handler (g, NULL, NULL); -- r = guestfs_cryptsetup_open (g, mountable, key, mapname, -1); -+ assert (key->clevis == (key->passphrase == NULL)); -+ if (key->clevis) -+#ifdef GUESTFS_HAVE_CLEVIS_LUKS_UNLOCK -+ r = guestfs_clevis_luks_unlock (g, mountable, mapname); -+#else -+ error (EXIT_FAILURE, 0, -+ _("'clevis_luks_unlock', needed for decrypting %s, is " -+ "unavailable in this libguestfs version"), mountable); -+#endif -+ else -+ r = guestfs_cryptsetup_open (g, mountable, key->passphrase, mapname, -+ -1); - guestfs_pop_error_handler (g); - - if (r == 0) - break; - } - -- if (key == NULL) -+ if (scan == nr_matches) - error (EXIT_FAILURE, 0, - _("could not find key to open LUKS encrypted %s.\n\n" - "Try using --key on the command line.\n\n" - "Original error: %s (%d)"), - mountable, guestfs_last_error (g), guestfs_last_errno (g)); - -+ free_keys (keys, nr_matches); - decrypted_some = true; - } - -diff --git a/common/options/key-option.pod b/common/options/key-option.pod -index 90a3b15c5..6bc04df17 100644 ---- a/common/options/key-option.pod -+++ b/common/options/key-option.pod -@@ -14,4 +14,13 @@ Use the specified C as passphrase. - - Read the passphrase from F. - -+=item B<--key> C:clevis -+ -+Attempt passphrase-less unlocking for C with Clevis, over the -+network. Please refer to L for more -+information on network-bound disk encryption (NBDE). -+ -+Note that if any such option is present on the command line, QEMU user -+networking will be automatically enabled for the libguestfs appliance. -+ - =back -diff --git a/common/options/keys.c b/common/options/keys.c -index d27a7123e..d987ae561 100644 ---- a/common/options/keys.c -+++ b/common/options/keys.c -@@ -125,11 +125,12 @@ read_first_line_from_file (const char *filename) - * keystore. There may be multiple. 
If none are read from the - * keystore, ask the user. - */ --char ** --get_keys (struct key_store *ks, const char *device, const char *uuid) -+struct matching_key * -+get_keys (struct key_store *ks, const char *device, const char *uuid, -+ size_t *nr_matches) - { -- size_t i, j, nmemb; -- char **r; -+ size_t i, nmemb; -+ struct matching_key *r, *match; - char *s; - - /* We know the returned list must have at least one element and not -@@ -139,22 +140,20 @@ get_keys (struct key_store *ks, const char *device, const char *uuid) - if (ks && ks->nr_keys > nmemb) - nmemb = ks->nr_keys; - -- /* make room for the terminating NULL */ -- if (nmemb == (size_t)-1) -+ if (nmemb > (size_t)-1 / sizeof *r) - error (EXIT_FAILURE, 0, _("size_t overflow")); -- nmemb++; - -- r = calloc (nmemb, sizeof (char *)); -+ r = malloc (nmemb * sizeof *r); - if (r == NULL) -- error (EXIT_FAILURE, errno, "calloc"); -+ error (EXIT_FAILURE, errno, "malloc"); - -- j = 0; -+ match = r; - - if (ks) { - for (i = 0; i < ks->nr_keys; ++i) { - struct key_store_key *key = &ks->keys[i]; - -- if (STRNEQ (key->id, device) && (uuid && STRNEQ (key->id, uuid))) -+ if (STRNEQ (key->id, device) && (!uuid || STRNEQ (key->id, uuid))) - continue; - - switch (key->type) { -@@ -162,68 +161,101 @@ get_keys (struct key_store *ks, const char *device, const char *uuid) - s = strdup (key->string.s); - if (!s) - error (EXIT_FAILURE, errno, "strdup"); -- r[j++] = s; -+ match->clevis = false; -+ match->passphrase = s; -+ ++match; - break; - case key_file: - s = read_first_line_from_file (key->file.name); -- r[j++] = s; -+ match->clevis = false; -+ match->passphrase = s; -+ ++match; -+ break; -+ case key_clevis: -+ match->clevis = true; -+ match->passphrase = NULL; -+ ++match; - break; - } - } - } - -- if (j == 0) { -+ if (match == r) { - /* Key not found in the key store, ask the user for it. 
*/ - s = read_key (device); - if (!s) - error (EXIT_FAILURE, 0, _("could not read key from user")); -- r[0] = s; -+ match->clevis = false; -+ match->passphrase = s; -+ ++match; - } - -+ *nr_matches = (size_t)(match - r); - return r; - } - -+void -+free_keys (struct matching_key *keys, size_t nr_matches) -+{ -+ size_t i; -+ -+ for (i = 0; i < nr_matches; ++i) { -+ struct matching_key *key = keys + i; -+ -+ assert (key->clevis == (key->passphrase == NULL)); -+ if (!key->clevis) -+ free (key->passphrase); -+ } -+ free (keys); -+} -+ - struct key_store * - key_store_add_from_selector (struct key_store *ks, const char *selector) - { -- CLEANUP_FREE_STRING_LIST char **fields = -- guestfs_int_split_string (':', selector); -+ CLEANUP_FREE_STRING_LIST char **fields = NULL; -+ size_t field_count; - struct key_store_key key; - -+ fields = guestfs_int_split_string (':', selector); - if (!fields) - error (EXIT_FAILURE, errno, "guestfs_int_split_string"); -+ field_count = guestfs_int_count_strings (fields); - -- if (guestfs_int_count_strings (fields) != 3) { -- invalid_selector: -- error (EXIT_FAILURE, 0, "invalid selector for --key: %s", selector); -- } -- -- /* 1: device */ -+ /* field#0: ID */ -+ if (field_count < 1) -+ error (EXIT_FAILURE, 0, _("selector '%s': missing ID"), selector); - key.id = strdup (fields[0]); - if (!key.id) - error (EXIT_FAILURE, errno, "strdup"); - -- /* 2: key type */ -- if (STREQ (fields[1], "key")) -+ /* field#1...: TYPE, and TYPE-specific properties */ -+ if (field_count < 2) -+ error (EXIT_FAILURE, 0, _("selector '%s': missing TYPE"), selector); -+ -+ if (STREQ (fields[1], "key")) { - key.type = key_string; -- else if (STREQ (fields[1], "file")) -- key.type = key_file; -- else -- goto invalid_selector; -- -- /* 3: actual key */ -- switch (key.type) { -- case key_string: -+ if (field_count != 3) -+ error (EXIT_FAILURE, 0, -+ _("selector '%s': missing KEY_STRING, or too many fields"), -+ selector); - key.string.s = strdup (fields[2]); - if 
(!key.string.s) - error (EXIT_FAILURE, errno, "strdup"); -- break; -- case key_file: -+ } else if (STREQ (fields[1], "file")) { -+ key.type = key_file; -+ if (field_count != 3) -+ error (EXIT_FAILURE, 0, -+ _("selector '%s': missing FILENAME, or too many fields"), -+ selector); - key.file.name = strdup (fields[2]); - if (!key.file.name) - error (EXIT_FAILURE, errno, "strdup"); -- break; -- } -+ } else if (STREQ (fields[1], "clevis")) { -+ key.type = key_clevis; -+ if (field_count != 2) -+ error (EXIT_FAILURE, 0, _("selector '%s': too many fields"), selector); -+ } else -+ error (EXIT_FAILURE, 0, _("selector '%s': invalid TYPE"), selector); - - return key_store_import_key (ks, &key); - } -@@ -252,6 +284,21 @@ key_store_import_key (struct key_store *ks, const struct key_store_key *key) - return ks; - } - -+bool -+key_store_requires_network (const struct key_store *ks) -+{ -+ size_t i; -+ -+ if (ks == NULL) -+ return false; -+ -+ for (i = 0; i < ks->nr_keys; ++i) -+ if (ks->keys[i].type == key_clevis) -+ return true; -+ -+ return false; -+} -+ - void - free_key_store (struct key_store *ks) - { -@@ -270,6 +317,9 @@ free_key_store (struct key_store *ks) - case key_file: - free (key->file.name); - break; -+ case key_clevis: -+ /* nothing */ -+ break; - } - free (key->id); - } -diff --git a/common/options/options.h b/common/options/options.h -index 80df91a85..60d5d8064 100644 ---- a/common/options/options.h -+++ b/common/options/options.h -@@ -115,6 +115,7 @@ struct key_store_key { - enum { - key_string, /* key specified as string */ - key_file, /* key stored in a file */ -+ key_clevis, /* key reconstructed with Clevis+Tang */ - } type; - union { - struct { -@@ -134,6 +135,19 @@ struct key_store { - size_t nr_keys; - }; - -+/* A key matching a particular ID (pathname of the libguestfs device node that -+ * stands for the encrypted block device, or LUKS UUID). 
-+ */ -+struct matching_key { -+ /* True iff the passphrase should be reconstructed using Clevis, talking to -+ * Tang servers over the network. -+ */ -+ bool clevis; -+ -+ /* Explicit passphrase, otherwise. */ -+ char *passphrase; -+}; -+ - /* in config.c */ - extern void parse_config (void); - -@@ -151,9 +165,12 @@ extern void print_inspect_prompt (void); - - /* in key.c */ - extern char *read_key (const char *param); --extern char **get_keys (struct key_store *ks, const char *device, const char *uuid); -+extern struct matching_key *get_keys (struct key_store *ks, const char *device, -+ const char *uuid, size_t *nr_matches); -+extern void free_keys (struct matching_key *keys, size_t nr_matches); - extern struct key_store *key_store_add_from_selector (struct key_store *ks, const char *selector); - extern struct key_store *key_store_import_key (struct key_store *ks, const struct key_store_key *key); -+extern bool key_store_requires_network (const struct key_store *ks); - extern void free_key_store (struct key_store *ks); - - /* in options.c */ -diff --git a/fish/fish.c b/fish/fish.c -index 23d9bb94f..19e3d2799 100644 ---- a/fish/fish.c -+++ b/fish/fish.c -@@ -476,6 +476,9 @@ main (int argc, char *argv[]) - /* If we've got drives to add, add them now. */ - add_drives (drvs); - -+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1) -+ exit (EXIT_FAILURE); -+ - /* If we've got mountpoints or prepared drives or -i option, we must - * launch the guest and mount them. - */ -diff --git a/fuse/guestmount.c b/fuse/guestmount.c -index 77c534828..3c6d57bde 100644 ---- a/fuse/guestmount.c -+++ b/fuse/guestmount.c -@@ -348,6 +348,10 @@ main (int argc, char *argv[]) - - /* Do the guest drives and mountpoints. */ - add_drives (drvs); -+ -+ if (key_store_requires_network (ks) && guestfs_set_network (g, 1) == -1) -+ exit (EXIT_FAILURE); -+ - if (guestfs_launch (g) == -1) - exit (EXIT_FAILURE); - if (inspector) --- -2.31.1 - 
diff --git a/libguestfs.spec b/libguestfs.spec index 00c6a99..45193f3 100644 --- a/libguestfs.spec +++ b/libguestfs.spec @@ -47,8 +47,8 @@ Summary: Access and modify virtual machine disk images Name: libguestfs Epoch: 1 -Version: 1.48.3 -Release: 5%{?dist} +Version: 1.48.4 +Release: 1%{?dist} License: LGPLv2+ # Build only for architectures that have a kernel 
@@ -94,26 +94,13 @@ Patch0005: 0005-lib-drive_create_data-drive-remove-field-iface.patch Patch0006: 0006-lib-rename-VALID_FORMAT_IFACE-to-VALID_FORMAT.patch Patch0007: 0007-tests-regressions-remove-iface-based-restrictions.patch Patch0008: 0008-generator-customize-invert-SELinux-relabeling-defaul.patch - # *NB* I modified this patch by hand to remove references to any - # files in common/mlcustomize. This directory is not included - # in the libguestfs tarball. -Patch0009: 0009-update-common-submodule.patch -Patch0010: 0010-generator-customize-reintroduce-selinux-relabel-as-a.patch - # *NB* This patch only references common/mlcustomize, so it is removed. -#Patch0011: 0011-update-common-submodule.patch -Patch0012: 0012-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch -Patch0013: 0013-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch -Patch0014: 0014-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch -Patch0015: 0015-build-Pick-first-field-in-ID_LIKE.patch -Patch0016: 0016-appliance-daemon-disable-lvm2-devicesfile.patch -Patch0017: 0017-php-add-arginfo-to-php-bindings.patch - # *NB* I modified this patch by hand to remove references to any - # files in common/mlcustomize. -Patch0018: 0018-docs-guestfs-security-document-CVE-2022-2211.patch -Patch0019: 0019-introduce-the-clevis_luks_unlock-API.patch - # *NB* I modified this patch by hand to remove references to any - # files in common/mltools. 
-Patch0020: 0020-guestfish-guestmount-enable-networking-for-key-ID-cl.patch +Patch0009: 0009-generator-customize-reintroduce-selinux-relabel-as-a.patch +Patch0010: 0010-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch +Patch0011: 0011-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch +Patch0012: 0012-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch +Patch0013: 0013-php-add-arginfo-to-php-bindings.patch +Patch0014: 0014-introduce-the-clevis_luks_unlock-API.patch +Patch0015: 0015-guestfish-guestmount-enable-networking-for-key-ID-cl.patch %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool, gettext-devel @@ -1149,8 +1136,8 @@ rm ocaml/html/.gitignore %changelog -* Mon Jul 04 2022 Richard W.M. Jones - 1:1.48.3-5 -- Rebase to new stable branch version 1.48.3 +* Wed Jul 06 2022 Richard W.M. Jones - 1:1.48.4-1 +- Rebase to new stable branch version 1.48.4 resolves: rhbz#2059285 - Disable 5-level page tables when using -cpu max resolves: rhbz#2084568 diff --git a/sources b/sources index 4ddd628..cc49ea5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (libguestfs-1.48.3.tar.gz) = d88b7869e6098af1f7748dc2e8163b245ea251fcdf962a71e3735f5a1748c9e87a17be259802da3e0bb13569d7f7233b2c5a554b20a2a7758e1974a30a70b786 -SHA512 (libguestfs-1.48.3.tar.gz.sig) = f372cddfb661727c7e33505b9f038828e8341a229098c089b0b9f2167fc6308045e402cbfea653dfc0bd5343e2c9f9e2757af7923515615ac38430c132620de7 +SHA512 (libguestfs-1.48.4.tar.gz) = 76b942de88fa6fb48db667054a2c4fc23dd17b0a6083cddd51f1a77fdac24c0c7acd6be5234ada955b4afa94b0d8023aab50aa152465a6bc65f0e21d4195d50c +SHA512 (libguestfs-1.48.4.tar.gz.sig) = 4c8e1a58e60214b1189501a96c20349d1ab8ccb9be5d75389342ca40b35a561812889b363edaccb8df5b999d0d337c3572eff59a086a21ea3c77b601a600efe2
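Review bot: The patch list in the `@@ -94,26 +94,13 @@` hunk drops `Patch0018: 0018-docs-guestfs-security-document-CVE-2022-2211.patch`, and nothing visible in the spec says where that change now comes from. The deleted patch file earlier on this page appears to carry the corrected `get_keys()` allocation (the `MIN (1, ks->nr_keys)` sizing replaced by the `nmemb` logic) alongside the guestfs-security.pod text. The build therefore relies on the 1.48.4 tarball containing both, which is likely for a stable-branch rebase but is not shown here. After confirming the tarball has the corrected allocation, I would record it in the changelog entry, for example `- Drop patches now included in 1.48.4 (CVE-2022-2211 fix and documentation)`. The same applies to the dropped 0009, 0015 and 0016 patches.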