import CS libnbd-1.18.1-3.el9

.gitignore

@@ -1,2 +1,2 @@
 SOURCES/libguestfs.keyring
-SOURCES/libnbd-1.16.0.tar.gz
+SOURCES/libnbd-1.18.1.tar.gz

.libnbd.metadata

@@ -1,2 +1,2 @@
 cc1b37b9cfafa515aab3eefd345ecc59aac2ce7b SOURCES/libguestfs.keyring
-c2414379523599f06d4fb1f16fb9ed988e7fbb35 SOURCES/libnbd-1.16.0.tar.gz
+4f99e6f21edffe62b394aa9c7fb68149e6d4d5e4 SOURCES/libnbd-1.18.1.tar.gz

SOURCES/0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch

@@ -0,0 +1,88 @@
+From 4451e5b61ca07771ceef3e012223779e7a0c7701 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Mon, 30 Oct 2023 12:50:53 -0500
+Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS,
+ CVE-2023-5871
+
+Another round of fuzz testing revealed that when a server negotiates
+extended headers and replies with a 64-bit flag value where the client
+used the 32-bit API command, we were correctly flagging the server's
+response as being an EOVERFLOW condition, but then immediately failing
+in an assertion failure instead of reporting it to the application.
+
+The following one-byte change to qemu.git at commit fd9a38fd43 allows
+the creation of an intentionally malicious server:
+
+| diff --git i/nbd/server.c w/nbd/server.c
+| index 859c163d19f..32e1e771a95 100644
+| --- i/nbd/server.c
+| +++ w/nbd/server.c
+| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea)
+|
+|      for (i = 0; i < ea->count; i++) {
+|          ea->extents[i].length = cpu_to_be64(ea->extents[i].length);
+| -        ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags);
+| +        ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags);
+|      }
+|  }
+
+and can then be detected with the following command line:
+
+$ nbdsh -c - <<\EOF
+> def f(a,b,c,d):
+>   pass
+>
+> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd",
+>   "-r", "-f", "raw", "TODO"])
+> h.block_staus(h.get_size(), 0, f)
+> EOF
+nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed.
+Aborted (core dumped)
+
+whereas a fixed libnbd will give:
+
+nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type
+
+We can either relax the assertion (by changing to 'assert ((len |
+flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags
+to make the existing assertion reliable.  This patch goes with the
+latter approach.
+
+Sadly, this crash is possible in all existing 1.18.x stable releases,
+if they were built with assertions enabled (most distros do this by
+default), meaning a malicious server has an easy way to cause a Denial
+of Service attack by triggering the assertion failure in vulnerable
+clients, so we have assigned this CVE-2023-5871.  Mitigating factors:
+the crash only happens for a server that sends a 64-bit status block
+reply (no known production servers do so; qemu 8.2 will be the first
+known server to support extended headers, but it is not yet released);
+and as usual, a client can use TLS to guarantee it is connecting only
+to a known-safe server.  If libnbd is compiled without assertions,
+there is no crash or other mistaken behavior; and when assertions are
+enabled, the attacker cannot accomplish anything more than a denial of
+service.
+
+Reported-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ generator/states-reply-chunk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c
+index 5a31c19..8ab7e8b 100644
+--- a/generator/states-reply-chunk.c
++++ b/generator/states-reply-chunk.c
+@@ -600,6 +600,7 @@ STATE_MACHINE {
+             break; /* Skip this and later extents; we already made progress */
+           /* Expose this extent as an error; we made no progress */
+           cmd->error = cmd->error ? : EOVERFLOW;
++          flags = (uint32_t)flags;
+         }
+       }
+ 
+-- 
+2.39.3
+

SOURCES/0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch

@@ -0,0 +1,34 @@
+From c39e31b7a20c7dc8aa12c5fa3f1742824e1e0c76 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 9 Nov 2023 09:40:30 +0000
+Subject: [libnbd PATCH] docs: Fix incorrect xref in libnbd-release-notes for
+ 1.18
+Content-type: text/plain
+
+LIBNBD_STRICT_AUTO_FLAG was added to nbd_set_strict_mode(3).
+
+Reported-by: Vera Wu
+(cherry picked from commit 4fef3dbc07e631fce58487d25d991e83bbb424b1)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ docs/libnbd-release-notes-1.18.pod | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/docs/libnbd-release-notes-1.18.pod b/docs/libnbd-release-notes-1.18.pod
+index 935fab11..836ebe19 100644
+--- a/docs/libnbd-release-notes-1.18.pod
++++ b/docs/libnbd-release-notes-1.18.pod
+@@ -84,8 +84,8 @@ Golang, OCaml and Python language bindings (Eric Blake).
+
+ L<nbd_shutdown(3)> now works correctly when in opt mode (Eric Blake).
+
+-L<nbd_set_string(3)> adds C<LIBNBD_STRICT_AUTO_FLAG> which allows the
+-client to test how servers behave when the payload length flag is
++L<nbd_set_strict_mode(3)> adds C<LIBNBD_STRICT_AUTO_FLAG> which allows
++the client to test how servers behave when the payload length flag is
+ adjusted (Eric Blake).
+
+ =head2 Protocol
+-- 
+2.41.0
+

SOURCES/0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch

@@ -0,0 +1,206 @@
+From 32cb9ab9f1701b1a1a826b48f2083cb75adf1e87 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 9 Nov 2023 20:11:08 -0600
+Subject: [libnbd PATCH] tests: Check behavior of
+ nbd_set_strict_mode(STRICT_AUTO_FLAG)
+Content-type: text/plain
+
+While developing extended header support for qemu 8.2, I needed a way
+to make libnbd quickly behave as a non-compliant client to test corner
+cases in qemu's server code; so I wrote commit 5c1dae9236 ("api: Add
+LIBNBD_STRICT_AUTO_FLAG to nbd_set_strict", v1.18.0) to meet my needs.
+However, I failed to codify my manual tests of that bit into a unit
+test for libnbd, until now.  Most sane clients will never call
+nbd_set_strict_mode() in the first place (after all, it is explicitly
+documented as an integration tool, which is how I used it with my qemu
+code development), but it never hurts to make sure we don't break it
+even for the relatively small set of users that would ever use it.
+
+The test added here runs in two parts; if you get a SKIP despite
+having qemu-nbd, then the first part ran successfully before the
+second half gave up due to lack of extended headers in qemu
+(presumably qemu 8.1 or older); if you get a PASS, then both parts
+were run.  However, both parts are inherently fragile, depending on
+behavior known to be in qemu 8.2 - while it is unlikely to change in
+future qemu releases (at least as long as I continue to maintain NBD
+code there), the fact that we are intentionally violating the NBD
+protocol means a different server is within its rights to behave
+differently than qemu 8.2 did.  Hence this test lives in interop/
+rather than tests/ because of its strong ties to a particular qemu.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit 54d4426394c372413f55f648d4ad1d21b3395e07)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ interop/Makefile.am              |   2 +
+ interop/strict-mode-auto-flag.sh | 138 +++++++++++++++++++++++++++++++
+ 2 files changed, 140 insertions(+)
+ create mode 100755 interop/strict-mode-auto-flag.sh
+
+diff --git a/interop/Makefile.am b/interop/Makefile.am
+index d6485adf..ac12d84a 100644
+--- a/interop/Makefile.am
++++ b/interop/Makefile.am
+@@ -28,6 +28,7 @@ EXTRA_DIST = \
+ 	structured-read.sh \
+ 	opt-extended-headers.sh \
+ 	block-status-payload.sh \
++	strict-mode-auto-flag.sh \
+ 	$(NULL)
+
+ TESTS_ENVIRONMENT = \
+@@ -153,6 +154,7 @@ TESTS += \
+ 	interop-qemu-block-size.sh \
+ 	opt-extended-headers.sh \
+ 	block-status-payload.sh \
++	strict-mode-auto-flag.sh \
+ 	$(NULL)
+
+ interop_qemu_nbd_SOURCES = \
+diff --git a/interop/strict-mode-auto-flag.sh b/interop/strict-mode-auto-flag.sh
+new file mode 100755
+index 00000000..8f73ea73
+--- /dev/null
++++ b/interop/strict-mode-auto-flag.sh
+@@ -0,0 +1,138 @@
++#!/usr/bin/env bash
++# nbd client library in userspace
++# Copyright Red Hat
++#
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation; either
++# version 2 of the License, or (at your option) any later version.
++#
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++
++# Test effect of AUTO_FLAG bit in set_strict_mode()
++
++source ../tests/functions.sh
++set -e
++set -x
++
++requires truncate --version
++requires qemu-nbd --version
++requires nbdsh --version
++
++file="strict-mode-auto-flag.file"
++rm -f $file
++cleanup_fn rm -f $file
++
++truncate -s 1M $file
++
++# Unconditional part of test: behavior when extended headers are not in use
++$VG nbdsh -c '
++import errno
++
++h.set_request_extended_headers(False)
++args = ["qemu-nbd", "-f", "raw", "'"$file"'"]
++h.connect_systemd_socket_activation(args)
++assert h.get_extended_headers_negotiated() is False
++
++# STRICT_AUTO_FLAG and STRICT_COMMANDS are on by default
++flags = h.get_strict_mode()
++assert flags & nbd.STRICT_AUTO_FLAG
++assert flags & nbd.STRICT_COMMANDS
++
++# Under STRICT_AUTO_FLAG, using or omitting flag does not matter; client
++# side auto-corrects the flag before passing to server
++h.pwrite(b"1"*512, 0, 0)
++h.pwrite(b"2"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
++
++# Without STRICT_AUTO_FLAG but still STRICT_COMMANDS, client side now sees
++# attempts to use the flag as invalid
++flags = flags & ~nbd.STRICT_AUTO_FLAG
++h.set_strict_mode(flags)
++h.pwrite(b"3"*512, 0, 0)
++stats = h.stats_bytes_sent()
++try:
++  h.pwrite(b"4"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
++  assert False
++except nbd.Error as e:
++  assert e.errnum == errno.EINVAL
++assert stats == h.stats_bytes_sent()
++
++# Warning: fragile test ahead.  Without STRICT_COMMANDS, we send unexpected
++# flag to qemu, and expect failure. For qemu <= 8.1, this is safe (those
++# versions did not know the flag, and correctly reject unknown flags with
++# NBD_EINVAL). For qemu 8.2, this also works (qemu knows the flag, but warns
++# that we were not supposed to send it without extended headers). But if
++# future qemu versions change to start silently ignoring the flag (after all,
++# a write command obviously has a payload even without extended headers, so
++# the flag is redundant for NBD_CMD_WRITE), then we may need to tweak this.
++flags = flags & ~nbd.STRICT_COMMANDS
++h.set_strict_mode(flags)
++h.pwrite(b"5"*512, 0, 0)
++stats = h.stats_bytes_sent()
++try:
++  h.pwrite(b"6"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
++  print("Did newer qemu change behavior?")
++  assert False
++except nbd.Error as e:
++  assert e.errnum == errno.EINVAL
++assert stats < h.stats_bytes_sent()
++
++h.shutdown()
++'
++
++# Conditional part of test: only run if qemu supports extended headers
++requires nbdinfo --has extended-headers -- [ qemu-nbd -r -f raw "$file" ]
++$VG nbdsh -c '
++import errno
++
++args = ["qemu-nbd", "-f", "raw", "'"$file"'"]
++h.connect_systemd_socket_activation(args)
++assert h.get_extended_headers_negotiated() is True
++
++# STRICT_AUTO_FLAG and STRICT_COMMANDS are on by default
++flags = h.get_strict_mode()
++assert flags & nbd.STRICT_AUTO_FLAG
++assert flags & nbd.STRICT_COMMANDS
++
++# Under STRICT_AUTO_FLAG, using or omitting flag does not matter; client
++# side auto-corrects the flag before passing to server
++h.pwrite(b"1"*512, 0, 0)
++h.pwrite(b"2"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
++
++# Without STRICT_AUTO_FLAG but still STRICT_COMMANDS, client side now sees
++# attempts to omit the flag as invalid
++flags = flags & ~nbd.STRICT_AUTO_FLAG
++h.set_strict_mode(flags)
++h.pwrite(b"3"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
++stats = h.stats_bytes_sent()
++try:
++  h.pwrite(b"4"*512, 0, 0)
++  assert False
++except nbd.Error as e:
++  assert e.errnum == errno.EINVAL
++assert stats == h.stats_bytes_sent()
++
++# Warning: fragile test ahead.  Without STRICT_COMMANDS, omitting the flag
++# is a protocol violation. qemu 8.2 silently ignores the violation; but a
++# future qemu might start failing the command, at which point we would need
++# to tweak this part of the test.
++flags = flags & ~nbd.STRICT_COMMANDS
++h.set_strict_mode(flags)
++h.pwrite(b"5"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN)
++stats = h.stats_bytes_sent()
++try:
++  h.pwrite(b"6"*512, 0, 0)
++except nbd.Error:
++  print("Did newer qemu change behavior?")
++  assert False
++assert stats < h.stats_bytes_sent()
++
++h.shutdown()
++'
+-- 
+2.41.0
+

SOURCES/copy-patches.sh

@@ -6,7 +6,7 @@ set -e
 # directory.  Use it like this:
 #   ./copy-patches.sh
 
-rhel_version=9.3
+rhel_version=9.4
 
 # Check we're in the right directory.
 if [ ! -f libnbd.spec ]; then

SOURCES/libnbd-1.16.0.tar.gz.sig

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmQ+sXgRHHJpY2hAYW5u
-ZXhpYS5vcmcACgkQkXOPc+G3aKCBfw//VlPUPQXmQv4wz4aXPvlncbfktcZbLk4I
-eeRBt3dNBQNRIUzPMKfxOSWOX7H2zRp0mOMX9gFu+urvFfjn25QEAdkLpDJvoYVf
-Csy9CzYu/CeuUzl43h07FW8n8oXbp0YZkWnq1+QoO3tqrjn9JXJRttMYhn7K6Hgi
-zhuTsS/GfYrdzVRFBgF0DPJmso6M0fe9uk8cXAxuKPdrBwzqIUgFj1VOnwK1Pmla
-vwSZTDB0SPK54lu1Pfw7nGiQQeyG59V//T7NYqQPrhQ+4j8Wx5/+3IPO2Q6FNp/x
-OAsYKsPLQhu91oJPj6M7Xubt/rVSKJ8crHLtgwI7ZdVwzMfwAGzuf5qTta1HXlJj
-uXOQLja0/x9pddVWEw+gUutRjOg6ayRAroMDYgucp8gdIny2MpjsRQX9wlAjFCoE
-kGayXqRtVTDqtEVdeRPpMh1IyZcYkSuFUXevVuEqHSiUPXIWC7zVCS7WSkl53DLV
-mcdSp7dQsIERrd99gi/bve2ndCHMkcRV5c26b3wTaTH7IpMMCrje+TS14bNn4e3M
-MNwdwTkEBoagEDcYobZN0P2alL3MSeleEjycEQbJMD90PZC1Jya/tqbnlKIRvHS1
-nWxBTEZMIj4/HOCRNx+2nWLIxn4kAMRZ/zuYRlaXaA0GV0AdJxyobDuevrkglZtg
-qD401mkvLis=
-=3xTJ
------END PGP SIGNATURE-----

SOURCES/libnbd-1.18.1.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmU2izoRHHJpY2hAYW5u
+ZXhpYS5vcmcACgkQkXOPc+G3aKA+txAAkLeWdvH2ryibEyqMeyejvh9vMgQO5I46
+LaygI8jDi+XG+rGy7imiwIxxWvyCZI3y2U5MFudLZoFi+gCyVAC+LeBxjF41NBGz
+fbgwFaQHrCbxyLlsj9OcR6M0+EPU8NXXPPGgXZNcnf7tHNZkTO0OGS9chml0wXHA
+Zx9WheHl6wbLTVIAtLWOJqzRQj80RlcPC+De1wZL+WFMPMkfF8L8K5FRNsfeTIXn
+l31d1R0g5QOMTTqBiKE2iopPmVmA5uC/adWCuqF3mzzjzCkHp+Ux/Ys99tkCETrU
+jUuHgJ+1pYjn4Lmt/HUwXQZD3L+RkNAWWQziY/3ejK31tGxZqR/XTwq5RPrc6Qs1
+/zuoWvSWJZZo9yvX1Iq2RQAaZF5724V/svm+HgaCakaK8EJEj6sntM0OhAl2pRC4
+G45Kb2o7k016WgL8plNOlrbHNxaruBcPrkFYDMoyy3KLnWaw3OYMARTD5w/Pd4dC
+CJa3tIXIKedhXw9xDtEWfxiKIHfO+LBHBMjpW9KzP/oxE2akmcJZJT+JNpsrpdzV
+O6mbVDPedWd5LQQ1bNmwzxkCsMEC9HFhVbCaTuYuSXe/By04Norns4xyEJyDXlG/
+QqFgEUS8R+V9xwYHoAPg5RUmycXubSmm64iTAQNqc46QsxeP0Va7gpbrPLe5qVk/
+irUsxdBhGIM=
+=pgmp
+-----END PGP SIGNATURE-----

SPECS/libnbd.spec

@@ -1,21 +1,18 @@
-# Do this until the feature is fixed in Fedora.
-%undefine _package_note_flags
-
 # If we should verify tarball signature with GPGv2.
 %global verify_tarball_signature 1
 
 # If there are patches which touch autotools files, set this to 1.
-%global patches_touch_autotools %{nil}
+%global patches_touch_autotools 1
 
 # The source directory.
-%global source_directory 1.16-stable
+%global source_directory 1.18-stable
 
 Name:           libnbd
-Version:        1.16.0
-Release:        1%{?dist}
+Version:        1.18.1
+Release:        3%{?dist}
 Summary:        NBD client library in userspace
 
-License:        LGPLv2+
+License:        LGPL-2.0-or-later AND BSD-3-Clause
 URL:            https://gitlab.com/nbdkit/libnbd
 
 Source0:        http://libguestfs.org/download/libnbd/%{source_directory}/%{name}-%{version}.tar.gz
@@ -29,9 +26,12 @@ Source2:       libguestfs.keyring
 Source3:        copy-patches.sh
 
 # Patches are stored in the upstream repository:
-# https://gitlab.com/nbdkit/libnbd/-/commits/rhel-9.3/
+# https://gitlab.com/nbdkit/libnbd/-/commits/rhel-9.4/
 
-# (no patches)
+# Patches.
+Patch0001:     0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch
+Patch0002:     0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch
+Patch0003:     0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch
 
 %if 0%{patches_touch_autotools}
 BuildRequires: autoconf, automake, libtool
@@ -60,10 +60,12 @@ BuildRequires:  ubdsrv-devel >= 1.0-3.rc6
 # For the Python 3 bindings.
 BuildRequires:  python3-devel
 
+%ifnarch %{ix86}
 # For the OCaml bindings.
 BuildRequires:  ocaml
 BuildRequires:  ocaml-findlib-devel
 BuildRequires:  ocaml-ocamldoc
+%endif
 
 # Only for building the examples.
 BuildRequires:  glib2-devel
@@ -98,6 +100,11 @@ BuildRequires:  nbdkit-sh-plugin
 BuildRequires:  nbdkit-sparse-random-plugin
 %endif
 
+%ifnarch %{ix86}
+# The OCaml runtime system does not provide this symbol
+%global __ocaml_requires_opts -x Stdlib__Callback
+%endif
+
 
 %description
 NBD — Network Block Device — is a protocol for accessing Block Devices
@@ -122,7 +129,6 @@ The key features are:
 
 %package devel
 Summary:        Development headers for %{name}
-License:        LGPLv2+ and BSD
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 
 
@@ -130,6 +136,7 @@ Requires:       %{name}%{?_isa} = %{version}-%{release}
 This package contains development headers for %{name}.
 
 
+%ifnarch %{ix86}
 %package -n ocaml-%{name}
 Summary:        OCaml language bindings for %{name}
 Requires:       %{name}%{?_isa} = %{version}-%{release}
@@ -148,6 +155,7 @@ Requires:       ocaml-%{name}%{?_isa} = %{version}-%{release}
 This package contains OCaml language development package for
 %{name}.  Install this if you want to compile OCaml software which
 uses %{name}.
+%endif
 
 
 %package -n python3-%{name}
@@ -166,7 +174,6 @@ python3-%{name} contains Python 3 bindings for %{name}.
 
 %package -n nbdfuse
 Summary:        FUSE support for %{name}
-License:        LGPLv2+ and BSD
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 Recommends:     fuse3
 
@@ -178,7 +185,6 @@ This package contains FUSE support for %{name}.
 %if !0%{?rhel}
 %package -n nbdublk
 Summary:        Userspace NBD block device
-License:        LGPLv2+
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 Recommends:     kernel >= 6.0.0
 Recommends:     %{_sbindir}/ublk
@@ -220,9 +226,14 @@ autoreconf -i
     --with-tls-priority=@LIBNBD,SYSTEM \
     PYTHON=%{__python3} \
     --enable-python \
+%ifnarch %{ix86}
     --enable-ocaml \
+%else
+    --disable-ocaml \
+%endif
     --enable-fuse \
-    --disable-golang
+    --disable-golang \
+    --disable-rust
 
 make %{?_smp_mflags}
 
@@ -236,6 +247,11 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
 # Delete the golang man page since we're not distributing the bindings.
 rm $RPM_BUILD_ROOT%{_mandir}/man3/libnbd-golang.3*
 
+%ifarch %{ix86}
+# Delete the OCaml man page on i686.
+rm $RPM_BUILD_ROOT%{_mandir}/man3/libnbd-ocaml.3*
+%endif
+
 %if 0%{?rhel}
 # Delete nbdublk on RHEL.
 rm $RPM_BUILD_ROOT%{_datadir}/bash-completion/completions/nbdublk
@@ -308,12 +324,12 @@ make %{?_smp_mflags} check || {
 %{_mandir}/man3/nbd_*.3*
 
 
+%ifnarch %{ix86}
 %files -n ocaml-%{name}
-%{_libdir}/ocaml/nbd
-%exclude %{_libdir}/ocaml/nbd/*.a
-%exclude %{_libdir}/ocaml/nbd/*.cmxa
-%exclude %{_libdir}/ocaml/nbd/*.cmx
-%exclude %{_libdir}/ocaml/nbd/*.mli
+%dir %{_libdir}/ocaml/nbd
+%{_libdir}/ocaml/nbd/META
+%{_libdir}/ocaml/nbd/*.cma
+%{_libdir}/ocaml/nbd/*.cmi
 %{_libdir}/ocaml/stublibs/dllmlnbd.so
 %{_libdir}/ocaml/stublibs/dllmlnbd.so.owner
 
@@ -321,13 +337,16 @@ make %{?_smp_mflags} check || {
 %files -n ocaml-%{name}-devel
 %doc ocaml/examples/*.ml
 %license ocaml/examples/LICENSE-FOR-EXAMPLES
-%{_libdir}/ocaml/nbd/*.a
+%ifarch %{ocaml_native_compiler}
 %{_libdir}/ocaml/nbd/*.cmxa
 %{_libdir}/ocaml/nbd/*.cmx
+%endif
+%{_libdir}/ocaml/nbd/*.a
 %{_libdir}/ocaml/nbd/*.mli
 %{_mandir}/man3/libnbd-ocaml.3*
 %{_mandir}/man3/NBD.3*
 %{_mandir}/man3/NBD.*.3*
+%endif
 
 
 %files -n python3-%{name}
@@ -364,6 +383,18 @@ make %{?_smp_mflags} check || {
 
 
 %changelog
+* Mon Nov 13 2023 Eric Blake <eblake@redhat.com> - 1.18.1-3
+- Backport unit test of recent libnbd API addition
+  resolves: RHEL-16292
+
+* Wed Nov 01 2023 Richard W.M. Jones <rjones@redhat.com> - 1.18.1-2
+- Fix assertion in ext-mode BLOCK_STATUS (CVE-2023-5871)
+  resolves: RHEL-15143
+
+* Tue Oct 24 2023 Richard W.M. Jones <rjones@redhat.com> - 1.18.1-1
+- Rebase to 1.18.1
+  resolves: RHEL-14476
+
 * Tue Apr 18 2023 Richard W.M. Jones <rjones@redhat.com> - 1.16.0-1
 - Rebase to 1.16.0
   resolves: rhbz#2168628