Rebase to libnbd 1.23.11

resolves: RHEL-111243

Synch spec file with Fedora

Fix unsanitized hostnames in nbd+ssh URIs, which allow remote execution
resolves: RHEL-129296
Richard W.M. Jones 2025-11-18 14:10:58 +00:00
parent 1809c4bb0d
commit 3a18c60944
6 changed files with 20 additions and 347 deletions


@ -1,114 +0,0 @@
From 1f2ba448ffd703d3e19016fdc52bc181fb902346 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Sun, 24 Aug 2025 13:58:33 +0100
Subject: [PATCH] lib/uri.c: Replace nbd-user with tls-username
Commit f9df1ba621 added a new nbd-user parameter which let you
override the TLS username. It was misnamed, and should have been
called tls-username, both to reflect its actual use and to fit in with
the other tls-* parameters, so let's rename it.
Renaming it also allows simplifying the loop which checks for other
query parameters.
Updates: commit f9df1ba621cffc3ef74fdb27650c9258b0abd3fc
---
generator/API.ml | 16 ++++++++--------
lib/uri.c | 25 ++++++++++++-------------
2 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/generator/API.ml b/generator/API.ml
index ab135004..c434e3e6 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -2075,14 +2075,6 @@ For SSH transport, this specifies the port used to connect to
the NBD server, but the port in the authority field is used for
the SSH connection.
-=item B<nbd-user=>C<USER>
-
-Override the username from the authority part of the URI.
-
-For SSH transport, this specifies the user for connecting to
-the NBD server, but the user in the authority field is used
-for the SSH connection.
-
=item B<socket=>F<SOCKET>
Specifies the Unix domain socket to connect on.
@@ -2103,6 +2095,14 @@ this is not allowed by default - see next section.
Set the TLS hostname. See L<nbd_set_tls_hostname(3)>.
+=item B<tls-username=>C<USER>
+
+Override the username from the authority part of the URI.
+
+For SSH transport, this specifies the TLS username for connecting to
+the NBD server, but the user in the authority field is used
+for the SSH connection.
+
=item B<tls-verify-peer=false>
Do not verify the server certificate. See L<nbd_set_tls_verify_peer(3)>.
diff --git a/lib/uri.c b/lib/uri.c
index e110bc34..45ba531c 100644
--- a/lib/uri.c
+++ b/lib/uri.c
@@ -350,7 +350,7 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
uri_query_list queries = empty_vector;
int i, r;
int ret = -1;
- const char *nbd_user = NULL, *nbd_port = NULL;
+ const char *nbd_port = NULL;
const char *tls_username = NULL;
const char *unixsocket = NULL;
@@ -489,9 +489,12 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
if (tls && nbd_unlocked_set_tls (h, LIBNBD_TLS_REQUIRE) == -1)
goto cleanup;
- /* Look for some tls-* parameters. */
+ /* Look for some other query parameters. */
for (i = 0; i < queries.len; i++) {
- if (strcasecmp (queries.ptr[i].name, "tls-certificates") == 0) {
+ if (strcasecmp (queries.ptr[i].name, "nbd-port") == 0) {
+ nbd_port = queries.ptr[i].value;
+ }
+ else if (strcasecmp (queries.ptr[i].name, "tls-certificates") == 0) {
if (! h->uri_allow_local_file) {
set_error (EPERM,
"local file access (tls-certificates) is not allowed, "
@@ -515,6 +518,9 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
if (nbd_unlocked_set_tls_hostname (h, queries.ptr[i].value) == -1)
goto cleanup;
}
+ else if (strcasecmp (queries.ptr[i].name, "tls-username") == 0) {
+ tls_username = queries.ptr[i].value; /* set below */
+ }
else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) {
int v = parse_bool ("tls-verify-peer", queries.ptr[i].value);
if (v == -1)
@@ -524,16 +530,9 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
}
}
- /* NBD user and port overrides.. */
- for (i = 0; i < queries.len; i++) {
- if (strcasecmp (queries.ptr[i].name, "nbd-user") == 0)
- nbd_user = queries.ptr[i].value;
- else if (strcasecmp (queries.ptr[i].name, "nbd-port") == 0)
- nbd_port = queries.ptr[i].value;
- }
-
- /* Set the TLS username. Always prefer nbd-user. */
- tls_username = nbd_user ? : (uri->user ? : NULL);
+ /* Set the TLS username. Always prefer tls-username parameter. */
+ if (!tls_username)
+ tls_username = uri->user;
if (tls_username && nbd_unlocked_set_tls_username (h, tls_username) == -1)
goto cleanup;
--
2.47.1


@ -1,66 +0,0 @@
From 2a5c694f7370773cb51e0d344ea8da91cbe8518e Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Sun, 24 Aug 2025 16:32:18 +0100
Subject: [PATCH] tests: Add a test of tls-username in NBD URIs
This (or the previously added nbd-user) was not tested.
---
.gitignore | 1 +
tests/Makefile.am | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/.gitignore b/.gitignore
index bbe3967f..a373fc29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -230,6 +230,7 @@ Makefile.in
/tests/connect-uri-nbds-unix-tls-hostname
/tests/connect-uri-nbds-unix-tls-verify-peer-false
/tests/connect-uri-nbds-unix-psk
+/tests/connect-uri-nbds-unix-psk-tls-username
/tests/debug
/tests/debug-environment
/tests/dlopen
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8aca4c7d..e3b74a1d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -904,10 +904,12 @@ if HAVE_PSKTOOL
check_PROGRAMS += \
connect-uri-nbds-psk \
connect-uri-nbds-unix-psk \
+ connect-uri-nbds-unix-psk-tls-username \
$(NULL)
TESTS += \
connect-uri-nbds-psk \
connect-uri-nbds-unix-psk \
+ connect-uri-nbds-unix-psk-tls-username \
$(NULL)
connect_uri_nbds_psk_SOURCES = \
@@ -936,6 +938,22 @@ connect_uri_nbds_unix_psk_CPPFLAGS = \
$(NULL)
connect_uri_nbds_unix_psk_LDADD = $(top_builddir)/lib/libnbd.la
+connect_uri_nbds_unix_psk_tls_username_SOURCES = \
+ connect-uri.c \
+ requires.c requires.h pick-a-port.c pick-a-port.h \
+ $(NULL)
+connect_uri_nbds_unix_psk_tls_username_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ -DDEFINE_STR_AS_UNIX_SOCKET=1 \
+ -DSERVER_PARAMS='"-U", str, "--tls=require", "--tls-verify-peer", "--tls-psk=keys.psk"' \
+ -DREQUIRES="requires_nbdkit_tls_verify_peer ();" \
+ -DURI='"nbds+unix://NOTUSED@/?tls-psk-file=keys.psk&socket=%s&tls-username=alice", str' \
+ -DSKIP_GET_URI=1 \
+ $(NULL)
+connect_uri_nbds_unix_psk_tls_username_LDADD = \
+ $(top_builddir)/lib/libnbd.la \
+ $(NULL)
+
endif HAVE_PSKTOOL
endif HAVE_GNUTLS
--
2.47.1


@ -1,91 +0,0 @@
From 2bd353ef0e124c11b79eb3ed15eff5c8a9738086 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Sun, 24 Aug 2025 16:27:50 +0100
Subject: [PATCH] docs: Document which NBD URI features are non-standard
Also which version of libnbd implemented each feature (unless the
feature has basically been around since the beginning).
---
generator/API.ml | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/generator/API.ml b/generator/API.ml
index c434e3e6..3ebc1912 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -1992,6 +1992,16 @@ to an NBD server listening on port 10809.
=back
+=head2 NBD URI standard
+
+L<https://github.com/NetworkBlockDevice/nbd/blob/master/doc/uri.md>
+documents the NBD URI standard.
+
+In the documentation below, I<Non-standard> indicates features
+supported in libnbd which are not a part of the NBD URI standard,
+meaning that other NBD URI parsers might not support them or might
+implement things differently.
+
=head2 URI scheme
The scheme is the part before the first C<:>. The following schemes
@@ -2019,6 +2029,8 @@ respectively. The C<socket> parameter is required.
=item C<nbds+vsock:>
+I<Non-standard>
+
Connect over the C<AF_VSOCK> transport, without or with
TLS respectively. You can use L<nbd_supports_vsock(3)> to
see if this build of libnbd supports C<AF_VSOCK>.
@@ -2027,7 +2039,7 @@ see if this build of libnbd supports C<AF_VSOCK>.
=item C<nbds+ssh:>
-I<Experimental>
+I<Non-standard, libnbd E<ge> 1.22>
Tunnel NBD over a Secure Shell connection. This requires
that L<ssh(1)> is installed locally, and that L<nc(1)> (from the
@@ -2069,6 +2081,8 @@ Finally the query part of the URI can contain:
=item B<nbd-port=>C<PORT>
+I<Non-standard, libnbd E<ge> 1.24>
+
Override the port number from the authority part of the URI.
For SSH transport, this specifies the port used to connect to
@@ -2083,20 +2097,28 @@ for C<+ssh>, and must not be present for the other transports.
=item B<tls-certificates=>F<DIR>
+I<Non-standard, libnbd E<ge> 1.10>
+
Set the certificates directory. See L<nbd_set_tls_certificates(3)>.
Note this is not allowed by default - see next section.
=item B<tls-psk-file=>F<PSKFILE>
+I<Non-standard>
+
Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
this is not allowed by default - see next section.
=item B<tls-hostname=>C<SERVER>
+I<libnbd E<ge> 1.22>
+
Set the TLS hostname. See L<nbd_set_tls_hostname(3)>.
=item B<tls-username=>C<USER>
+I<Non-standard, libnbd E<ge> 1.24>
+
Override the username from the authority part of the URI.
For SSH transport, this specifies the TLS username for connecting to
--
2.47.1


@ -1,64 +0,0 @@
From a518da9fdc54e3652f67d92d266106017145c62b Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Sun, 24 Aug 2025 18:54:47 +0100
Subject: [PATCH] docs: Minor copyediting to export name documentation
---
generator/API.ml | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/generator/API.ml b/generator/API.ml
index 3ebc1912..3ab3aacb 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -478,15 +478,19 @@ handle with this information.";
permitted_states = [ Created; Negotiating ];
shortdesc = "set the export name";
longdesc = "\
-For servers which require an export name or can serve different
-content on different exports, set the C<export_name> to
-connect to. The default is the empty string C<\"\">.
+Some NBD servers can serve multiple disk images (\"exports\").
+The export is picked by the client, by requesting an export name
+during the negotiation phase. The default export is the
+empty string C<\"\">.
+Some NBD servers ignore this and serve the same content regardless.
This is only relevant when connecting to servers using the
newstyle protocol as the oldstyle protocol did not support
-export names. The NBD protocol limits export names to
-4096 bytes, but servers may not support the full length.
-The encoding of export names is always UTF-8.
+export names.
+
+The NBD protocol limits export names to 4096 bytes, but servers
+may not support the full length. The encoding of export names
+is always UTF-8.
When option mode is not in use, the export name must be set
before beginning a connection. However, when L<nbd_set_opt_mode(3)>
@@ -498,7 +502,9 @@ be used to learn details about an export before connecting.
This call may be skipped if using L<nbd_connect_uri(3)> to connect
to a URI that includes an export name.";
- see_also = [Link "get_export_name"; Link "connect_uri";
+ see_also = [Link "get_export_name";
+ Link "get_canonical_export_name";
+ Link "connect_uri";
Link "set_opt_mode"; Link "opt_go"; Link "opt_list";
Link "opt_info"];
};
@@ -603,7 +609,9 @@ C<\"\">).
Some servers are unlikely to report a canonical name unless the
client specifically hinted about wanting it, via L<nbd_set_full_info(3)>.";
example = Some "examples/server-flags.c";
- see_also = [Link "set_full_info"; Link "get_export_name";
+ see_also = [Link "set_full_info";
+ Link "set_export_name";
+ Link "get_export_name";
Link "opt_info"];
};
--
2.47.1


@ -20,7 +20,7 @@
%global source_directory 1.23-development
Name: libnbd
Version: 1.23.7
Version: 1.23.12
Release: 1%{?dist}
Summary: NBD client library in userspace
@ -41,10 +41,7 @@ Source3: copy-patches.sh
# https://gitlab.com/nbdkit/libnbd/-/commits/rhel-10.2/
# Patches.
Patch0001: 0001-lib-uri.c-Replace-nbd-user-with-tls-username.patch
Patch0002: 0002-tests-Add-a-test-of-tls-username-in-NBD-URIs.patch
Patch0003: 0003-docs-Document-which-NBD-URI-features-are-non-standar.patch
Patch0004: 0004-docs-Minor-copyediting-to-export-name-documentation.patch
#(nothing)
%if 0%{verify_tarball_signature}
BuildRequires: gnupg2
@ -84,7 +81,7 @@ BuildRequires: glib2-devel
# For bash-completion.
BuildRequires: bash-completion
%if !0%{?rhel}
%if 0%{?fedora} || 0%{?rhel} >= 11
BuildRequires: bash-completion-devel
%endif
@ -360,8 +357,12 @@ make %{?_smp_mflags} check || {
%{python3_sitearch}/nbd.py
%{python3_sitearch}/nbdsh.py
%{python3_sitearch}/__pycache__/nbd*.py*
%{_bindir}/nbddiscard
%{_bindir}/nbdsh
%{_bindir}/nbdzero
%{_mandir}/man1/nbddiscard.1*
%{_mandir}/man1/nbdsh.1*
%{_mandir}/man1/nbdzero.1*
%{_mandir}/man3/libnbd-python.3*
@ -378,9 +379,10 @@ make %{?_smp_mflags} check || {
%files bash-completion
%if !0%{?rhel}
%if 0%{?fedora} || 0%{?rhel} >= 11
%dir %{bash_completions_dir}
%{bash_completions_dir}/nbdcopy
%{bash_completions_dir}/nbddiscard
%{bash_completions_dir}/nbddump
%{bash_completions_dir}/nbdfuse
%{bash_completions_dir}/nbdinfo
@ -388,9 +390,11 @@ make %{?_smp_mflags} check || {
%if 0%{?have_ublk}
%{bash_completions_dir}/nbdublk
%endif
%{bash_completions_dir}/nbdzero
%else
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/nbdcopy
%{_datadir}/bash-completion/completions/nbddiscard
%{_datadir}/bash-completion/completions/nbddump
%{_datadir}/bash-completion/completions/nbdfuse
%{_datadir}/bash-completion/completions/nbdinfo
@ -398,13 +402,17 @@ make %{?_smp_mflags} check || {
%if 0%{?have_ublk}
%{_datadir}/bash-completion/completions/nbdublk
%endif
%{_datadir}/bash-completion/completions/nbdzero
%endif
%changelog
* Fri Aug 29 2025 Richard W.M. Jones <rjones@redhat.com> - 1.23.7-1
- Rebase to libnbd 1.23.7
resolves: RHEL-111243
* Tue Nov 18 2025 Richard W.M. Jones <rjones@redhat.com> - 1.23.11-1
- Rebase to libnbd 1.23.11
resolves: RHEL-111243
- Synch spec file with Fedora
- Fix unsanitized hostnames in nbd+ssh URIs allow remote execution
resolves: RHEL-129296
* Wed Jul 16 2025 Richard W.M. Jones <rjones@redhat.com> - 1.22.2-2
- Rebase to libnbd 1.22.2
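Review bot: The new %changelog entry is stamped `1.23.11-1` and reads "Rebase to libnbd 1.23.11", but the `Version:` tag in this same file is set to `1.23.12`, and the sources list names `libnbd-1.23.12.tar.gz`. Anyone checking whether an installed build carries the RHEL-129296 fix for unsanitized hostnames in nbd+ssh URIs will read the changelog, so the header should match the package: `* Tue Nov 18 2025 Richard W.M. Jones <rjones@redhat.com> - 1.23.12-1` and `- Rebase to libnbd 1.23.12`. The fix appears to arrive with the rebase rather than as a downstream patch (the patch list is now `#(nothing)`), so the entry could also name the upstream change, for example `(upstream commit <UPSTREAM-COMMIT-ID>)`, to make the fix traceable. The earlier `1.23.7-1` entry appears to be replaced rather than kept; if that version was ever built, its entry should stay in the history.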

View File

@ -1,2 +1,2 @@
SHA512 (libnbd-1.23.7.tar.gz) = a09a3e273829f17f5ba4b7f723afe31704ecd415f08056b308afd064358816548248cf943060acbe308ad581d4a8d236668606907bfc27f49021238a75897fc6
SHA512 (libnbd-1.23.7.tar.gz.sig) = 67025852dfcea27a6c91c1fdec8245488699d85db25cdeedb339148d1cb3ae3f9102abd54513cc334345beb7b96180b4be80ec6b9aad628a6f4b14d458b62e03
SHA512 (libnbd-1.23.12.tar.gz) = 88dce0f8541af6c08022e63dc3b462c0e06200d748bc46d202c4b9ba1b0c1f4e83a51cc18aaa86ac6fd92647b19c00c60a2795fecfcc3255a9b9b89e3cc2f6b5
SHA512 (libnbd-1.23.12.tar.gz.sig) = 638d1c8fdfec9b5a3f2e4b44a529d81317b9baace6949166669c947d1f54002591ee0a07edd1d024d4c0ab5b6b15b0271aa642f375ab6f55d23d8771f04d4fcb