diff --git a/0001-lib-uri.c-Replace-nbd-user-with-tls-username.patch b/0001-lib-uri.c-Replace-nbd-user-with-tls-username.patch deleted file mode 100644 index 807da84..0000000 --- a/0001-lib-uri.c-Replace-nbd-user-with-tls-username.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 1f2ba448ffd703d3e19016fdc52bc181fb902346 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Sun, 24 Aug 2025 13:58:33 +0100 -Subject: [PATCH] lib/uri.c: Replace nbd-user with tls-username - -Commit f9df1ba621 added a new nbd-user parameter which let you -override the TLS username. It was misnamed, and should have been -called tls-username, both to reflect its actual use and to fit in with -the other tls-* parameters, so let's rename it. - -Renaming it also allows simplifying the loop which checks for other -query parameters. - -Updates: commit f9df1ba621cffc3ef74fdb27650c9258b0abd3fc ---- - generator/API.ml | 16 ++++++++-------- - lib/uri.c | 25 ++++++++++++------------- - 2 files changed, 20 insertions(+), 21 deletions(-) - -diff --git a/generator/API.ml b/generator/API.ml -index ab135004..c434e3e6 100644 ---- a/generator/API.ml -+++ b/generator/API.ml -@@ -2075,14 +2075,6 @@ For SSH transport, this specifies the port used to connect to - the NBD server, but the port in the authority field is used for - the SSH connection. - --=item BC -- --Override the username from the authority part of the URI. -- --For SSH transport, this specifies the user for connecting to --the NBD server, but the user in the authority field is used --for the SSH connection. -- - =item BF - - Specifies the Unix domain socket to connect on. -@@ -2103,6 +2095,14 @@ this is not allowed by default - see next section. - - Set the TLS hostname. See L. - -+=item BC -+ -+Override the username from the authority part of the URI. -+ -+For SSH transport, this specifies the TLS username for connecting to -+the NBD server, but the user in the authority field is used -+for the SSH connection. -+ - =item B - - Do not verify the server certificate. See L. 
-diff --git a/lib/uri.c b/lib/uri.c -index e110bc34..45ba531c 100644 ---- a/lib/uri.c -+++ b/lib/uri.c -@@ -350,7 +350,7 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) - uri_query_list queries = empty_vector; - int i, r; - int ret = -1; -- const char *nbd_user = NULL, *nbd_port = NULL; -+ const char *nbd_port = NULL; - const char *tls_username = NULL; - const char *unixsocket = NULL; - -@@ -489,9 +489,12 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) - if (tls && nbd_unlocked_set_tls (h, LIBNBD_TLS_REQUIRE) == -1) - goto cleanup; - -- /* Look for some tls-* parameters. */ -+ /* Look for some other query parameters. */ - for (i = 0; i < queries.len; i++) { -- if (strcasecmp (queries.ptr[i].name, "tls-certificates") == 0) { -+ if (strcasecmp (queries.ptr[i].name, "nbd-port") == 0) { -+ nbd_port = queries.ptr[i].value; -+ } -+ else if (strcasecmp (queries.ptr[i].name, "tls-certificates") == 0) { - if (! h->uri_allow_local_file) { - set_error (EPERM, - "local file access (tls-certificates) is not allowed, " -@@ -515,6 +518,9 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) - if (nbd_unlocked_set_tls_hostname (h, queries.ptr[i].value) == -1) - goto cleanup; - } -+ else if (strcasecmp (queries.ptr[i].name, "tls-username") == 0) { -+ tls_username = queries.ptr[i].value; /* set below */ -+ } - else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) { - int v = parse_bool ("tls-verify-peer", queries.ptr[i].value); - if (v == -1) -@@ -524,16 +530,9 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) - } - } - -- /* NBD user and port overrides.. */ -- for (i = 0; i < queries.len; i++) { -- if (strcasecmp (queries.ptr[i].name, "nbd-user") == 0) -- nbd_user = queries.ptr[i].value; -- else if (strcasecmp (queries.ptr[i].name, "nbd-port") == 0) -- nbd_port = queries.ptr[i].value; -- } -- -- /* Set the TLS username. Always prefer nbd-user. 
*/ -- tls_username = nbd_user ? : (uri->user ? : NULL); -+ /* Set the TLS username. Always prefer tls-username parameter. */ -+ if (!tls_username) -+ tls_username = uri->user; - if (tls_username && nbd_unlocked_set_tls_username (h, tls_username) == -1) - goto cleanup; - --- -2.47.1 - diff --git a/0002-tests-Add-a-test-of-tls-username-in-NBD-URIs.patch b/0002-tests-Add-a-test-of-tls-username-in-NBD-URIs.patch deleted file mode 100644 index 87d5b58..0000000 --- a/0002-tests-Add-a-test-of-tls-username-in-NBD-URIs.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 2a5c694f7370773cb51e0d344ea8da91cbe8518e Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Sun, 24 Aug 2025 16:32:18 +0100 -Subject: [PATCH] tests: Add a test of tls-username in NBD URIs - -This (or the previously added nbd-user) was not tested. ---- - .gitignore | 1 + - tests/Makefile.am | 18 ++++++++++++++++++ - 2 files changed, 19 insertions(+) - -diff --git a/.gitignore b/.gitignore -index bbe3967f..a373fc29 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -230,6 +230,7 @@ Makefile.in - /tests/connect-uri-nbds-unix-tls-hostname - /tests/connect-uri-nbds-unix-tls-verify-peer-false - /tests/connect-uri-nbds-unix-psk -+/tests/connect-uri-nbds-unix-psk-tls-username - /tests/debug - /tests/debug-environment - /tests/dlopen -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 8aca4c7d..e3b74a1d 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -904,10 +904,12 @@ if HAVE_PSKTOOL - check_PROGRAMS += \ - connect-uri-nbds-psk \ - connect-uri-nbds-unix-psk \ -+ connect-uri-nbds-unix-psk-tls-username \ - $(NULL) - TESTS += \ - connect-uri-nbds-psk \ - connect-uri-nbds-unix-psk \ -+ connect-uri-nbds-unix-psk-tls-username \ - $(NULL) - - connect_uri_nbds_psk_SOURCES = \ -@@ -936,6 +938,22 @@ connect_uri_nbds_unix_psk_CPPFLAGS = \ - $(NULL) - connect_uri_nbds_unix_psk_LDADD = $(top_builddir)/lib/libnbd.la - -+connect_uri_nbds_unix_psk_tls_username_SOURCES = \ -+ connect-uri.c \ -+ requires.c requires.h pick-a-port.c pick-a-port.h \ -+ $(NULL) -+connect_uri_nbds_unix_psk_tls_username_CPPFLAGS = \ -+ $(AM_CPPFLAGS) \ -+ -DDEFINE_STR_AS_UNIX_SOCKET=1 \ -+ -DSERVER_PARAMS='"-U", str, "--tls=require", "--tls-verify-peer", "--tls-psk=keys.psk"' \ -+ -DREQUIRES="requires_nbdkit_tls_verify_peer ();" \ -+ -DURI='"nbds+unix://NOTUSED@/?tls-psk-file=keys.psk&socket=%s&tls-username=alice", str' \ -+ -DSKIP_GET_URI=1 \ -+ $(NULL) -+connect_uri_nbds_unix_psk_tls_username_LDADD = \ -+ $(top_builddir)/lib/libnbd.la \ -+ $(NULL) -+ - endif 
HAVE_PSKTOOL - - endif HAVE_GNUTLS --- -2.47.1 - diff --git a/0003-docs-Document-which-NBD-URI-features-are-non-standar.patch b/0003-docs-Document-which-NBD-URI-features-are-non-standar.patch deleted file mode 100644 index ac9d812..0000000 --- a/0003-docs-Document-which-NBD-URI-features-are-non-standar.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 2bd353ef0e124c11b79eb3ed15eff5c8a9738086 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Sun, 24 Aug 2025 16:27:50 +0100 -Subject: [PATCH] docs: Document which NBD URI features are non-standard - -Also which version of libnbd implemented each feature (unless the -feature has basically been around since the beginning). ---- - generator/API.ml | 24 +++++++++++++++++++++++- - 1 file changed, 23 insertions(+), 1 deletion(-) - -diff --git a/generator/API.ml b/generator/API.ml -index c434e3e6..3ebc1912 100644 ---- a/generator/API.ml -+++ b/generator/API.ml -@@ -1992,6 +1992,16 @@ to an NBD server listening on port 10809. - - =back - -+=head2 NBD URI standard -+ -+L -+documents the NBD URI standard. -+ -+In the documentation below, I indicates features -+supported in libnbd which are not a part of the NBD URI standard, -+meaning that other NBD URI parsers might not support them or might -+implement things differently. -+ - =head2 URI scheme - - The scheme is the part before the first C<:>. The following schemes -@@ -2019,6 +2029,8 @@ respectively. The C parameter is required. - - =item C - -+I -+ - Connect over the C transport, without or with - TLS respectively. You can use L to - see if this build of libnbd supports C. -@@ -2027,7 +2039,7 @@ see if this build of libnbd supports C. - - =item C - --I -+I 1.22> - - Tunnel NBD over a Secure Shell connection. This requires - that L is installed locally, and that L (from the -@@ -2069,6 +2081,8 @@ Finally the query part of the URI can contain: - - =item BC - -+I 1.24> -+ - Override the port number from the authority part of the URI. - - For SSH transport, this specifies the port used to connect to -@@ -2083,20 +2097,28 @@ for C<+ssh>, and must not be present for the other transports. - - =item BF - -+I 1.10> -+ - Set the certificates directory. See L. - Note this is not allowed by default - see next section. - - =item BF - -+I -+ - Set the PSK file. See L. 
Note - this is not allowed by default - see next section. - - =item BC - -+I 1.22> -+ - Set the TLS hostname. See L. - - =item BC - -+I 1.24> -+ - Override the username from the authority part of the URI. - - For SSH transport, this specifies the TLS username for connecting to --- -2.47.1 - diff --git a/0004-docs-Minor-copyediting-to-export-name-documentation.patch b/0004-docs-Minor-copyediting-to-export-name-documentation.patch deleted file mode 100644 index 43b37fd..0000000 --- a/0004-docs-Minor-copyediting-to-export-name-documentation.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From a518da9fdc54e3652f67d92d266106017145c62b Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Sun, 24 Aug 2025 18:54:47 +0100 -Subject: [PATCH] docs: Minor copyediting to export name documentation - ---- - generator/API.ml | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/generator/API.ml b/generator/API.ml -index 3ebc1912..3ab3aacb 100644 ---- a/generator/API.ml -+++ b/generator/API.ml -@@ -478,15 +478,19 @@ handle with this information."; - permitted_states = [ Created; Negotiating ]; - shortdesc = "set the export name"; - longdesc = "\ --For servers which require an export name or can serve different --content on different exports, set the C to --connect to. The default is the empty string C<\"\">. -+Some NBD servers can serve multiple disk images (\"exports\"). -+The export is picked by the client, by requesting an export name -+during the negotiation phase. The default export is the -+empty string C<\"\">. - -+Some NBD servers ignore this and serve the same content regardless. - This is only relevant when connecting to servers using the - newstyle protocol as the oldstyle protocol did not support --export names. The NBD protocol limits export names to --4096 bytes, but servers may not support the full length. --The encoding of export names is always UTF-8. -+export names. -+ -+The NBD protocol limits export names to 4096 bytes, but servers -+may not support the full length. The encoding of export names -+is always UTF-8. - - When option mode is not in use, the export name must be set - before beginning a connection. However, when L -@@ -498,7 +502,9 @@ be used to learn details about an export before connecting. 
- - This call may be skipped if using L to connect - to a URI that includes an export name."; -- see_also = [Link "get_export_name"; Link "connect_uri"; -+ see_also = [Link "get_export_name"; -+ Link "get_canonical_export_name"; -+ Link "connect_uri"; - Link "set_opt_mode"; Link "opt_go"; Link "opt_list"; - Link "opt_info"]; - }; -@@ -603,7 +609,9 @@ C<\"\">). - Some servers are unlikely to report a canonical name unless the - client specifically hinted about wanting it, via L."; - example = Some "examples/server-flags.c"; -- see_also = [Link "set_full_info"; Link "get_export_name"; -+ see_also = [Link "set_full_info"; -+ Link "set_export_name"; -+ Link "get_export_name"; - Link "opt_info"]; - }; - --- -2.47.1 - diff --git a/libnbd.spec b/libnbd.spec index f160ac5..2c83658 100644 --- a/libnbd.spec +++ b/libnbd.spec @@ -20,7 +20,7 @@ %global source_directory 1.23-development Name: libnbd -Version: 1.23.7 +Version: 1.23.12 Release: 1%{?dist} Summary: NBD client library in userspace @@ -41,10 +41,7 @@ Source3: copy-patches.sh # https://gitlab.com/nbdkit/libnbd/-/commits/rhel-10.2/ # Patches. -Patch0001: 0001-lib-uri.c-Replace-nbd-user-with-tls-username.patch -Patch0002: 0002-tests-Add-a-test-of-tls-username-in-NBD-URIs.patch -Patch0003: 0003-docs-Document-which-NBD-URI-features-are-non-standar.patch -Patch0004: 0004-docs-Minor-copyediting-to-export-name-documentation.patch +#(nothing) %if 0%{verify_tarball_signature} BuildRequires: gnupg2 @@ -84,7 +81,7 @@ BuildRequires: glib2-devel # For bash-completion. BuildRequires: bash-completion -%if !0%{?rhel} +%if 0%{?fedora} || 0%{?rhel} >= 11 BuildRequires: bash-completion-devel %endif @@ -360,8 +357,12 @@ make %{?_smp_mflags} check || { %{python3_sitearch}/nbd.py %{python3_sitearch}/nbdsh.py %{python3_sitearch}/__pycache__/nbd*.py* +%{_bindir}/nbddiscard %{_bindir}/nbdsh +%{_bindir}/nbdzero +%{_mandir}/man1/nbddiscard.1* %{_mandir}/man1/nbdsh.1* +%{_mandir}/man1/nbdzero.1* %{_mandir}/man3/libnbd-python.3* 
@@ -378,9 +379,10 @@ make %{?_smp_mflags} check || { %files bash-completion -%if !0%{?rhel} +%if 0%{?fedora} || 0%{?rhel} >= 11 %dir %{bash_completions_dir} %{bash_completions_dir}/nbdcopy +%{bash_completions_dir}/nbddiscard %{bash_completions_dir}/nbddump %{bash_completions_dir}/nbdfuse %{bash_completions_dir}/nbdinfo @@ -388,9 +390,11 @@ make %{?_smp_mflags} check || { %if 0%{?have_ublk} %{bash_completions_dir}/nbdublk %endif +%{bash_completions_dir}/nbdzero %else %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/nbdcopy +%{_datadir}/bash-completion/completions/nbddiscard %{_datadir}/bash-completion/completions/nbddump %{_datadir}/bash-completion/completions/nbdfuse %{_datadir}/bash-completion/completions/nbdinfo @@ -398,13 +402,17 @@ make %{?_smp_mflags} check || { %if 0%{?have_ublk} %{_datadir}/bash-completion/completions/nbdublk %endif +%{_datadir}/bash-completion/completions/nbdzero %endif %changelog -* Fri Aug 29 2025 Richard W.M. Jones - 1.23.7-1 -- Rebase to libnbd 1.23.7 - resolves: RHEL-111243 +* Tue Nov 18 2025 Richard W.M. Jones - 1.23.11-1 +- Rebase to libnbd 1.23.11 + resolves: RHEL-111243 +- Synch spec file with Fedora +- Fix unsanitized hostnames in nbd+ssh URIs allow remote execution + resolves: RHEL-129296 * Wed Jul 16 2025 Richard W.M. Jones - 1.22.2-2 - Rebase to libnbd 1.22.2 diff --git a/sources b/sources index f40889c..3d6436e 100644 --- a/sources +++ b/sources 
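Review bot: The new %changelog entry in the last libnbd.spec hunk is headed `1.23.11-1` and says `- Rebase to libnbd 1.23.11`, but the first hunk sets `Version: 1.23.12` and the sources hunk pins `libnbd-1.23.12.tar.gz`. The same entry records the fix for unsanitized hostnames in nbd+ssh URIs (RHEL-129296), so its version is what administrators and advisory tooling will read to decide whether an installed build contains that fix. Unless the mismatch is intentional, the entry should carry `1.23.12-1` in its header and `- Rebase to libnbd 1.23.12` in its first item. No CVE identifier is visible on this page; if one has been assigned for the hostname issue, naming it next to RHEL-129296 would make the fix easier to trace.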
@@ -1,2 +1,2 @@
-SHA512 (libnbd-1.23.7.tar.gz) = a09a3e273829f17f5ba4b7f723afe31704ecd415f08056b308afd064358816548248cf943060acbe308ad581d4a8d236668606907bfc27f49021238a75897fc6
-SHA512 (libnbd-1.23.7.tar.gz.sig) = 67025852dfcea27a6c91c1fdec8245488699d85db25cdeedb339148d1cb3ae3f9102abd54513cc334345beb7b96180b4be80ec6b9aad628a6f4b14d458b62e03
+SHA512 (libnbd-1.23.12.tar.gz) = 88dce0f8541af6c08022e63dc3b462c0e06200d748bc46d202c4b9ba1b0c1f4e83a51cc18aaa86ac6fd92647b19c00c60a2795fecfcc3255a9b9b89e3cc2f6b5
+SHA512 (libnbd-1.23.12.tar.gz.sig) = 638d1c8fdfec9b5a3f2e4b44a529d81317b9baace6949166669c947d1f54002591ee0a07edd1d024d4c0ab5b6b15b0271aa642f375ab6f55d23d8771f04d4fcb