From 774c090ddc144485b47a9bed51c8f0828484841f Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 15 May 2024 07:41:11 +0000 Subject: [PATCH] Import from AlmaLinux stable repository --- .gitignore | 2 +- .libnbd.metadata | 2 +- ...sertion-in-ext-mode-BLOCK_STATUS-CVE.patch | 88 ++++++++ ...ct-xref-in-libnbd-release-notes-for-.patch | 34 +++ ...vior-of-nbd_set_strict_mode-STRICT_A.patch | 206 ++++++++++++++++++ SOURCES/copy-patches.sh | 2 +- SOURCES/libnbd-1.14.2.tar.gz.sig | 17 -- SOURCES/libnbd-1.18.1.tar.gz.sig | 17 ++ SPECS/libnbd.spec | 109 +++++++-- 9 files changed, 438 insertions(+), 39 deletions(-) create mode 100644 SOURCES/0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch create mode 100644 SOURCES/0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch create mode 100644 SOURCES/0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch delete mode 100644 SOURCES/libnbd-1.14.2.tar.gz.sig create mode 100644 SOURCES/libnbd-1.18.1.tar.gz.sig diff --git a/.gitignore b/.gitignore index 52055a7..807b2b8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/libguestfs.keyring -SOURCES/libnbd-1.14.2.tar.gz +SOURCES/libnbd-1.18.1.tar.gz diff --git a/.libnbd.metadata b/.libnbd.metadata index ffd5b90..b6a02f4 100644 --- a/.libnbd.metadata +++ b/.libnbd.metadata @@ -1,2 +1,2 @@ cc1b37b9cfafa515aab3eefd345ecc59aac2ce7b SOURCES/libguestfs.keyring -6bc66366a216117c3c451dc7764c790435749b80 SOURCES/libnbd-1.14.2.tar.gz +4f99e6f21edffe62b394aa9c7fb68149e6d4d5e4 SOURCES/libnbd-1.18.1.tar.gz diff --git a/SOURCES/0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch b/SOURCES/0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch new file mode 100644 index 0000000..d660188 --- /dev/null +++ b/SOURCES/0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch @@ -0,0 +1,88 @@ +From 4451e5b61ca07771ceef3e012223779e7a0c7701 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Mon, 30 Oct 2023 12:50:53 -0500 +Subject: [PATCH] generator: Fix assertion in ext-mode BLOCK_STATUS, + CVE-2023-5871 + +Another round of fuzz testing revealed that when a server negotiates +extended headers and replies with a 64-bit flag value where the client +used the 32-bit API command, we were correctly flagging the server's +response as being an EOVERFLOW condition, but then immediately failing +in an assertion failure instead of reporting it to the application. + +The following one-byte change to qemu.git at commit fd9a38fd43 allows +the creation of an intentionally malicious server: + +| diff --git i/nbd/server.c w/nbd/server.c +| index 859c163d19f..32e1e771a95 100644 +| --- i/nbd/server.c +| +++ w/nbd/server.c +| @@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea) +| +| for (i = 0; i < ea->count; i++) { +| ea->extents[i].length = cpu_to_be64(ea->extents[i].length); +| - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags); +| + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags); +| } +| } + +and can then be detected with the following command line: + +$ nbdsh -c - <<\EOF +> def f(a,b,c,d): +> pass +> +> h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd", +> "-r", "-f", "raw", "TODO"]) +> h.block_staus(h.get_size(), 0, f) +> EOF +nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed. +Aborted (core dumped) + +whereas a fixed libnbd will give: + +nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type + +We can either relax the assertion (by changing to 'assert ((len | +flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags +to make the existing assertion reliable. This patch goes with the +latter approach. + +Sadly, this crash is possible in all existing 1.18.x stable releases, +if they were built with assertions enabled (most distros do this by +default), meaning a malicious server has an easy way to cause a Denial +of Service attack by triggering the assertion failure in vulnerable +clients, so we have assigned this CVE-2023-5871. Mitigating factors: +the crash only happens for a server that sends a 64-bit status block +reply (no known production servers do so; qemu 8.2 will be the first +known server to support extended headers, but it is not yet released); +and as usual, a client can use TLS to guarantee it is connecting only +to a known-safe server. If libnbd is compiled without assertions, +there is no crash or other mistaken behavior; and when assertions are +enabled, the attacker cannot accomplish anything more than a denial of +service. + +Reported-by: Richard W.M. Jones +Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4) +Signed-off-by: Eric Blake +(cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6) +Signed-off-by: Eric Blake +--- + generator/states-reply-chunk.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/generator/states-reply-chunk.c b/generator/states-reply-chunk.c +index 5a31c19..8ab7e8b 100644 +--- a/generator/states-reply-chunk.c ++++ b/generator/states-reply-chunk.c +@@ -600,6 +600,7 @@ STATE_MACHINE { + break; /* Skip this and later extents; we already made progress */ + /* Expose this extent as an error; we made no progress */ + cmd->error = cmd->error ? : EOVERFLOW; ++ flags = (uint32_t)flags; + } + } + +-- +2.39.3 + diff --git a/SOURCES/0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch b/SOURCES/0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch new file mode 100644 index 0000000..37101da --- /dev/null +++ b/SOURCES/0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch @@ -0,0 +1,34 @@ +From c39e31b7a20c7dc8aa12c5fa3f1742824e1e0c76 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 9 Nov 2023 09:40:30 +0000 +Subject: [libnbd PATCH] docs: Fix incorrect xref in libnbd-release-notes for + 1.18 +Content-type: text/plain + +LIBNBD_STRICT_AUTO_FLAG was added to nbd_set_strict_mode(3). + +Reported-by: Vera Wu +(cherry picked from commit 4fef3dbc07e631fce58487d25d991e83bbb424b1) +Signed-off-by: Eric Blake +--- + docs/libnbd-release-notes-1.18.pod | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/docs/libnbd-release-notes-1.18.pod b/docs/libnbd-release-notes-1.18.pod +index 935fab11..836ebe19 100644 +--- a/docs/libnbd-release-notes-1.18.pod ++++ b/docs/libnbd-release-notes-1.18.pod +@@ -84,8 +84,8 @@ Golang, OCaml and Python language bindings (Eric Blake). + + L now works correctly when in opt mode (Eric Blake). + +-L adds C which allows the +-client to test how servers behave when the payload length flag is ++L adds C which allows ++the client to test how servers behave when the payload length flag is + adjusted (Eric Blake). + + =head2 Protocol +-- +2.41.0 + diff --git a/SOURCES/0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch b/SOURCES/0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch new file mode 100644 index 0000000..9208a2f --- /dev/null +++ b/SOURCES/0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch @@ -0,0 +1,206 @@ +From 32cb9ab9f1701b1a1a826b48f2083cb75adf1e87 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Thu, 9 Nov 2023 20:11:08 -0600 +Subject: [libnbd PATCH] tests: Check behavior of + nbd_set_strict_mode(STRICT_AUTO_FLAG) +Content-type: text/plain + +While developing extended header support for qemu 8.2, I needed a way +to make libnbd quickly behave as a non-compliant client to test corner +cases in qemu's server code; so I wrote commit 5c1dae9236 ("api: Add +LIBNBD_STRICT_AUTO_FLAG to nbd_set_strict", v1.18.0) to meet my needs. +However, I failed to codify my manual tests of that bit into a unit +test for libnbd, until now. Most sane clients will never call +nbd_set_strict_mode() in the first place (after all, it is explicitly +documented as an integration tool, which is how I used it with my qemu +code development), but it never hurts to make sure we don't break it +even for the relatively small set of users that would ever use it. + +The test added here runs in two parts; if you get a SKIP despite +having qemu-nbd, then the first part ran successfully before the +second half gave up due to lack of extended headers in qemu +(presumably qemu 8.1 or older); if you get a PASS, then both parts +were run. However, both parts are inherently fragile, depending on +behavior known to be in qemu 8.2 - while it is unlikely to change in +future qemu releases (at least as long as I continue to maintain NBD +code there), the fact that we are intentionally violating the NBD +protocol means a different server is within its rights to behave +differently than qemu 8.2 did. Hence this test lives in interop/ +rather than tests/ because of its strong ties to a particular qemu. + +Signed-off-by: Eric Blake +(cherry picked from commit 54d4426394c372413f55f648d4ad1d21b3395e07) +Signed-off-by: Eric Blake +--- + interop/Makefile.am | 2 + + interop/strict-mode-auto-flag.sh | 138 +++++++++++++++++++++++++++++++ + 2 files changed, 140 insertions(+) + create mode 100755 interop/strict-mode-auto-flag.sh + +diff --git a/interop/Makefile.am b/interop/Makefile.am +index d6485adf..ac12d84a 100644 +--- a/interop/Makefile.am ++++ b/interop/Makefile.am +@@ -28,6 +28,7 @@ EXTRA_DIST = \ + structured-read.sh \ + opt-extended-headers.sh \ + block-status-payload.sh \ ++ strict-mode-auto-flag.sh \ + $(NULL) + + TESTS_ENVIRONMENT = \ +@@ -153,6 +154,7 @@ TESTS += \ + interop-qemu-block-size.sh \ + opt-extended-headers.sh \ + block-status-payload.sh \ ++ strict-mode-auto-flag.sh \ + $(NULL) + + interop_qemu_nbd_SOURCES = \ +diff --git a/interop/strict-mode-auto-flag.sh b/interop/strict-mode-auto-flag.sh +new file mode 100755 +index 00000000..8f73ea73 +--- /dev/null ++++ b/interop/strict-mode-auto-flag.sh +@@ -0,0 +1,138 @@ ++#!/usr/bin/env bash ++# nbd client library in userspace ++# Copyright Red Hat ++# ++# This library is free software; you can redistribute it and/or ++# modify it under the terms of the GNU Lesser General Public ++# License as published by the Free Software Foundation; either ++# version 2 of the License, or (at your option) any later version. ++# ++# This library is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# Lesser General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public ++# License along with this library; if not, write to the Free Software ++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ ++# Test effect of AUTO_FLAG bit in set_strict_mode() ++ ++source ../tests/functions.sh ++set -e ++set -x ++ ++requires truncate --version ++requires qemu-nbd --version ++requires nbdsh --version ++ ++file="strict-mode-auto-flag.file" ++rm -f $file ++cleanup_fn rm -f $file ++ ++truncate -s 1M $file ++ ++# Unconditional part of test: behavior when extended headers are not in use ++$VG nbdsh -c ' ++import errno ++ ++h.set_request_extended_headers(False) ++args = ["qemu-nbd", "-f", "raw", "'"$file"'"] ++h.connect_systemd_socket_activation(args) ++assert h.get_extended_headers_negotiated() is False ++ ++# STRICT_AUTO_FLAG and STRICT_COMMANDS are on by default ++flags = h.get_strict_mode() ++assert flags & nbd.STRICT_AUTO_FLAG ++assert flags & nbd.STRICT_COMMANDS ++ ++# Under STRICT_AUTO_FLAG, using or omitting flag does not matter; client ++# side auto-corrects the flag before passing to server ++h.pwrite(b"1"*512, 0, 0) ++h.pwrite(b"2"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN) ++ ++# Without STRICT_AUTO_FLAG but still STRICT_COMMANDS, client side now sees ++# attempts to use the flag as invalid ++flags = flags & ~nbd.STRICT_AUTO_FLAG ++h.set_strict_mode(flags) ++h.pwrite(b"3"*512, 0, 0) ++stats = h.stats_bytes_sent() ++try: ++ h.pwrite(b"4"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN) ++ assert False ++except nbd.Error as e: ++ assert e.errnum == errno.EINVAL ++assert stats == h.stats_bytes_sent() ++ ++# Warning: fragile test ahead. Without STRICT_COMMANDS, we send unexpected ++# flag to qemu, and expect failure. For qemu <= 8.1, this is safe (those ++# versions did not know the flag, and correctly reject unknown flags with ++# NBD_EINVAL). For qemu 8.2, this also works (qemu knows the flag, but warns ++# that we were not supposed to send it without extended headers). But if ++# future qemu versions change to start silently ignoring the flag (after all, ++# a write command obviously has a payload even without extended headers, so ++# the flag is redundant for NBD_CMD_WRITE), then we may need to tweak this. ++flags = flags & ~nbd.STRICT_COMMANDS ++h.set_strict_mode(flags) ++h.pwrite(b"5"*512, 0, 0) ++stats = h.stats_bytes_sent() ++try: ++ h.pwrite(b"6"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN) ++ print("Did newer qemu change behavior?") ++ assert False ++except nbd.Error as e: ++ assert e.errnum == errno.EINVAL ++assert stats < h.stats_bytes_sent() ++ ++h.shutdown() ++' ++ ++# Conditional part of test: only run if qemu supports extended headers ++requires nbdinfo --has extended-headers -- [ qemu-nbd -r -f raw "$file" ] ++$VG nbdsh -c ' ++import errno ++ ++args = ["qemu-nbd", "-f", "raw", "'"$file"'"] ++h.connect_systemd_socket_activation(args) ++assert h.get_extended_headers_negotiated() is True ++ ++# STRICT_AUTO_FLAG and STRICT_COMMANDS are on by default ++flags = h.get_strict_mode() ++assert flags & nbd.STRICT_AUTO_FLAG ++assert flags & nbd.STRICT_COMMANDS ++ ++# Under STRICT_AUTO_FLAG, using or omitting flag does not matter; client ++# side auto-corrects the flag before passing to server ++h.pwrite(b"1"*512, 0, 0) ++h.pwrite(b"2"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN) ++ ++# Without STRICT_AUTO_FLAG but still STRICT_COMMANDS, client side now sees ++# attempts to omit the flag as invalid ++flags = flags & ~nbd.STRICT_AUTO_FLAG ++h.set_strict_mode(flags) ++h.pwrite(b"3"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN) ++stats = h.stats_bytes_sent() ++try: ++ h.pwrite(b"4"*512, 0, 0) ++ assert False ++except nbd.Error as e: ++ assert e.errnum == errno.EINVAL ++assert stats == h.stats_bytes_sent() ++ ++# Warning: fragile test ahead. Without STRICT_COMMANDS, omitting the flag ++# is a protocol violation. qemu 8.2 silently ignores the violation; but a ++# future qemu might start failing the command, at which point we would need ++# to tweak this part of the test. ++flags = flags & ~nbd.STRICT_COMMANDS ++h.set_strict_mode(flags) ++h.pwrite(b"5"*512, 0, nbd.CMD_FLAG_PAYLOAD_LEN) ++stats = h.stats_bytes_sent() ++try: ++ h.pwrite(b"6"*512, 0, 0) ++except nbd.Error: ++ print("Did newer qemu change behavior?") ++ assert False ++assert stats < h.stats_bytes_sent() ++ ++h.shutdown() ++' +-- +2.41.0 + diff --git a/SOURCES/copy-patches.sh b/SOURCES/copy-patches.sh index 8edca8d..991798c 100755 --- a/SOURCES/copy-patches.sh +++ b/SOURCES/copy-patches.sh @@ -6,7 +6,7 @@ set -e # directory. Use it like this: # ./copy-patches.sh -rhel_version=9.2 +rhel_version=9.4 # Check we're in the right directory. if [ ! -f libnbd.spec ]; then diff --git a/SOURCES/libnbd-1.14.2.tar.gz.sig b/SOURCES/libnbd-1.14.2.tar.gz.sig deleted file mode 100644 index 7be2f79..0000000 --- a/SOURCES/libnbd-1.14.2.tar.gz.sig +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmO0NR0RHHJpY2hAYW5u -ZXhpYS5vcmcACgkQkXOPc+G3aKBAzw//ZRKoT32ixiD1aL21Trbv8NTobPFy9We1 -hjdt6CYETBC71aTiaDONhBbXzyX0gv31WmCHWLYrxaE9edS9oaUD4l763ZCuYr9O -6JR3CW8NG9/soh5INESzl7cm0i4WHofhKjMkmoZt+vPlCnBfUuZ+GOQHlzYNc41N -3h2rjuIZZNRD0op6FmgnrY0Y2IYYtzR1kiUh47JQanHwwDHhdaaz4x348LQk/FlI -s0qQv8wYe2kRfLvCgNVaPgywp8dx3cb+JmxcRcmolHLWM171XBkrYl2cJjBnYBAr -5/pYU6wpzun3R53fTxHRBddLkLOOy2mbGDvyc0lsnc2Jh0RWKEThvC9A216KcSyL -vIVwXnH5zq4mbEApK6G+hO34SWOmT5f8sIWm2vfsaQ7QncBO3fmBkge1o9roGmHy -97nOPbx2+070gGz5tvCdCcZ4cq+K4Xh4OjikrBj/O0vmeA6c7+REJulKTxF9Dp4H -e+zswAGo4kN7uGMSET3U8nbuWxs+RZfYGqCX1ivkfRBj8271CEh3rFNrlAxq3M8v -dEUB8d3LIwlKMrc/ZpjL3x9zuM7dR7ZTQkYKJGRIL5GPUO9jwRDLBPCnx5Krjiyk -JyN7Uxd52k09GDcLNKHDa3qLiU7Ye+DFTZqF23DOgXwlEWP/Gbg0Xe6DRVIM2gwM -ateF79dey/4= -=Le0m ------END PGP SIGNATURE----- diff --git a/SOURCES/libnbd-1.18.1.tar.gz.sig b/SOURCES/libnbd-1.18.1.tar.gz.sig new file mode 100644 index 0000000..7bd7214 --- /dev/null +++ b/SOURCES/libnbd-1.18.1.tar.gz.sig @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmU2izoRHHJpY2hAYW5u +ZXhpYS5vcmcACgkQkXOPc+G3aKA+txAAkLeWdvH2ryibEyqMeyejvh9vMgQO5I46 +LaygI8jDi+XG+rGy7imiwIxxWvyCZI3y2U5MFudLZoFi+gCyVAC+LeBxjF41NBGz +fbgwFaQHrCbxyLlsj9OcR6M0+EPU8NXXPPGgXZNcnf7tHNZkTO0OGS9chml0wXHA +Zx9WheHl6wbLTVIAtLWOJqzRQj80RlcPC+De1wZL+WFMPMkfF8L8K5FRNsfeTIXn +l31d1R0g5QOMTTqBiKE2iopPmVmA5uC/adWCuqF3mzzjzCkHp+Ux/Ys99tkCETrU +jUuHgJ+1pYjn4Lmt/HUwXQZD3L+RkNAWWQziY/3ejK31tGxZqR/XTwq5RPrc6Qs1 +/zuoWvSWJZZo9yvX1Iq2RQAaZF5724V/svm+HgaCakaK8EJEj6sntM0OhAl2pRC4 +G45Kb2o7k016WgL8plNOlrbHNxaruBcPrkFYDMoyy3KLnWaw3OYMARTD5w/Pd4dC +CJa3tIXIKedhXw9xDtEWfxiKIHfO+LBHBMjpW9KzP/oxE2akmcJZJT+JNpsrpdzV +O6mbVDPedWd5LQQ1bNmwzxkCsMEC9HFhVbCaTuYuSXe/By04Norns4xyEJyDXlG/ +QqFgEUS8R+V9xwYHoAPg5RUmycXubSmm64iTAQNqc46QsxeP0Va7gpbrPLe5qVk/ +irUsxdBhGIM= +=pgmp +-----END PGP SIGNATURE----- diff --git a/SPECS/libnbd.spec b/SPECS/libnbd.spec index ca93c65..b523ea2 100644 --- a/SPECS/libnbd.spec +++ b/SPECS/libnbd.spec @@ -1,21 +1,18 @@ -# Do this until the feature is fixed in Fedora. -%undefine _package_note_flags - # If we should verify tarball signature with GPGv2. %global verify_tarball_signature 1 # If there are patches which touch autotools files, set this to 1. -%global patches_touch_autotools %{nil} +%global patches_touch_autotools 1 # The source directory. -%global source_directory 1.14-stable +%global source_directory 1.18-stable Name: libnbd -Version: 1.14.2 -Release: 1%{?dist} +Version: 1.18.1 +Release: 3%{?dist} Summary: NBD client library in userspace -License: LGPLv2+ +License: LGPL-2.0-or-later AND BSD-3-Clause URL: https://gitlab.com/nbdkit/libnbd Source0: http://libguestfs.org/download/libnbd/%{source_directory}/%{name}-%{version}.tar.gz @@ -29,9 +26,12 @@ Source2: libguestfs.keyring Source3: copy-patches.sh # Patches are stored in the upstream repository: -# https://gitlab.com/nbdkit/libnbd/-/commits/rhel-9.2/ +# https://gitlab.com/nbdkit/libnbd/-/commits/rhel-9.4/ -# (no patches) +# Patches. +Patch0001: 0001-generator-Fix-assertion-in-ext-mode-BLOCK_STATUS-CVE.patch +Patch0002: 0002-docs-Fix-incorrect-xref-in-libnbd-release-notes-for-.patch +Patch0003: 0003-tests-Check-behavior-of-nbd_set_strict_mode-STRICT_A.patch %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool @@ -51,13 +51,21 @@ BuildRequires: libxml2-devel # For nbdfuse. BuildRequires: fuse3, fuse3-devel +%if !0%{?rhel} +# For nbdublk +BuildRequires: liburing-devel >= 2.2 +BuildRequires: ubdsrv-devel >= 1.0-3.rc6 +%endif + # For the Python 3 bindings. BuildRequires: python3-devel +%ifnarch %{ix86} # For the OCaml bindings. BuildRequires: ocaml BuildRequires: ocaml-findlib-devel BuildRequires: ocaml-ocamldoc +%endif # Only for building the examples. BuildRequires: glib2-devel @@ -92,6 +100,11 @@ BuildRequires: nbdkit-sh-plugin BuildRequires: nbdkit-sparse-random-plugin %endif +%ifnarch %{ix86} +# The OCaml runtime system does not provide this symbol +%global __ocaml_requires_opts -x Stdlib__Callback +%endif + %description NBD — Network Block Device — is a protocol for accessing Block Devices @@ -116,7 +129,6 @@ The key features are: %package devel Summary: Development headers for %{name} -License: LGPLv2+ and BSD Requires: %{name}%{?_isa} = %{version}-%{release} @@ -124,6 +136,7 @@ Requires: %{name}%{?_isa} = %{version}-%{release} This package contains development headers for %{name}. +%ifnarch %{ix86} %package -n ocaml-%{name} Summary: OCaml language bindings for %{name} Requires: %{name}%{?_isa} = %{version}-%{release} @@ -142,6 +155,7 @@ Requires: ocaml-%{name}%{?_isa} = %{version}-%{release} This package contains OCaml language development package for %{name}. Install this if you want to compile OCaml software which uses %{name}. +%endif %package -n python3-%{name} @@ -160,7 +174,6 @@ python3-%{name} contains Python 3 bindings for %{name}. %package -n nbdfuse Summary: FUSE support for %{name} -License: LGPLv2+ and BSD Requires: %{name}%{?_isa} = %{version}-%{release} Recommends: fuse3 @@ -169,6 +182,20 @@ Recommends: fuse3 This package contains FUSE support for %{name}. +%if !0%{?rhel} +%package -n nbdublk +Summary: Userspace NBD block device +Requires: %{name}%{?_isa} = %{version}-%{release} +Recommends: kernel >= 6.0.0 +Recommends: %{_sbindir}/ublk + + +%description -n nbdublk +This package contains a userspace NBD block device +based on %{name}. +%endif + + %package bash-completion Summary: Bash tab-completion for %{name} BuildArch: noarch @@ -199,9 +226,14 @@ autoreconf -i --with-tls-priority=@LIBNBD,SYSTEM \ PYTHON=%{__python3} \ --enable-python \ +%ifnarch %{ix86} --enable-ocaml \ +%else + --disable-ocaml \ +%endif --enable-fuse \ - --disable-golang + --disable-golang \ + --disable-rust make %{?_smp_mflags} @@ -215,6 +247,16 @@ find $RPM_BUILD_ROOT -name '*.la' -delete # Delete the golang man page since we're not distributing the bindings. rm $RPM_BUILD_ROOT%{_mandir}/man3/libnbd-golang.3* +%ifarch %{ix86} +# Delete the OCaml man page on i686. +rm $RPM_BUILD_ROOT%{_mandir}/man3/libnbd-ocaml.3* +%endif + +%if 0%{?rhel} +# Delete nbdublk on RHEL. +rm $RPM_BUILD_ROOT%{_datadir}/bash-completion/completions/nbdublk +%endif + %check function skip_test () @@ -282,12 +324,12 @@ make %{?_smp_mflags} check || { %{_mandir}/man3/nbd_*.3* +%ifnarch %{ix86} %files -n ocaml-%{name} -%{_libdir}/ocaml/nbd -%exclude %{_libdir}/ocaml/nbd/*.a -%exclude %{_libdir}/ocaml/nbd/*.cmxa -%exclude %{_libdir}/ocaml/nbd/*.cmx -%exclude %{_libdir}/ocaml/nbd/*.mli +%dir %{_libdir}/ocaml/nbd +%{_libdir}/ocaml/nbd/META +%{_libdir}/ocaml/nbd/*.cma +%{_libdir}/ocaml/nbd/*.cmi %{_libdir}/ocaml/stublibs/dllmlnbd.so %{_libdir}/ocaml/stublibs/dllmlnbd.so.owner @@ -295,13 +337,16 @@ make %{?_smp_mflags} check || { %files -n ocaml-%{name}-devel %doc ocaml/examples/*.ml %license ocaml/examples/LICENSE-FOR-EXAMPLES -%{_libdir}/ocaml/nbd/*.a +%ifarch %{ocaml_native_compiler} %{_libdir}/ocaml/nbd/*.cmxa %{_libdir}/ocaml/nbd/*.cmx +%endif +%{_libdir}/ocaml/nbd/*.a %{_libdir}/ocaml/nbd/*.mli %{_mandir}/man3/libnbd-ocaml.3* %{_mandir}/man3/NBD.3* %{_mandir}/man3/NBD.*.3* +%endif %files -n python3-%{name} @@ -318,6 +363,13 @@ make %{?_smp_mflags} check || { %{_mandir}/man1/nbdfuse.1* +%if !0%{?rhel} +%files -n nbdublk +%{_bindir}/nbdublk +%{_mandir}/man1/nbdublk.1* +%endif + + %files bash-completion %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/nbdcopy @@ -325,9 +377,28 @@ make %{?_smp_mflags} check || { %{_datadir}/bash-completion/completions/nbdfuse %{_datadir}/bash-completion/completions/nbdinfo %{_datadir}/bash-completion/completions/nbdsh +%if !0%{?rhel} +%{_datadir}/bash-completion/completions/nbdublk +%endif %changelog +* Mon Nov 13 2023 Eric Blake - 1.18.1-3 +- Backport unit test of recent libnbd API addition + resolves: RHEL-16292 + +* Wed Nov 01 2023 Richard W.M. Jones - 1.18.1-2 +- Fix assertion in ext-mode BLOCK_STATUS (CVE-2023-5871) + resolves: RHEL-15143 + +* Tue Oct 24 2023 Richard W.M. Jones - 1.18.1-1 +- Rebase to 1.18.1 + resolves: RHEL-14476 + +* Tue Apr 18 2023 Richard W.M. Jones - 1.16.0-1 +- Rebase to 1.16.0 + resolves: rhbz#2168628 + * Tue Jan 03 2023 Richard W.M. Jones - 1.14.2-1 - Rebase to new stable branch version 1.14.2 resolves: rhbz#2135764