import libnbd-1.6.0-5.module+el8.6.0+14156+faad4bd2

2022-05-03 14:03:13 +00:00 · 2022-05-03 14:03:13 +00:00 · b708f948ee
parent 80454192e2
commit b708f948ee
9 changed files with 496 additions and 9 deletions
--- a/SOURCES/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch
+++ b/SOURCES/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch
@ -26,5 +26,5 @@ index aa2cb1b..47ff09a 100755
 requires test -r /dev/zero
 
 -- 
-2.18.4
+2.31.1

--- a/SOURCES/0002-generator-Refactor-CONNECT.START-state.patch
+++ b/SOURCES/0002-generator-Refactor-CONNECT.START-state.patch
@ -53,5 +53,5 @@ index 392879d..03b34c7 100644
 
  CONNECT.CONNECTING:
 -- 
-2.18.4
+2.31.1

--- a/SOURCES/0003-generator-Print-a-better-error-message-if-connect-2-.patch
+++ b/SOURCES/0003-generator-Print-a-better-error-message-if-connect-2-.patch
@ -44,5 +44,5 @@ index 03b34c7..98c26e5 100644
   set_error (errno, "connect");
   return 0;
 -- 
-2.18.4
+2.31.1

--- a/SOURCES/0004-opt_go-Tolerate-unplanned-server-death.patch
+++ b/SOURCES/0004-opt_go-Tolerate-unplanned-server-death.patch
@ -55,5 +55,5 @@ index 2317b72..e5802f4 100644
     return -1;
   }
 -- 
-2.18.4
+2.31.1

--- a/SOURCES/0005-security-Document-assignment-of-CVE-2021-20286.patch
+++ b/SOURCES/0005-security-Document-assignment-of-CVE-2021-20286.patch
@ -36,5 +36,5 @@ index d8ead87..0cae846 100644
 -Copyright (C) 2019 Red Hat Inc.
 +Copyright (C) 2019-2021 Red Hat Inc.
 -- 
-2.18.4
+2.31.1

--- a/SOURCES/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch
+++ b/SOURCES/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch
@ -0,0 +1,163 @@
+From 22572f8ac13e2e8daf91d227eac2f384303fb5b4 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 3 Feb 2022 14:25:57 -0600
+Subject: [PATCH] copy: Pass in dummy variable rather than &errno to callback
+
+In several places where asynch handlers manually call the provided
+nbd_completion_callback, the value of errno is indeterminate (for
+example, in file-ops.c:file_asynch_read(), the previous call to
+file_synch_read() already triggered exit() on error, but does not
+guarantee what is left in errno on success).  As the callback should
+be paying attention to the value of *error (to be fixed in the next
+patch), we are better off ensuring that we pass in a pointer to a
+known-zero value.  Besides, passing in &errno carries a risk that if
+the callback uses any other library function that alters errno prior
+to dereferncing *error, it will no longer see the value we passed in.
+Thus, it is easier to use a dummy variable on the stack than to mess
+around with errno and it's magic macro expansion into a thread-local
+storage location.
+
+Note that several callsites then check if the callback returned -1,
+and if so assume that the callback has caused errno to now have a sane
+value to pass on to perror.  In theory, the fact that we are no longer
+passing in &errno means that if the callback assigns into *error but
+did not otherwise affect errno (a tenuous assumption, given our
+argument above that we could not even guarantee that the callback does
+not accidentally alter errno prior to reading *error), our perror call
+would no longer reflect the intended error value from the callback.
+But in practice, since the callback never actually returned -1, nor
+even assigned into *error, the call to perror is dead code; although I
+have chosen to defer that additional cleanup to the next patch.
+
+Message-Id: <20220203202558.203013-5-eblake@redhat.com>
+Acked-by: Richard W.M. Jones <rjones@redhat.com>
+Acked-by: Nir Soffer <nsoffer@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 794c8ce06e995ebd282e8f2b9465a06140572112)
+Conflicts:
+	copy/file-ops.c - no backport of d5f65e56 ("copy: Do not use trim
+ for zeroing"), so asynch_trim needed same treatment
+	copy/multi-thread-copying.c - context due to missing refactoring
+	copy/null-ops.c - no backport of 0b16205e "copy: Implement "null:"
+  destination."
+(cherry picked from commit 26e3dcf80815fe2db320d3046aabc2580c2f7a0d)
+---
+ copy/file-ops.c             | 22 +++++++++++++---------
+ copy/multi-thread-copying.c |  8 +++++---
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/copy/file-ops.c b/copy/file-ops.c
+index 086348a..cc312b4 100644
+--- a/copy/file-ops.c
+++ b/copy/file-ops.c
+@@ -1,5 +1,5 @@
+ /* NBD client library in userspace.
+- * Copyright (C) 2020 Red Hat Inc.
+ * Copyright (C) 2020-2022 Red Hat Inc.
+  *
+  * This library is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU Lesser General Public
+@@ -158,10 +158,11 @@ file_asynch_read (struct rw *rw,
+                   struct command *command,
+                   nbd_completion_callback cb)
+ {
+  int dummy = 0;
+
+   file_synch_read (rw, slice_ptr (command->slice),
+                    command->slice.len, command->offset);
+-  errno = 0;
+-  if (cb.callback (cb.user_data, &errno) == -1) {
+  if (cb.callback (cb.user_data, &dummy) == -1) {
+     perror (rw->name);
+     exit (EXIT_FAILURE);
+   }
+@@ -172,10 +173,11 @@ file_asynch_write (struct rw *rw,
+                    struct command *command,
+                    nbd_completion_callback cb)
+ {
+  int dummy = 0;
+
+   file_synch_write (rw, slice_ptr (command->slice),
+                     command->slice.len, command->offset);
+-  errno = 0;
+-  if (cb.callback (cb.user_data, &errno) == -1) {
+  if (cb.callback (cb.user_data, &dummy) == -1) {
+     perror (rw->name);
+     exit (EXIT_FAILURE);
+   }
+@@ -185,10 +187,11 @@ static bool
+ file_asynch_trim (struct rw *rw, struct command *command,
+                   nbd_completion_callback cb)
+ {
+  int dummy = 0;
+
+   if (!file_synch_trim (rw, command->offset, command->slice.len))
+     return false;
+-  errno = 0;
+-  if (cb.callback (cb.user_data, &errno) == -1) {
+  if (cb.callback (cb.user_data, &dummy) == -1) {
+     perror (rw->name);
+     exit (EXIT_FAILURE);
+   }
+@@ -199,10 +202,11 @@ static bool
+ file_asynch_zero (struct rw *rw, struct command *command,
+                   nbd_completion_callback cb)
+ {
+  int dummy = 0;
+
+   if (!file_synch_zero (rw, command->offset, command->slice.len))
+     return false;
+-  errno = 0;
+-  if (cb.callback (cb.user_data, &errno) == -1) {
+  if (cb.callback (cb.user_data, &dummy) == -1) {
+     perror (rw->name);
+     exit (EXIT_FAILURE);
+   }
+diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c
+index a7aaa7d..2593ff7 100644
+--- a/copy/multi-thread-copying.c
+++ b/copy/multi-thread-copying.c
+@@ -1,5 +1,5 @@
+ /* NBD client library in userspace.
+- * Copyright (C) 2020 Red Hat Inc.
+ * Copyright (C) 2020-2022 Red Hat Inc.
+  *
+  * This library is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU Lesser General Public
+@@ -391,6 +391,7 @@ finished_read (void *vp, int *error)
+     bool last_is_hole = false;
+     uint64_t i;
+     struct command *newcommand;
+    int dummy = 0;
+ 
+     /* Iterate over whole blocks in the command, starting on a block
+      * boundary.
+@@ -473,7 +474,7 @@ finished_read (void *vp, int *error)
+     /* Free the original command since it has been split into
+      * subcommands and the original is no longer needed.
+      */
+-    free_command (command, &errno);
+    free_command (command, &dummy);
+   }
+ 
+   return 1; /* auto-retires the command */
+@@ -498,6 +499,7 @@ static void
+ fill_dst_range_with_zeroes (struct command *command)
+ {
+   char *data;
+  int dummy = 0;
+ 
+   if (destination_is_zero)
+     goto free_and_return;
+@@ -541,7 +543,7 @@ fill_dst_range_with_zeroes (struct command *command)
+   free (data);
+ 
+  free_and_return:
+-  free_command (command, &errno);
+  free_command (command, &dummy);
+ }
+ 
+ static int
+-- 
+2.31.1
+
--- a/SOURCES/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch
+++ b/SOURCES/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch
@ -0,0 +1,318 @@
+From 1b0b732e6a9b4979fccf6a09eb6704264edf675d Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 3 Feb 2022 14:25:58 -0600
+Subject: [PATCH] copy: CVE-2022-0485: Fail nbdcopy if NBD read or write fails
+
+nbdcopy has a nasty bug when performing multi-threaded copies using
+asynchronous nbd calls - it was blindly treating the completion of an
+asynchronous command as successful, rather than checking the *error
+parameter.  This can result in the silent creation of a corrupted
+image in two different ways: when a read fails, we blindly wrote
+garbage to the destination; when a write fails, we did not flag that
+the destination was not written.
+
+Since nbdcopy already calls exit() on a synchronous read or write
+failure to a file, doing the same for an asynchronous op to an NBD
+server is the simplest solution.  A nicer solution, but more invasive
+to code and thus not done here, might be to allow up to N retries of
+the transaction (in case the read or write failure was transient), or
+even having a mode where as much data is copied as possible (portions
+of the copy that failed would be logged on stderr, and nbdcopy would
+still fail with a non-zero exit status, but this would copy more than
+just stopping at the first error, as can be done with rsync or
+ddrescue).
+
+Note that since we rely on auto-retiring and do NOT call
+nbd_aio_command_completed, our completion callbacks must always return
+1 (if they do not exit() first), even when acting on *error, so as not
+leave the command allocated until nbd_close.  As such, there is no
+sane way to return an error to a manual caller of the callback, and
+therefore we can drop dead code that calls perror() and exit() if the
+callback "failed".  It is also worth documenting the contract on when
+we must manually call the callback during the asynch_zero callback, so
+that we do not leak or double-free the command; thankfully, all the
+existing code paths were correct.
+
+The added testsuite script demonstrates several scenarios, some of
+which fail without the rest of this patch in place, and others which
+showcase ways in which sparse images can bypass errors.
+
+Once backports are complete, a followup patch on the main branch will
+edit docs/libnbd-security.pod with the mailing list announcement of
+the stable branch commit ids and release versions that incorporate
+this fix.
+
+Reported-by: Nir Soffer <nsoffer@redhat.com>
+Fixes: bc896eec4d ("copy: Implement multi-conn, multiple threads, multiple requests in flight.", v1.5.6)
+Fixes: https://bugzilla.redhat.com/2046194
+Message-Id: <20220203202558.203013-6-eblake@redhat.com>
+Acked-by: Richard W.M. Jones <rjones@redhat.com>
+Acked-by: Nir Soffer <nsoffer@redhat.com>
+[eblake: fix error message per Nir, tweak requires lines in unit test per Rich]
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+
+(cherry picked from commit 8d444b41d09a700c7ee6f9182a649f3f2d325abb)
+Conflicts:
+	copy/nbdcopy.h - copyright context
+	copy/null-ops.c - no backport of 0b16205e "copy: Implement "null:"
+ destination."
+        copy/copy-nbd-error.sh - no backport of d5f65e56 ("copy: Do not use
+ trim for zeroing"), so one test needed an additional error-trim-rate;
+ no backport of 4ff9e62d (copy: Add --request-size option") and friends, so
+ this version uses larger transactions, so change error rate of 0.5 to 1;
+ no backport of 0b16205e "copy: Implement "null:" destination.", so use
+ nbdkit null instead
+Note that while the use of NBD_CMD_TRIM can create data corruption, it is
+not as severe as what this patch fixes, since trim corruption will only
+expose what had previously been on the disk, compared to this patch fixing
+a potential leak of nbdcopy heap contents into the destination.
+(cherry picked from commit 6c8f2f859926b82094fb5e85c446ea099700fa10)
+---
+ TODO                        |  1 +
+ copy/Makefile.am            |  4 +-
+ copy/copy-nbd-error.sh      | 81 +++++++++++++++++++++++++++++++++++++
+ copy/file-ops.c             | 17 +++-----
+ copy/multi-thread-copying.c | 13 ++++++
+ copy/nbdcopy.h              |  7 ++--
+ 6 files changed, 107 insertions(+), 16 deletions(-)
+ create mode 100755 copy/copy-nbd-error.sh
+
+diff --git a/TODO b/TODO
+index 510c219..19c21d4 100644
+--- a/TODO
+++ b/TODO
+@@ -35,6 +35,7 @@ nbdcopy:
+  - Better page cache usage, see nbdkit-file-plugin options
+    fadvise=sequential cache=none.
+  - Consider io_uring if there are performance bottlenecks.
+ - Configurable retries in response to read or write failures.
+ 
+ nbdfuse:
+  - If you write beyond the end of the virtual file, it returns EIO.
+diff --git a/copy/Makefile.am b/copy/Makefile.am
+index d318388..3406cd8 100644
+--- a/copy/Makefile.am
+++ b/copy/Makefile.am
+@@ -1,5 +1,5 @@
+ # nbd client library in userspace
+-# Copyright (C) 2020 Red Hat Inc.
+# Copyright (C) 2020-2022 Red Hat Inc.
+ #
+ # This library is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU Lesser General Public
+@@ -30,6 +30,7 @@ EXTRA_DIST = \
+ 	copy-nbd-to-small-nbd-error.sh \
+ 	copy-nbd-to-sparse-file.sh \
+ 	copy-nbd-to-stdout.sh \
+	copy-nbd-error.sh \
+ 	copy-progress-bar.sh \
+ 	copy-sparse.sh \
+ 	copy-sparse-allocated.sh \
+@@ -105,6 +106,7 @@ TESTS += \
+ 	copy-nbd-to-sparse-file.sh \
+ 	copy-stdin-to-nbd.sh \
+ 	copy-nbd-to-stdout.sh \
+	copy-nbd-error.sh \
+ 	copy-progress-bar.sh \
+ 	copy-sparse.sh \
+ 	copy-sparse-allocated.sh \
+diff --git a/copy/copy-nbd-error.sh b/copy/copy-nbd-error.sh
+new file mode 100755
+index 0000000..bba71db
+--- /dev/null
+++ b/copy/copy-nbd-error.sh
+@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# nbd client library in userspace
+# Copyright (C) 2022 Red Hat Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+# Tests several scenarios of handling NBD server errors
+# Serves as a regression test for the CVE-2022-0485 fix.
+
+. ../tests/functions.sh
+
+set -e
+set -x
+
+requires nbdkit --exit-with-parent --version
+requires nbdkit --filter=noextents null --version
+requires nbdkit --filter=error pattern --version
+requires nbdkit --filter=nozero memory --version
+
+fail=0
+
+# Failure to get block status should not be fatal, but merely downgrade to
+# reading the entire image as if data
+echo "Testing extents failures on source"
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error pattern 5M \
+    error-extents-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] || fail=1
+
+# Failure to read should be fatal
+echo "Testing read failures on non-sparse source"
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error pattern 5M \
+    error-pread-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] && fail=1
+
+# However, reliable block status on a sparse image can avoid the need to read
+echo "Testing read failures on sparse source"
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error null 5M \
+    error-pread-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] || fail=1
+
+# Failure to write data should be fatal
+echo "Testing write data failures on arbitrary destination"
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v pattern 5M ] \
+    [ nbdkit --exit-with-parent -v --filter=error --filter=noextents \
+        memory 5M error-pwrite-rate=1 ] && fail=1
+
+# However, writing zeroes can bypass the need for normal writes
+echo "Testing write data failures from sparse source"
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \
+    [ nbdkit --exit-with-parent -v --filter=error --filter=noextents \
+        memory 5M error-pwrite-rate=1 ] || fail=1
+
+# Failure to write zeroes should be fatal
+echo "Testing write zero failures on arbitrary destination"
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \
+    [ nbdkit --exit-with-parent -v --filter=error memory 5M \
+        error-trim-rate=1 error-zero-rate=1 ] && fail=1
+
+# However, assuming/learning destination is zero can skip need to write
+echo "Testing write failures on pre-zeroed destination"
+$VG nbdcopy --destination-is-zero -- \
+    [ nbdkit --exit-with-parent -v null 5M ] \
+    [ nbdkit --exit-with-parent -v --filter=error memory 5M \
+        error-pwrite-rate=1 error-zero-rate=1 ] || fail=1
+
+# Likewise, when write zero is not advertised, fallback to normal write works
+echo "Testing write zeroes to destination without zero support"
+$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \
+    [ nbdkit --exit-with-parent -v --filter=nozero --filter=error memory 5M \
+        error-zero-rate=1 ] || fail=1
+
+exit $fail
+diff --git a/copy/file-ops.c b/copy/file-ops.c
+index cc312b4..b19af04 100644
+--- a/copy/file-ops.c
+++ b/copy/file-ops.c
+@@ -162,10 +162,8 @@ file_asynch_read (struct rw *rw,
+ 
+   file_synch_read (rw, slice_ptr (command->slice),
+                    command->slice.len, command->offset);
+-  if (cb.callback (cb.user_data, &dummy) == -1) {
+-    perror (rw->name);
+-    exit (EXIT_FAILURE);
+-  }
+  /* file_synch_read called exit() on error */
+  cb.callback (cb.user_data, &dummy);
+ }
+ 
+ static void
+@@ -177,10 +175,8 @@ file_asynch_write (struct rw *rw,
+ 
+   file_synch_write (rw, slice_ptr (command->slice),
+                     command->slice.len, command->offset);
+-  if (cb.callback (cb.user_data, &dummy) == -1) {
+-    perror (rw->name);
+-    exit (EXIT_FAILURE);
+-  }
+  /* file_synch_write called exit() on error */
+  cb.callback (cb.user_data, &dummy);
+ }
+ 
+ static bool
+@@ -206,10 +202,7 @@ file_asynch_zero (struct rw *rw, struct command *command,
+ 
+   if (!file_synch_zero (rw, command->offset, command->slice.len))
+     return false;
+-  if (cb.callback (cb.user_data, &dummy) == -1) {
+-    perror (rw->name);
+-    exit (EXIT_FAILURE);
+-  }
+  cb.callback (cb.user_data, &dummy);
+   return true;
+ }
+ 
+diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c
+index 2593ff7..28749ae 100644
+--- a/copy/multi-thread-copying.c
+++ b/copy/multi-thread-copying.c
+@@ -28,6 +28,7 @@
+ #include <errno.h>
+ #include <assert.h>
+ #include <sys/stat.h>
+#include <inttypes.h>
+ 
+ #include <pthread.h>
+ 
+@@ -374,6 +375,12 @@ finished_read (void *vp, int *error)
+ {
+   struct command *command = vp;
+ 
+  if (*error) {
+    fprintf (stderr, "read at offset %" PRId64 " failed: %s\n",
+             command->offset, strerror (*error));
+    exit (EXIT_FAILURE);
+  }
+
+   if (allocated || sparse_size == 0) {
+     /* If sparseness detection (see below) is turned off then we write
+      * the whole command.
+@@ -552,6 +559,12 @@ free_command (void *vp, int *error)
+   struct command *command = vp;
+   struct buffer *buffer = command->slice.buffer;
+ 
+  if (*error) {
+    fprintf (stderr, "write at offset %" PRId64 " failed: %s\n",
+             command->offset, strerror (*error));
+    exit (EXIT_FAILURE);
+  }
+
+   if (buffer != NULL) {
+     if (--buffer->refs == 0) {
+       free (buffer->data);
+diff --git a/copy/nbdcopy.h b/copy/nbdcopy.h
+index 3dcc6df..9626a52 100644
+--- a/copy/nbdcopy.h
+++ b/copy/nbdcopy.h
+@@ -1,5 +1,5 @@
+ /* NBD client library in userspace.
+- * Copyright (C) 2020 Red Hat Inc.
+ * Copyright (C) 2020-2022 Red Hat Inc.
+  *
+  * This library is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU Lesser General Public
+@@ -134,7 +134,8 @@ struct rw_ops {
+   bool (*synch_zero) (struct rw *rw, uint64_t offset, uint64_t count);
+ 
+   /* Asynchronous I/O operations.  These start the operation and call
+-   * 'cb' on completion.
+   * 'cb' on completion.  'cb' will return 1, for auto-retiring with
+   * asynchronous libnbd calls.
+    *
+    * The file_ops versions are actually implemented synchronously, but
+    * still call 'cb'.
+@@ -156,7 +157,7 @@ struct rw_ops {
+                        nbd_completion_callback cb);
+ 
+   /* Asynchronously zero.  command->slice.buffer is not used.  If not possible,
+-   * returns false.
+   * returns false.  'cb' must be called only if returning true.
+    */
+   bool (*asynch_zero) (struct rw *rw, struct command *command,
+                        nbd_completion_callback cb);
+-- 
+2.31.1
+
--- a/SOURCES/copy-patches.sh
+++ b/SOURCES/copy-patches.sh
@ -6,7 +6,7 @@ set -e
 # directory.  Use it like this:
 #   ./copy-patches.sh

-rhel_version=8.4
+rhel_version=8.6

 # Check we're in the right directory.
 if [ ! -f libnbd.spec ]; then
--- a/SPECS/libnbd.spec
+++ b/SPECS/libnbd.spec
@ -2,14 +2,14 @@
 %global verify_tarball_signature 1

 # If there are patches which touch autotools files, set this to 1.
-%global patches_touch_autotools %{nil}
+%global patches_touch_autotools 1

 # The source directory.
 %global source_directory 1.6-stable

 Name:           libnbd
 Version:        1.6.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        NBD client library in userspace

 License:        LGPLv2+
@ -26,7 +26,7 @@ Source2:       libguestfs.keyring
 Source3:        copy-patches.sh

 # Patches come from this upstream branch:
-# https://github.com/libguestfs/libnbd/tree/rhel-8.4
+# https://github.com/libguestfs/libnbd/tree/rhel-8.6

 # Patches.
 Patch0001:     0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch
@ -34,6 +34,8 @@ Patch0002:     0002-generator-Refactor-CONNECT.START-state.patch
 Patch0003:     0003-generator-Print-a-better-error-message-if-connect-2-.patch
 Patch0004:     0004-opt_go-Tolerate-unplanned-server-death.patch
 Patch0005:     0005-security-Document-assignment-of-CVE-2021-20286.patch
+Patch0006:     0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch
+Patch0007:     0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch

 %if 0%{patches_touch_autotools}
 BuildRequires: autoconf, automake, libtool
@ -310,6 +312,10 @@ make %{?_smp_mflags} check || {


 %changelog
+* Mon Feb  7 2022 Richard W.M. Jones <rjones@redhat.com> - 1.6.0-5.el8
+- Fix CVE-2022-0485: Fail nbdcopy if NBD read or write fails
+  resolves: rhbz#2045718
+
 * Thu Sep 2 2021 Danilo C. L. de Paula <ddepaula@redhat.com> - 1.6.0-4.el8
 - Resolves: bz#2000225
  (Rebase virt:rhel module:stream based on AV-8.6)