From b708f948ee8013708f6e816d47129b7eea81a6e4 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 3 May 2022 14:03:13 +0000 Subject: [PATCH] import libnbd-1.6.0-5.module+el8.6.0+14156+faad4bd2 --- ...-sparse-file.sh-Skip-test-unless-nbd.patch | 2 +- ...nerator-Refactor-CONNECT.START-state.patch | 2 +- ...a-better-error-message-if-connect-2-.patch | 2 +- ...t_go-Tolerate-unplanned-server-death.patch | 2 +- ...ocument-assignment-of-CVE-2021-20286.patch | 2 +- ...my-variable-rather-than-errno-to-cal.patch | 163 +++++++++ ...85-Fail-nbdcopy-if-NBD-read-or-write.patch | 318 ++++++++++++++++++ SOURCES/copy-patches.sh | 2 +- SPECS/libnbd.spec | 12 +- 9 files changed, 496 insertions(+), 9 deletions(-) create mode 100644 SOURCES/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch create mode 100644 SOURCES/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch diff --git a/SOURCES/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch b/SOURCES/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch index 80626fa..173aae4 100644 --- a/SOURCES/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch +++ b/SOURCES/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch @@ -26,5 +26,5 @@ index aa2cb1b..47ff09a 100755 requires test -r /dev/zero -- -2.18.4 +2.31.1 diff --git a/SOURCES/0002-generator-Refactor-CONNECT.START-state.patch b/SOURCES/0002-generator-Refactor-CONNECT.START-state.patch index 35eac86..ca013dc 100644 --- a/SOURCES/0002-generator-Refactor-CONNECT.START-state.patch +++ b/SOURCES/0002-generator-Refactor-CONNECT.START-state.patch @@ -53,5 +53,5 @@ index 392879d..03b34c7 100644 CONNECT.CONNECTING: -- -2.18.4 +2.31.1 diff --git a/SOURCES/0003-generator-Print-a-better-error-message-if-connect-2-.patch b/SOURCES/0003-generator-Print-a-better-error-message-if-connect-2-.patch index 071d901..6ac2a69 100644 --- a/SOURCES/0003-generator-Print-a-better-error-message-if-connect-2-.patch +++ b/SOURCES/0003-generator-Print-a-better-error-message-if-connect-2-.patch @@ -44,5 +44,5 @@ index 03b34c7..98c26e5 100644 set_error (errno, "connect"); return 0; -- -2.18.4 +2.31.1 diff --git a/SOURCES/0004-opt_go-Tolerate-unplanned-server-death.patch b/SOURCES/0004-opt_go-Tolerate-unplanned-server-death.patch index 3cc5b76..9080ea6 100644 --- a/SOURCES/0004-opt_go-Tolerate-unplanned-server-death.patch +++ b/SOURCES/0004-opt_go-Tolerate-unplanned-server-death.patch @@ -55,5 +55,5 @@ index 2317b72..e5802f4 100644 return -1; } -- -2.18.4 +2.31.1 diff --git a/SOURCES/0005-security-Document-assignment-of-CVE-2021-20286.patch b/SOURCES/0005-security-Document-assignment-of-CVE-2021-20286.patch index 0969d47..8732515 100644 --- a/SOURCES/0005-security-Document-assignment-of-CVE-2021-20286.patch +++ b/SOURCES/0005-security-Document-assignment-of-CVE-2021-20286.patch @@ -36,5 +36,5 @@ index d8ead87..0cae846 100644 -Copyright (C) 2019 Red Hat Inc. +Copyright (C) 2019-2021 Red Hat Inc. -- -2.18.4 +2.31.1 diff --git a/SOURCES/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch b/SOURCES/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch new file mode 100644 index 0000000..896876f --- /dev/null +++ b/SOURCES/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch @@ -0,0 +1,163 @@ +From 22572f8ac13e2e8daf91d227eac2f384303fb5b4 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Thu, 3 Feb 2022 14:25:57 -0600 +Subject: [PATCH] copy: Pass in dummy variable rather than &errno to callback + +In several places where asynch handlers manually call the provided +nbd_completion_callback, the value of errno is indeterminate (for +example, in file-ops.c:file_asynch_read(), the previous call to +file_synch_read() already triggered exit() on error, but does not +guarantee what is left in errno on success). As the callback should +be paying attention to the value of *error (to be fixed in the next +patch), we are better off ensuring that we pass in a pointer to a +known-zero value. Besides, passing in &errno carries a risk that if +the callback uses any other library function that alters errno prior +to dereferncing *error, it will no longer see the value we passed in. +Thus, it is easier to use a dummy variable on the stack than to mess +around with errno and it's magic macro expansion into a thread-local +storage location. + +Note that several callsites then check if the callback returned -1, +and if so assume that the callback has caused errno to now have a sane +value to pass on to perror. In theory, the fact that we are no longer +passing in &errno means that if the callback assigns into *error but +did not otherwise affect errno (a tenuous assumption, given our +argument above that we could not even guarantee that the callback does +not accidentally alter errno prior to reading *error), our perror call +would no longer reflect the intended error value from the callback. +But in practice, since the callback never actually returned -1, nor +even assigned into *error, the call to perror is dead code; although I +have chosen to defer that additional cleanup to the next patch. + +Message-Id: <20220203202558.203013-5-eblake@redhat.com> +Acked-by: Richard W.M. Jones +Acked-by: Nir Soffer +Reviewed-by: Laszlo Ersek +(cherry picked from commit 794c8ce06e995ebd282e8f2b9465a06140572112) +Conflicts: + copy/file-ops.c - no backport of d5f65e56 ("copy: Do not use trim + for zeroing"), so asynch_trim needed same treatment + copy/multi-thread-copying.c - context due to missing refactoring + copy/null-ops.c - no backport of 0b16205e "copy: Implement "null:" + destination." +(cherry picked from commit 26e3dcf80815fe2db320d3046aabc2580c2f7a0d) +--- + copy/file-ops.c | 22 +++++++++++++--------- + copy/multi-thread-copying.c | 8 +++++--- + 2 files changed, 18 insertions(+), 12 deletions(-) + +diff --git a/copy/file-ops.c b/copy/file-ops.c +index 086348a..cc312b4 100644 +--- a/copy/file-ops.c ++++ b/copy/file-ops.c +@@ -1,5 +1,5 @@ + /* NBD client library in userspace. +- * Copyright (C) 2020 Red Hat Inc. ++ * Copyright (C) 2020-2022 Red Hat Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -158,10 +158,11 @@ file_asynch_read (struct rw *rw, + struct command *command, + nbd_completion_callback cb) + { ++ int dummy = 0; ++ + file_synch_read (rw, slice_ptr (command->slice), + command->slice.len, command->offset); +- errno = 0; +- if (cb.callback (cb.user_data, &errno) == -1) { ++ if (cb.callback (cb.user_data, &dummy) == -1) { + perror (rw->name); + exit (EXIT_FAILURE); + } +@@ -172,10 +173,11 @@ file_asynch_write (struct rw *rw, + struct command *command, + nbd_completion_callback cb) + { ++ int dummy = 0; ++ + file_synch_write (rw, slice_ptr (command->slice), + command->slice.len, command->offset); +- errno = 0; +- if (cb.callback (cb.user_data, &errno) == -1) { ++ if (cb.callback (cb.user_data, &dummy) == -1) { + perror (rw->name); + exit (EXIT_FAILURE); + } +@@ -185,10 +187,11 @@ static bool + file_asynch_trim (struct rw *rw, struct command *command, + nbd_completion_callback cb) + { ++ int dummy = 0; ++ + if (!file_synch_trim (rw, command->offset, command->slice.len)) + return false; +- errno = 0; +- if (cb.callback (cb.user_data, &errno) == -1) { ++ if (cb.callback (cb.user_data, &dummy) == -1) { + perror (rw->name); + exit (EXIT_FAILURE); + } +@@ -199,10 +202,11 @@ static bool + file_asynch_zero (struct rw *rw, struct command *command, + nbd_completion_callback cb) + { ++ int dummy = 0; ++ + if (!file_synch_zero (rw, command->offset, command->slice.len)) + return false; +- errno = 0; +- if (cb.callback (cb.user_data, &errno) == -1) { ++ if (cb.callback (cb.user_data, &dummy) == -1) { + perror (rw->name); + exit (EXIT_FAILURE); + } +diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c +index a7aaa7d..2593ff7 100644 +--- a/copy/multi-thread-copying.c ++++ b/copy/multi-thread-copying.c +@@ -1,5 +1,5 @@ + /* NBD client library in userspace. +- * Copyright (C) 2020 Red Hat Inc. ++ * Copyright (C) 2020-2022 Red Hat Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -391,6 +391,7 @@ finished_read (void *vp, int *error) + bool last_is_hole = false; + uint64_t i; + struct command *newcommand; ++ int dummy = 0; + + /* Iterate over whole blocks in the command, starting on a block + * boundary. +@@ -473,7 +474,7 @@ finished_read (void *vp, int *error) + /* Free the original command since it has been split into + * subcommands and the original is no longer needed. + */ +- free_command (command, &errno); ++ free_command (command, &dummy); + } + + return 1; /* auto-retires the command */ +@@ -498,6 +499,7 @@ static void + fill_dst_range_with_zeroes (struct command *command) + { + char *data; ++ int dummy = 0; + + if (destination_is_zero) + goto free_and_return; +@@ -541,7 +543,7 @@ fill_dst_range_with_zeroes (struct command *command) + free (data); + + free_and_return: +- free_command (command, &errno); ++ free_command (command, &dummy); + } + + static int +-- +2.31.1 + diff --git a/SOURCES/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch b/SOURCES/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch new file mode 100644 index 0000000..b191e8b --- /dev/null +++ b/SOURCES/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch @@ -0,0 +1,318 @@ +From 1b0b732e6a9b4979fccf6a09eb6704264edf675d Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Thu, 3 Feb 2022 14:25:58 -0600 +Subject: [PATCH] copy: CVE-2022-0485: Fail nbdcopy if NBD read or write fails + +nbdcopy has a nasty bug when performing multi-threaded copies using +asynchronous nbd calls - it was blindly treating the completion of an +asynchronous command as successful, rather than checking the *error +parameter. This can result in the silent creation of a corrupted +image in two different ways: when a read fails, we blindly wrote +garbage to the destination; when a write fails, we did not flag that +the destination was not written. + +Since nbdcopy already calls exit() on a synchronous read or write +failure to a file, doing the same for an asynchronous op to an NBD +server is the simplest solution. A nicer solution, but more invasive +to code and thus not done here, might be to allow up to N retries of +the transaction (in case the read or write failure was transient), or +even having a mode where as much data is copied as possible (portions +of the copy that failed would be logged on stderr, and nbdcopy would +still fail with a non-zero exit status, but this would copy more than +just stopping at the first error, as can be done with rsync or +ddrescue). + +Note that since we rely on auto-retiring and do NOT call +nbd_aio_command_completed, our completion callbacks must always return +1 (if they do not exit() first), even when acting on *error, so as not +leave the command allocated until nbd_close. As such, there is no +sane way to return an error to a manual caller of the callback, and +therefore we can drop dead code that calls perror() and exit() if the +callback "failed". It is also worth documenting the contract on when +we must manually call the callback during the asynch_zero callback, so +that we do not leak or double-free the command; thankfully, all the +existing code paths were correct. + +The added testsuite script demonstrates several scenarios, some of +which fail without the rest of this patch in place, and others which +showcase ways in which sparse images can bypass errors. + +Once backports are complete, a followup patch on the main branch will +edit docs/libnbd-security.pod with the mailing list announcement of +the stable branch commit ids and release versions that incorporate +this fix. + +Reported-by: Nir Soffer +Fixes: bc896eec4d ("copy: Implement multi-conn, multiple threads, multiple requests in flight.", v1.5.6) +Fixes: https://bugzilla.redhat.com/2046194 +Message-Id: <20220203202558.203013-6-eblake@redhat.com> +Acked-by: Richard W.M. Jones +Acked-by: Nir Soffer +[eblake: fix error message per Nir, tweak requires lines in unit test per Rich] +Reviewed-by: Laszlo Ersek + +(cherry picked from commit 8d444b41d09a700c7ee6f9182a649f3f2d325abb) +Conflicts: + copy/nbdcopy.h - copyright context + copy/null-ops.c - no backport of 0b16205e "copy: Implement "null:" + destination." + copy/copy-nbd-error.sh - no backport of d5f65e56 ("copy: Do not use + trim for zeroing"), so one test needed an additional error-trim-rate; + no backport of 4ff9e62d (copy: Add --request-size option") and friends, so + this version uses larger transactions, so change error rate of 0.5 to 1; + no backport of 0b16205e "copy: Implement "null:" destination.", so use + nbdkit null instead +Note that while the use of NBD_CMD_TRIM can create data corruption, it is +not as severe as what this patch fixes, since trim corruption will only +expose what had previously been on the disk, compared to this patch fixing +a potential leak of nbdcopy heap contents into the destination. +(cherry picked from commit 6c8f2f859926b82094fb5e85c446ea099700fa10) +--- + TODO | 1 + + copy/Makefile.am | 4 +- + copy/copy-nbd-error.sh | 81 +++++++++++++++++++++++++++++++++++++ + copy/file-ops.c | 17 +++----- + copy/multi-thread-copying.c | 13 ++++++ + copy/nbdcopy.h | 7 ++-- + 6 files changed, 107 insertions(+), 16 deletions(-) + create mode 100755 copy/copy-nbd-error.sh + +diff --git a/TODO b/TODO +index 510c219..19c21d4 100644 +--- a/TODO ++++ b/TODO +@@ -35,6 +35,7 @@ nbdcopy: + - Better page cache usage, see nbdkit-file-plugin options + fadvise=sequential cache=none. + - Consider io_uring if there are performance bottlenecks. ++ - Configurable retries in response to read or write failures. + + nbdfuse: + - If you write beyond the end of the virtual file, it returns EIO. +diff --git a/copy/Makefile.am b/copy/Makefile.am +index d318388..3406cd8 100644 +--- a/copy/Makefile.am ++++ b/copy/Makefile.am +@@ -1,5 +1,5 @@ + # nbd client library in userspace +-# Copyright (C) 2020 Red Hat Inc. ++# Copyright (C) 2020-2022 Red Hat Inc. + # + # This library is free software; you can redistribute it and/or + # modify it under the terms of the GNU Lesser General Public +@@ -30,6 +30,7 @@ EXTRA_DIST = \ + copy-nbd-to-small-nbd-error.sh \ + copy-nbd-to-sparse-file.sh \ + copy-nbd-to-stdout.sh \ ++ copy-nbd-error.sh \ + copy-progress-bar.sh \ + copy-sparse.sh \ + copy-sparse-allocated.sh \ +@@ -105,6 +106,7 @@ TESTS += \ + copy-nbd-to-sparse-file.sh \ + copy-stdin-to-nbd.sh \ + copy-nbd-to-stdout.sh \ ++ copy-nbd-error.sh \ + copy-progress-bar.sh \ + copy-sparse.sh \ + copy-sparse-allocated.sh \ +diff --git a/copy/copy-nbd-error.sh b/copy/copy-nbd-error.sh +new file mode 100755 +index 0000000..bba71db +--- /dev/null ++++ b/copy/copy-nbd-error.sh +@@ -0,0 +1,81 @@ ++#!/usr/bin/env bash ++# nbd client library in userspace ++# Copyright (C) 2022 Red Hat Inc. ++# ++# This library is free software; you can redistribute it and/or ++# modify it under the terms of the GNU Lesser General Public ++# License as published by the Free Software Foundation; either ++# version 2 of the License, or (at your option) any later version. ++# ++# This library is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# Lesser General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public ++# License along with this library; if not, write to the Free Software ++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ ++# Tests several scenarios of handling NBD server errors ++# Serves as a regression test for the CVE-2022-0485 fix. ++ ++. ../tests/functions.sh ++ ++set -e ++set -x ++ ++requires nbdkit --exit-with-parent --version ++requires nbdkit --filter=noextents null --version ++requires nbdkit --filter=error pattern --version ++requires nbdkit --filter=nozero memory --version ++ ++fail=0 ++ ++# Failure to get block status should not be fatal, but merely downgrade to ++# reading the entire image as if data ++echo "Testing extents failures on source" ++$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error pattern 5M \ ++ error-extents-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] || fail=1 ++ ++# Failure to read should be fatal ++echo "Testing read failures on non-sparse source" ++$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error pattern 5M \ ++ error-pread-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] && fail=1 ++ ++# However, reliable block status on a sparse image can avoid the need to read ++echo "Testing read failures on sparse source" ++$VG nbdcopy -- [ nbdkit --exit-with-parent -v --filter=error null 5M \ ++ error-pread-rate=1 ] [ nbdkit --exit-with-parent -v null 5M ] || fail=1 ++ ++# Failure to write data should be fatal ++echo "Testing write data failures on arbitrary destination" ++$VG nbdcopy -- [ nbdkit --exit-with-parent -v pattern 5M ] \ ++ [ nbdkit --exit-with-parent -v --filter=error --filter=noextents \ ++ memory 5M error-pwrite-rate=1 ] && fail=1 ++ ++# However, writing zeroes can bypass the need for normal writes ++echo "Testing write data failures from sparse source" ++$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \ ++ [ nbdkit --exit-with-parent -v --filter=error --filter=noextents \ ++ memory 5M error-pwrite-rate=1 ] || fail=1 ++ ++# Failure to write zeroes should be fatal ++echo "Testing write zero failures on arbitrary destination" ++$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \ ++ [ nbdkit --exit-with-parent -v --filter=error memory 5M \ ++ error-trim-rate=1 error-zero-rate=1 ] && fail=1 ++ ++# However, assuming/learning destination is zero can skip need to write ++echo "Testing write failures on pre-zeroed destination" ++$VG nbdcopy --destination-is-zero -- \ ++ [ nbdkit --exit-with-parent -v null 5M ] \ ++ [ nbdkit --exit-with-parent -v --filter=error memory 5M \ ++ error-pwrite-rate=1 error-zero-rate=1 ] || fail=1 ++ ++# Likewise, when write zero is not advertised, fallback to normal write works ++echo "Testing write zeroes to destination without zero support" ++$VG nbdcopy -- [ nbdkit --exit-with-parent -v null 5M ] \ ++ [ nbdkit --exit-with-parent -v --filter=nozero --filter=error memory 5M \ ++ error-zero-rate=1 ] || fail=1 ++ ++exit $fail +diff --git a/copy/file-ops.c b/copy/file-ops.c +index cc312b4..b19af04 100644 +--- a/copy/file-ops.c ++++ b/copy/file-ops.c +@@ -162,10 +162,8 @@ file_asynch_read (struct rw *rw, + + file_synch_read (rw, slice_ptr (command->slice), + command->slice.len, command->offset); +- if (cb.callback (cb.user_data, &dummy) == -1) { +- perror (rw->name); +- exit (EXIT_FAILURE); +- } ++ /* file_synch_read called exit() on error */ ++ cb.callback (cb.user_data, &dummy); + } + + static void +@@ -177,10 +175,8 @@ file_asynch_write (struct rw *rw, + + file_synch_write (rw, slice_ptr (command->slice), + command->slice.len, command->offset); +- if (cb.callback (cb.user_data, &dummy) == -1) { +- perror (rw->name); +- exit (EXIT_FAILURE); +- } ++ /* file_synch_write called exit() on error */ ++ cb.callback (cb.user_data, &dummy); + } + + static bool +@@ -206,10 +202,7 @@ file_asynch_zero (struct rw *rw, struct command *command, + + if (!file_synch_zero (rw, command->offset, command->slice.len)) + return false; +- if (cb.callback (cb.user_data, &dummy) == -1) { +- perror (rw->name); +- exit (EXIT_FAILURE); +- } ++ cb.callback (cb.user_data, &dummy); + return true; + } + +diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c +index 2593ff7..28749ae 100644 +--- a/copy/multi-thread-copying.c ++++ b/copy/multi-thread-copying.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include + +@@ -374,6 +375,12 @@ finished_read (void *vp, int *error) + { + struct command *command = vp; + ++ if (*error) { ++ fprintf (stderr, "read at offset %" PRId64 " failed: %s\n", ++ command->offset, strerror (*error)); ++ exit (EXIT_FAILURE); ++ } ++ + if (allocated || sparse_size == 0) { + /* If sparseness detection (see below) is turned off then we write + * the whole command. +@@ -552,6 +559,12 @@ free_command (void *vp, int *error) + struct command *command = vp; + struct buffer *buffer = command->slice.buffer; + ++ if (*error) { ++ fprintf (stderr, "write at offset %" PRId64 " failed: %s\n", ++ command->offset, strerror (*error)); ++ exit (EXIT_FAILURE); ++ } ++ + if (buffer != NULL) { + if (--buffer->refs == 0) { + free (buffer->data); +diff --git a/copy/nbdcopy.h b/copy/nbdcopy.h +index 3dcc6df..9626a52 100644 +--- a/copy/nbdcopy.h ++++ b/copy/nbdcopy.h +@@ -1,5 +1,5 @@ + /* NBD client library in userspace. +- * Copyright (C) 2020 Red Hat Inc. ++ * Copyright (C) 2020-2022 Red Hat Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -134,7 +134,8 @@ struct rw_ops { + bool (*synch_zero) (struct rw *rw, uint64_t offset, uint64_t count); + + /* Asynchronous I/O operations. These start the operation and call +- * 'cb' on completion. ++ * 'cb' on completion. 'cb' will return 1, for auto-retiring with ++ * asynchronous libnbd calls. + * + * The file_ops versions are actually implemented synchronously, but + * still call 'cb'. +@@ -156,7 +157,7 @@ struct rw_ops { + nbd_completion_callback cb); + + /* Asynchronously zero. command->slice.buffer is not used. If not possible, +- * returns false. ++ * returns false. 'cb' must be called only if returning true. + */ + bool (*asynch_zero) (struct rw *rw, struct command *command, + nbd_completion_callback cb); +-- +2.31.1 + diff --git a/SOURCES/copy-patches.sh b/SOURCES/copy-patches.sh index 2ebd67d..e00af4e 100755 --- a/SOURCES/copy-patches.sh +++ b/SOURCES/copy-patches.sh @@ -6,7 +6,7 @@ set -e # directory. Use it like this: # ./copy-patches.sh -rhel_version=8.4 +rhel_version=8.6 # Check we're in the right directory. if [ ! -f libnbd.spec ]; then diff --git a/SPECS/libnbd.spec b/SPECS/libnbd.spec index bd89320..0020064 100644 --- a/SPECS/libnbd.spec +++ b/SPECS/libnbd.spec @@ -2,14 +2,14 @@ %global verify_tarball_signature 1 # If there are patches which touch autotools files, set this to 1. -%global patches_touch_autotools %{nil} +%global patches_touch_autotools 1 # The source directory. %global source_directory 1.6-stable Name: libnbd Version: 1.6.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: NBD client library in userspace License: LGPLv2+ @@ -26,7 +26,7 @@ Source2: libguestfs.keyring Source3: copy-patches.sh # Patches come from this upstream branch: -# https://github.com/libguestfs/libnbd/tree/rhel-8.4 +# https://github.com/libguestfs/libnbd/tree/rhel-8.6 # Patches. Patch0001: 0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch @@ -34,6 +34,8 @@ Patch0002: 0002-generator-Refactor-CONNECT.START-state.patch Patch0003: 0003-generator-Print-a-better-error-message-if-connect-2-.patch Patch0004: 0004-opt_go-Tolerate-unplanned-server-death.patch Patch0005: 0005-security-Document-assignment-of-CVE-2021-20286.patch +Patch0006: 0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch +Patch0007: 0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool @@ -310,6 +312,10 @@ make %{?_smp_mflags} check || { %changelog +* Mon Feb 7 2022 Richard W.M. Jones - 1.6.0-5.el8 +- Fix CVE-2022-0485: Fail nbdcopy if NBD read or write fails + resolves: rhbz#2045718 + * Thu Sep 2 2021 Danilo C. L. de Paula - 1.6.0-4.el8 - Resolves: bz#2000225 (Rebase virt:rhel module:stream based on AV-8.6)