diff --git a/0001-server-reset-meta-context-replies-on-starttls.patch b/0001-server-reset-meta-context-replies-on-starttls.patch
new file mode 100644
index 0000000..47ab2a6
--- /dev/null
+++ b/0001-server-reset-meta-context-replies-on-starttls.patch
@@ -0,0 +1,38 @@
+From 6c5faac6a37077cf2366388a80862bb00616d0d8 Mon Sep 17 00:00:00 2001
+From: Eric Blake
+Date: Mon, 16 Aug 2021 13:43:29 -0500
+Subject: [nbdkit PATCH] server: reset meta context replies on starttls
+
+Related to CVE-2021-3716, but not as severe. No compliant client will
+send NBD_CMD_BLOCK_STATUS unless it first negotiates
+NBD_OPT_SET_META_CONTEXT. If an attacker injects a premature
+SET_META_CONTEXT, either the client will never notice (because it
+never uses BLOCK_STATUS), or the client will overwrite the attacker's
+attempt with the client's own SET_META_CONTEXT request after
+encryption is enabled. So I don't class this as having the potential
+to trigger denial-of-service due to any protocol mismatch between
+compliant client and server (I don't care what happens with
+non-compliant clients).
+
+Fixes: 26455d45 (server: protocol: Implement Block Status "base:allocation".)
+---
+ server/protocol-handshake-newstyle.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
+index 7e6b7b1b..79b2c8ce 100644
+--- a/server/protocol-handshake-newstyle.c
++++ b/server/protocol-handshake-newstyle.c
+@@ -497,6 +497,9 @@ negotiate_handshake_newstyle_options (void)
+ debug ("using TLS on this connection");
+ /* Wipe out any cached state. */
+ conn->structured_replies = false;
++ free (conn->exportname_from_set_meta_context);
++ conn->exportname_from_set_meta_context = NULL;
++ conn->meta_context_base_allocation = false;
+ for_each_backend (b) {
+ free (conn->default_exportname[b->i]);
+ conn->default_exportname[b->i] = NULL;
+--
+2.31.1
+
diff --git a/nbdkit.spec b/nbdkit.spec
index 78bcd55..73e3cbb 100644
--- a/nbdkit.spec
+++ b/nbdkit.spec
@@ -51,7 +51,7 @@ ExclusiveArch: x86_64
 Name: nbdkit
 Version: 1.27.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: NBD server
 License: BSD
@@ -72,6 +72,9 @@ Source2: libguestfs.keyring
 # Maintainer script which helps with handling patches.
 Source3: copy-patches.sh
+# Fix SET_META_CONTEXT leaking state across STARTTLS
+Patch1: 0001-server-reset-meta-context-replies-on-starttls.patch
+
 BuildRequires: make
 %if 0%{patches_touch_autotools}
 BuildRequires: autoconf, automake, libtool
@@ -1241,6 +1244,9 @@ export LIBGUESTFS_TRACE=1
 %changelog
+* Thu Aug 19 2021 Eric Blake - 1.27.7-2
+- Include followup patch related to CVE-2021-3716.
+
 * Thu Aug 19 2021 Eric Blake - 1.27.7-1
 - New upstream development version 1.27.7; addresses CVE-2021-3716.
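Review bot: `Patch1: 0001-server-reset-meta-context-replies-on-starttls.patch` is declared in the second hunk, but nothing in this diff applies it; the %prep section is outside the hunk, so if it uses explicit `%patch` lines rather than `%autosetup`/`%autopatch`, a matching `%patch1 -p1` must be added or the CVE-related follow-up is shipped in the SRPM but never built into the binary. The `%if 0%{patches_touch_autotools}` conditional and the `copy-patches.sh` maintainer script visible in the same hunk suggest the spec already has patch-handling machinery, so this may well be covered — worth confirming with `rpmbuild -bp` or the build log before release. The comment could also say what the patch relates to so the next packager can judge when it may be dropped, e.g. `# Fix SET_META_CONTEXT state leaking across STARTTLS (followup to CVE-2021-3716, upstream 6c5faac6)`.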