Rebase to new stable branch version 1.30.8

resolves: rhbz#2059289

- Fix multiple Coverity problems
- Fix bounds error in nbdkit-checkwrite-filter
  resolves: rhbz#2108545

0001-ssh-Allow-the-remote-file-to-be-created.patch

@@ -1,4 +1,4 @@
-From 9f9f1edb5a93574bf717e2d884a30a87b231a572 Mon Sep 17 00:00:00 2001
+From 6a2b0aac8be655524ea223e32cac0395fcc9f975 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Fri, 15 Apr 2022 12:08:37 +0100
 Subject: [PATCH] ssh: Allow the remote file to be created

0002-readahead-Rewrite-this-filter-so-it-prefetches-using.patch

@@ -1,4 +1,4 @@
-From c9c5a1455096822264df02cc157a693310144a62 Mon Sep 17 00:00:00 2001
+From ac40ae11bc9983e11185749b23e793568cb366cc Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 16 Apr 2022 18:39:13 +0100
 Subject: [PATCH] readahead: Rewrite this filter so it prefetches using .cache

0003-readahead-Fix-test.patch

@@ -1,4 +1,4 @@
-From ce5607d2bf2f895464d0cb2ba9c285c67325e7f5 Mon Sep 17 00:00:00 2001
+From b41b7d7ddf6d3fba23ac7978c8b272f2ff84265d Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Thu, 21 Apr 2022 16:14:46 +0100
 Subject: [PATCH] readahead: Fix test

0004-New-filter-luks.patch

@@ -1,4 +1,4 @@
-From f69d0db070ee3a02351c3c4ada0ab00c33bc76ef Mon Sep 17 00:00:00 2001
+From c19936170cf8b385687cf40f5a9507d87ae08267 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 30 Apr 2022 12:35:07 +0100
 Subject: [PATCH] New filter: luks
@@ -55,7 +55,7 @@ index 4d2a9796..0f5dc41d 100644
  
  * The filter should open a new connection to the plugin per background
 diff --git a/configure.ac b/configure.ac
-index 10729d8a..78af16d5 100644
+index a402921b..de85b4da 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -127,6 +127,7 @@ filters="\
@@ -76,7 +76,7 @@ index 10729d8a..78af16d5 100644
 +AS_IF([test "x$GNUTLS_LIBS" != "x"],[
      AC_MSG_CHECKING([for default TLS session priority string])
      AC_ARG_WITH([tls-priority],
-         [AS_HELP_STRING([--with-tls-priority],
+         [AS_HELP_STRING([--with-tls-priority=...],
 @@ -1383,6 +1385,7 @@ AC_CONFIG_FILES([Makefile
                   filters/ip/Makefile
                   filters/limit/Makefile
@@ -1596,10 +1596,10 @@ index f8f0e198..b95e7349 100644
  
  =head1 AUTHORS
 diff --git a/tests/Makefile.am b/tests/Makefile.am
-index b9c1137c..b041b186 100644
+index b310e8a2..c29453ba 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
-@@ -1594,6 +1594,18 @@ EXTRA_DIST += \
+@@ -1596,6 +1596,18 @@ EXTRA_DIST += \
  	test-log-script-info.sh \
  	$(NULL)
  

0005-luks-Disable-filter-with-old-GnuTLS-in-Debian-10.patch

@@ -1,4 +1,4 @@
-From cc0bc042e260334b7f5b39ea4c283c9ad9bac164 Mon Sep 17 00:00:00 2001
+From 66daae1a7daf680e06f884e9af6a14830263c932 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sun, 8 May 2022 12:13:39 +0100
 Subject: [PATCH] luks: Disable filter with old GnuTLS in Debian 10
@@ -36,7 +36,7 @@ Fixes: commit 468919dce6c5eb57503eacac0f67e5dd87c58e6c
  3 files changed, 6 insertions(+), 3 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 78af16d5..7089f937 100644
+index de85b4da..1d209f67 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -636,12 +636,15 @@ AS_IF([test "x$GNUTLS_LIBS" != "x"],[
@@ -78,10 +78,10 @@ index 30089621..622e5c3d 100644
  filter_LTLIBRARIES = nbdkit-luks-filter.la
  
 diff --git a/tests/Makefile.am b/tests/Makefile.am
-index b041b186..937d2919 100644
+index c29453ba..5585b3b7 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
-@@ -1595,7 +1595,7 @@ EXTRA_DIST += \
+@@ -1597,7 +1597,7 @@ EXTRA_DIST += \
  	$(NULL)
  
  # luks filter test.

0006-luks-Various-fixes-for-Clang.patch

@@ -1,4 +1,4 @@
-From 9961cd8018d6287af45d7691656c56d9443660cf Mon Sep 17 00:00:00 2001
+From b3c05065801c723966a3e8d93c9b84e808ff38b9 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sun, 8 May 2022 12:30:09 +0100
 Subject: [PATCH] luks: Various fixes for Clang

0007-luks-Link-with-libcompat-on-Windows.patch

@@ -1,4 +1,4 @@
-From 24963801a0a0a4eb1c33d2cfa213e0564fef889c Mon Sep 17 00:00:00 2001
+From 9416effd73a5cb2e1c929449fca88fd7152aa1be Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sun, 8 May 2022 12:38:00 +0100
 Subject: [PATCH] luks: Link with libcompat on Windows

0008-luks-Refactor-the-filter.patch

@@ -1,4 +1,4 @@
-From 22b56fee6d3ed2a5ea37f9b1ed62b9d5144e5369 Mon Sep 17 00:00:00 2001
+From e8279107801bb93303b22e1b927929ce18279dc5 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sun, 8 May 2022 16:13:13 +0100
 Subject: [PATCH] luks: Refactor the filter

0009-tests-luks-Reduce-time-taken-to-run-these-tests.patch

@@ -1,4 +1,4 @@
-From b3989481c7c605f1872ac15d42cf6a9ac738ab00 Mon Sep 17 00:00:00 2001
+From 387bd4c6fee8ab339fd04e0b841b0c67e6020c8a Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sun, 8 May 2022 18:05:45 +0100
 Subject: [PATCH] tests: luks: Reduce time taken to run these tests

0010-Add-nbdkit.parse_size-Python-function.patch

@@ -1,4 +1,4 @@
-From 509c71f425945e219ceb507f06bbac546fb26c7c Mon Sep 17 00:00:00 2001
+From 52ee1dab95436128b44c37cc495022ff90108b2e Mon Sep 17 00:00:00 2001
 From: Nikolaus Rath <Nikolaus@rath.org>
 Date: Mon, 9 May 2022 10:04:30 +0100
 Subject: [PATCH] Add nbdkit.parse_size() Python function.

0011-cache-Fix-cross-reference-nbdkit-readahead-filter.patch

@@ -1,4 +1,4 @@
-From cf7bb8134726263b8f0f1dc0478ca82cdc22dbd4 Mon Sep 17 00:00:00 2001
+From 644e0ed6333cf5fe2c1e39da157e8f1ce97267b9 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 14 May 2022 13:47:19 +0100
 Subject: [PATCH] cache: Fix cross-reference nbdkit-readahead-filter

0012-curl-Don-t-document-curl-plugin-readahead-filter.patch

@@ -1,4 +1,4 @@
-From 75a84b37dba4907b790ebb2dc56ac689ea8370e7 Mon Sep 17 00:00:00 2001
+From 4a7e5169935c8850fddcea8da79639ded907c549 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 14 May 2022 14:00:16 +0100
 Subject: [PATCH] curl: Don't document curl plugin + readahead filter

0013-New-filter-scan.patch

@@ -1,4 +1,4 @@
-From 46b2d3954011b2f0ebf5203ce549cb7e8f822b09 Mon Sep 17 00:00:00 2001
+From 8bfe6512d07caf778fd001425435b048c45513eb Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 14 May 2022 13:46:56 +0100
 Subject: [PATCH] New filter: scan
@@ -54,7 +54,7 @@ index 0f5dc41d..8600d9e4 100644
    single context into the backend shared among multiple client
    connections.  This may even allow a filter to offer a more parallel
 diff --git a/configure.ac b/configure.ac
-index 7089f937..a02d16d9 100644
+index 1d209f67..466dbd9b 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -142,6 +142,7 @@ filters="\
@@ -896,10 +896,10 @@ index ea5899dc..3991e86b 100644
  L<https://libvirt.org/drvesx.html>,
  L<https://www.vmware.com/support/developer/vddk/>,
 diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 937d2919..6a63e4e8 100644
+index 5585b3b7..799aa6c2 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
-@@ -1752,6 +1752,16 @@ test_retry_request_mirror_LDADD = \
+@@ -1754,6 +1754,16 @@ test_retry_request_mirror_LDADD = \
  	$(LIBNBD_LIBS) \
  	$(NULL)
  

0014-scan-Remove-condition-variable.patch

@@ -1,4 +1,4 @@
-From fd743f16847520207304e7f7f66839708abaffd9 Mon Sep 17 00:00:00 2001
+From 91677241184ab1aa77adadd612fa069d084863ec Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 14 May 2022 18:54:32 +0100
 Subject: [PATCH] scan: Remove condition variable

0015-scan-Small-typographical-fix-in-manual.patch

@@ -1,4 +1,4 @@
-From f5e7beb490131d5674b7c1ff8b312da3f6d5e078 Mon Sep 17 00:00:00 2001
+From c191f45530d4dd7f978803c0bfa402ca0fc950df Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 14 May 2022 19:02:48 +0100
 Subject: [PATCH] scan: Small typographical fix in manual

0016-ssh-Don-t-reference-readahead-or-scan-filters-from-t.patch

@@ -1,4 +1,4 @@
-From 1bd582bce19ed3beb27879a1bfcee247d22c7fba Mon Sep 17 00:00:00 2001
+From 651045d703804d7dafab04a0387ca92573f52467 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 14 May 2022 20:57:38 +0100
 Subject: [PATCH] ssh: Don't reference readahead or scan filters from this

0017-scan-Fix-bound-so-we-don-t-try-to-prefetch-beyond-en.patch

@@ -1,4 +1,4 @@
-From cad7357b2d4dd70bd75adbbd44aa1715bd0d090c Mon Sep 17 00:00:00 2001
+From f58d2a04338edc647e2334ff58b49508424e3f3b Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Tue, 17 May 2022 13:20:17 +0100
 Subject: [PATCH] scan: Fix bound so we don't try to prefetch beyond end of

0018-tests-Add-a-regression-test-for-LUKS-zeroing-crash.patch

@@ -1,4 +1,4 @@
-From ec7154cb4010e5c20ae8b1df8a95550bc5e42ee2 Mon Sep 17 00:00:00 2001
+From d1d2f43223bcda062d10c8e68776590956892f71 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Fri, 10 Jun 2022 22:11:44 +0100
 Subject: [PATCH] tests: Add a regression test for LUKS zeroing crash
@@ -12,10 +12,10 @@ https://listman.redhat.com/archives/libguestfs/2022-June/029188.html
  create mode 100755 tests/test-luks-copy-zero.sh
 
 diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 6a63e4e8..824232d1 100644
+index 799aa6c2..0f4b0746 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
-@@ -1599,11 +1599,13 @@ if HAVE_GNUTLS_PBKDF2
+@@ -1601,11 +1601,13 @@ if HAVE_GNUTLS_PBKDF2
  TESTS += \
  	test-luks-info.sh \
  	test-luks-copy.sh \

0019-rate-Allow-burstiness-to-be-controlled.patch

@@ -1,4 +1,4 @@
-From 7c7557d9954eb7d8fa6249af316879dada22829d Mon Sep 17 00:00:00 2001
+From c1a7c87fb9710fb29d699d1f39d0da19caf98da0 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sat, 11 Jun 2022 12:34:02 +0100
 Subject: [PATCH] rate: Allow burstiness to be controlled

0020-luks-Check-return-values-from-malloc-more-carefully.patch

@@ -0,0 +1,104 @@
+From 4e8599886ba4802fef1683811a725e7c4bc4fe72 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 12 Jul 2022 18:00:38 +0100
+Subject: [PATCH] luks: Check return values from malloc more carefully
+
+Found by Coverity:
+
+  Error: GCC_ANALYZER_WARNING (CWE-688): [#def53]
+  nbdkit-1.30.7/filters/luks/luks-encryption.c: scope_hint: In function 'calculate_iv'
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:175:5: warning[-Wanalyzer-possible-null-argument]: use of possibly-NULL 'iv' where non-null expected
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:39: included_from: Included from here.
+  /usr/include/string.h:43:14: note: argument 1 of 'memcpy' must be non-null
+  #  173|       sector32 = (uint32_t) sector; /* truncate to only lower bits */
+  #  174|       sector32 = htole32 (sector32);
+  #  175|->     memcpy (iv, &sector32, prefixlen);
+  #  176|       memset (iv + prefixlen, 0, ivlen - prefixlen);
+  #  177|       break;
+
+  Error: GCC_ANALYZER_WARNING (CWE-688): [#def54]
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:184:5: warning[-Wanalyzer-possible-null-argument]: use of possibly-NULL 'iv' where non-null expected
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:39: included_from: Included from here.
+  /usr/include/string.h:43:14: note: argument 1 of 'memcpy' must be non-null
+  #  182|         prefixlen = ivlen;
+  #  183|       sector = htole64 (sector);
+  #  184|->     memcpy (iv, &sector, prefixlen);
+  #  185|       memset (iv + prefixlen, 0, ivlen - prefixlen);
+  #  186|       break;
+
+  Error: NULL_RETURNS (CWE-476): [#def55]
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:498: returned_null: "malloc" returns "NULL" (checked 86 out of 94 times).
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:498: var_assigned: Assigning: "temp" = "NULL" return value from "malloc".
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:523: dereference: Dereferencing a pointer that might be "NULL" "temp" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
+  #  521|       gnutls_hash_deinit (hash, temp);
+  #  522|
+  #  523|->     memcpy (&block[i*digest_bytes], temp, blen);
+  #  524|     }
+  #  525|
+
+Fixes: commit 468919dce6c5eb57503eacac0f67e5dd87c58e6c
+(cherry picked from commit 00c8bbd9e321681843140f697985505de7177f34)
+---
+ filters/luks/luks-encryption.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/filters/luks/luks-encryption.c b/filters/luks/luks-encryption.c
+index 8ee0eb35..19aaf06a 100644
+--- a/filters/luks/luks-encryption.c
++++ b/filters/luks/luks-encryption.c
+@@ -495,9 +495,15 @@ af_hash (gnutls_digest_algorithm_t hash_alg, uint8_t *block, size_t len)
+   size_t digest_bytes = gnutls_hash_get_len (hash_alg);
+   size_t nr_blocks, last_block_len;
+   size_t i;
+-  CLEANUP_FREE uint8_t *temp = malloc (digest_bytes);
+   int r;
+   gnutls_hash_hd_t hash;
++  CLEANUP_FREE uint8_t *temp;
++
++  temp = malloc (digest_bytes);
++  if (!temp) {
++    nbdkit_error ("malloc: %m");
++    return -1;
++  }
+ 
+   nr_blocks = len / digest_bytes;
+   last_block_len = len % digest_bytes;
+@@ -874,9 +880,15 @@ int
+ do_decrypt (struct luks_data *h, gnutls_cipher_hd_t cipher,
+             uint64_t sector, uint8_t *buf, size_t nr_sectors)
+ {
+-  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);
+-  CLEANUP_FREE uint8_t *iv = malloc (ivlen);
+   int r;
++  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);
++  CLEANUP_FREE uint8_t *iv;
++
++  iv = malloc (ivlen);
++  if (!iv) {
++    nbdkit_error ("malloc: %m");
++    return -1;
++  }
+ 
+   while (nr_sectors) {
+     calculate_iv (h->ivgen_alg, iv, ivlen, sector);
+@@ -902,9 +914,15 @@ int
+ do_encrypt (struct luks_data *h, gnutls_cipher_hd_t cipher,
+             uint64_t sector, uint8_t *buf, size_t nr_sectors)
+ {
+-  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);
+-  CLEANUP_FREE uint8_t *iv = malloc (ivlen);
+   int r;
++  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);
++  CLEANUP_FREE uint8_t *iv;
++
++  iv = malloc (ivlen);
++  if (!iv) {
++    nbdkit_error ("malloc: %m");
++    return -1;
++  }
+ 
+   while (nr_sectors) {
+     calculate_iv (h->ivgen_alg, iv, ivlen, sector);
+-- 
+2.31.1
+

0021-luks-Avoid-potential-overflow-when-computing-key-mat.patch

@@ -0,0 +1,57 @@
+From 1d593a76796574845d7e32aaadd9f7d1ed4e7987 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 12 Jul 2022 18:07:25 +0100
+Subject: [PATCH] luks: Avoid potential overflow when computing key material
+ offset and length
+
+Found by Coverity:
+
+  Error: OVERFLOW_BEFORE_WIDEN (CWE-190): [#def58]
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:558: overflow_before_widen: Potentially overflowing expression "h->phdr.master_key_len * h->phdr.keyslot[i].stripes" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:558: remediation: To avoid overflow, cast either "h->phdr.master_key_len" or "h->phdr.keyslot[i].stripes" to type "uint64_t".
+  #  556|     uint64_t len, r;
+  #  557|
+  #  558|->   len = h->phdr.master_key_len * h->phdr.keyslot[i].stripes;
+  #  559|     r = DIV_ROUND_UP (len, LUKS_SECTOR_SIZE);
+  #  560|     r = ROUND_UP (r, LUKS_ALIGN_KEYSLOTS / LUKS_SECTOR_SIZE);
+
+  Error: OVERFLOW_BEFORE_WIDEN (CWE-190): [#def62]
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:616: overflow_before_widen: Potentially overflowing expression "ks->key_material_offset * 512U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:616: remediation: To avoid overflow, cast either "ks->key_material_offset" or "512U" to type "uint64_t".
+  #  614|
+  #  615|     /* Read master key material from plugin. */
+  #  616|->   start = ks->key_material_offset * LUKS_SECTOR_SIZE;
+  #  617|     if (next->pread (next, split_key, split_key_len, start, 0, &err) == -1) {
+  #  618|       errno = err;
+
+Fixes: commit 468919dce6c5eb57503eacac0f67e5dd87c58e6c
+(cherry picked from commit 808d88fbc7b58b7c95e05f41fec729cba92ef518)
+---
+ filters/luks/luks-encryption.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/filters/luks/luks-encryption.c b/filters/luks/luks-encryption.c
+index 19aaf06a..06435b27 100644
+--- a/filters/luks/luks-encryption.c
++++ b/filters/luks/luks-encryption.c
+@@ -561,7 +561,7 @@ key_material_length_in_sectors (struct luks_data *h, size_t i)
+ {
+   uint64_t len, r;
+ 
+-  len = h->phdr.master_key_len * h->phdr.keyslot[i].stripes;
++  len = (uint64_t) h->phdr.master_key_len * h->phdr.keyslot[i].stripes;
+   r = DIV_ROUND_UP (len, LUKS_SECTOR_SIZE);
+   r = ROUND_UP (r, LUKS_ALIGN_KEYSLOTS / LUKS_SECTOR_SIZE);
+   return r;
+@@ -619,7 +619,7 @@ try_passphrase_in_keyslot (nbdkit_next *next, struct luks_data *h,
+   }
+ 
+   /* Read master key material from plugin. */
+-  start = ks->key_material_offset * LUKS_SECTOR_SIZE;
++  start = (uint64_t) ks->key_material_offset * LUKS_SECTOR_SIZE;
+   if (next->pread (next, split_key, split_key_len, start, 0, &err) == -1) {
+     errno = err;
+     return -1;
+-- 
+2.31.1
+

0022-luks-Avoid-memory-leak-on-error-path.patch

@@ -0,0 +1,36 @@
+From ee25c1be953bf385caf23f96384a9834c1f1c250 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 12 Jul 2022 18:10:30 +0100
+Subject: [PATCH] luks: Avoid memory leak on error path
+
+Found by Coverity:
+
+  Error: CPPCHECK_WARNING (CWE-401): [#def65] [important]
+  nbdkit-1.30.7/filters/luks/luks-encryption.c:707: error[memleak]: Memory leak: h
+  #  705|     if (memcmp (h->phdr.magic, expected_magic, LUKS_MAGIC_LEN) != 0) {
+  #  706|       nbdkit_error ("this disk does not contain a LUKS header");
+  #  707|->     return NULL;
+  #  708|     }
+  #  709|     h->phdr.version = be16toh (h->phdr.version);
+
+Fixes: commit 468919dce6c5eb57503eacac0f67e5dd87c58e6c
+(cherry picked from commit a345cff137763f105f07bb8942c1bbefd0959cff)
+---
+ filters/luks/luks-encryption.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/filters/luks/luks-encryption.c b/filters/luks/luks-encryption.c
+index 06435b27..207a4e46 100644
+--- a/filters/luks/luks-encryption.c
++++ b/filters/luks/luks-encryption.c
+@@ -710,6 +710,7 @@ load_header (nbdkit_next *next, const char *passphrase)
+ 
+   if (memcmp (h->phdr.magic, expected_magic, LUKS_MAGIC_LEN) != 0) {
+     nbdkit_error ("this disk does not contain a LUKS header");
++    free (h);
+     return NULL;
+   }
+   h->phdr.version = be16toh (h->phdr.version);
+-- 
+2.31.1
+

0023-tests-Hoist-some-EXTRA_DIST-out-of-automake-conditio.patch

@@ -0,0 +1,48 @@
+From 5ccf1068703d300c8b5579b3a6ef0e409b5a713e Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 19 Jul 2022 11:56:47 +0100
+Subject: [PATCH] tests: Hoist some EXTRA_DIST out of automake conditionals
+
+We can fail to add some test files (test.tcl, test.lua) to the tarball
+if compiling with those languages disabled, which would cause knock-on
+failures when the tarball was used with the languages enabled.  We
+already fixed this for Ruby etc, this commit fixes it for Tcl and Lua.
+
+(cherry picked from commit 3b6763c82909c95431ff57c2fe9be1b98316b057)
+---
+ tests/Makefile.am | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 0f4b0746..2667be32 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1203,10 +1203,11 @@ EXTRA_DIST += \
+ 	$(NULL)
+ 
+ # Tcl plugin test.
++EXTRA_DIST += test.tcl
++
+ if HAVE_TCL
+ 
+ LIBGUESTFS_TESTS += test-tcl
+-EXTRA_DIST += test.tcl
+ 
+ test_tcl_SOURCES = test-lang-plugins.c test.h
+ test_tcl_CFLAGS = \
+@@ -1219,10 +1220,11 @@ test_tcl_LDADD = libtest.la $(LIBGUESTFS_LIBS)
+ endif HAVE_TCL
+ 
+ # Lua plugin test.
++EXTRA_DIST += test.lua
++
+ if HAVE_LUA
+ 
+ LIBGUESTFS_TESTS += test-lua
+-EXTRA_DIST += test.lua
+ 
+ test_lua_SOURCES = test-lang-plugins.c test.h
+ test_lua_CFLAGS = \
+-- 
+2.31.1
+

nbdkit.spec

@@ -52,7 +52,7 @@ ExclusiveArch:  x86_64
 %global source_directory 1.30-stable
 
 Name:           nbdkit
-Version:        1.30.7
+Version:        1.30.8
 Release:        1%{?dist}
 Summary:        NBD server
 
@@ -97,6 +97,10 @@ Patch0016:     0016-ssh-Don-t-reference-readahead-or-scan-filters-from-t.patch
 Patch0017:     0017-scan-Fix-bound-so-we-don-t-try-to-prefetch-beyond-en.patch
 Patch0018:     0018-tests-Add-a-regression-test-for-LUKS-zeroing-crash.patch
 Patch0019:     0019-rate-Allow-burstiness-to-be-controlled.patch
+Patch0020:     0020-luks-Check-return-values-from-malloc-more-carefully.patch
+Patch0021:     0021-luks-Avoid-potential-overflow-when-computing-key-mat.patch
+Patch0022:     0022-luks-Avoid-memory-leak-on-error-path.patch
+Patch0023:     0023-tests-Hoist-some-EXTRA_DIST-out-of-automake-conditio.patch
 
 # For automatic RPM Provides generation.
 # See: https://rpm-software-management.github.io/rpm/manual/dependency_generators.html
@@ -1204,8 +1208,8 @@ export LIBGUESTFS_TRACE=1
 
 
 %changelog
-* Tue Jul 12 2022 Richard W.M. Jones <rjones@redhat.com> - 1.30.7-1
-- Rebase to new stable branch version 1.30.7
+* Tue Jul 19 2022 Richard W.M. Jones <rjones@redhat.com> - 1.30.8-1
+- Rebase to new stable branch version 1.30.8
   resolves: rhbz#2059289
 - Add automatic provides generator and subpackage nbdkit-srpm-macros
   resolves: rhbz#2059291
@@ -1231,6 +1235,9 @@ export LIBGUESTFS_TRACE=1
   resolves: rhbz#1905772
 - Fix memory allocator=malloc,mlock=true
   resolves: rhbz#2044432
+- Fix multiple Coverity problems
+- Fix bounds error in nbdkit-checkwrite-filter
+  resolves: rhbz#2108545
 
 * Mon Jan 24 2022 Richard W.M. Jones <rjones@redhat.com> - 1.28.5-1
 - Rebase to new stable branch version 1.28.5

sources

@@ -1,2 +1,2 @@
-SHA512 (nbdkit-1.30.7.tar.gz) = acf48dc8f2b2d8967aca106f9c267cd8f022c54dbe07d1f32c8b5d14df33215f71029622f095fef1a442a2ab495618e81844b0b5f4a24b2be2869b3b3c990bf1
-SHA512 (nbdkit-1.30.7.tar.gz.sig) = 46f5c265240b447af7703ec8bce473e5951452c163c8f302291e3495c4c6ca5790b9382063c68613390bccf998d8c18efddda4878870af72029b854bb69e308e
+SHA512 (nbdkit-1.30.8.tar.gz) = 984e2ef921b0f339d2950cc87b9e5cfd3a6c45c107116a2ff8b5d30aa08bb9c9edbb8e16aa0a57c93b160ad411df842f1fa72f90f80fc261a0c30ec6a7d99795
+SHA512 (nbdkit-1.30.8.tar.gz.sig) = 2794da218bd052d9bed818343ae186945304a467ebd7ae75373faf471ff4fd18ed161dc1f866f17e4f190b5acc18141ff92e914ddb497a5e07065ebac3461f3b