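--- a/SPECS/libnbd/CVE-2024-7383.patch
+++ b/SPECS/libnbd/CVE-2024-7383.patch
@@ -0,0 +1,119 @@
+From c6cc19319f39c09c4ff74b47101eb217e75d3b43 Mon Sep 17 00:00:00 2001
+From: Brian Fjeldstad <bfjelds@microsoft.com>
+Date: Mon, 19 Aug 2024 21:59:46 +0000
+Subject: [PATCH 1/3] port patch #1
+
+---
+configure.ac | 6 ++----
+lib/crypto.c | 4 ----
+2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b6e2c9f..07e417b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -150,12 +150,12 @@ AC_ARG_WITH([gnutls],
+[],
+[with_gnutls=check])
+AS_IF([test "$with_gnutls" != "no"],[
+- PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
++ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
+AC_SUBST([GNUTLS_CFLAGS])
+AC_SUBST([GNUTLS_LIBS])
+AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
+], [
+- AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
++ AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
+])
+])
+AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
+@@ -174,8 +174,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
+# Check for APIs which may not be present.
+old_LIBS="$LIBS"
+LIBS="$GNUTLS_LIBS $LIBS"
+- AC_CHECK_FUNCS([\
+- gnutls_session_set_verify_cert])
+LIBS="$old_LIBS"
+])
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 340a6a0..964a871 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -514,12 +514,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
+return NULL;
+
+found_certificates:
+-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
+if (h->hostname && h->tls_verify_peer)
+gnutls_session_set_verify_cert (session, h->hostname, 0);
+-#else
+- debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
+-#endif
+
+err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
+if (err < 0) {
+--
+2.34.1
+
+From 7ece17bfb16d437975ac40d63b0f20162601d3bf Mon Sep 17 00:00:00 2001
+From: Brian Fjeldstad <bfjelds@microsoft.com>
+Date: Mon, 19 Aug 2024 22:01:17 +0000
+Subject: [PATCH 2/3] port patch #2
+
+---
+lib/crypto.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 964a871..97884b8 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -514,9 +514,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
+return NULL;
+
+found_certificates:
+- if (h->hostname && h->tls_verify_peer)
+- gnutls_session_set_verify_cert (session, h->hostname, 0);
+-
+err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
+if (err < 0) {
+set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
+@@ -626,6 +623,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+gnutls_deinit (session);
+return NULL;
+}
++
++ if (h->hostname && h->tls_verify_peer)
++ gnutls_session_set_verify_cert (session, h->hostname, 0);
+}
+
+/* Wrap the underlying socket with GnuTLS. */
+--
+2.34.1
+
+From 811a9bc9797b539dafb4423933243950b3aae3c1 Mon Sep 17 00:00:00 2001
+From: Brian Fjeldstad <bfjelds@microsoft.com>
+Date: Mon, 19 Aug 2024 22:01:56 +0000
+Subject: [PATCH 3/3] port patch #3
+
+---
+lib/crypto.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 97884b8..c6a21d2 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -624,7 +624,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+return NULL;
+}
+
+- if (h->hostname && h->tls_verify_peer)
++ if (h->tls_verify_peer)
+gnutls_session_set_verify_cert (session, h->hostname, 0);
+}
+
+--
+2.34.1
+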
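Review bot: Patch 3/3 (the hunk at `@@ -624,7 +624,7 @@` in lib/crypto.c) drops the `h->hostname` guard, so `gnutls_session_set_verify_cert (session, h->hostname, 0);` now runs with a NULL hostname whenever `tls_verify_peer` is set and no hostname is known, and nothing in the new code records that this is deliberate, which invites a later reader to restore the guard and reopen the verification gap. If, as the GnuTLS API allows, a NULL hostname means the chain and validity are still verified and only the hostname match is skipped, say so at the call: `/* Always verify the server certificate when tls_verify_peer is set; h->hostname may be NULL, in which case GnuTLS skips only the hostname check. */`. Patch 1/3 also raises the configure.ac GnuTLS floor from 3.3.0 to 3.5.18 and removes the `HAVE_GNUTLS_SESSION_SET_VERIFY_CERT` fallback while the deleted debug message cited 3.4.6, so a line in the patch description explaining why 3.5.18 is the chosen minimum would help the next backporter. `nbd_internal_crypto_create_session` starts and ends outside the hunk.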
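--- a/SPECS/libnbd/libnbd.spec
+++ b/SPECS/libnbd/libnbd.spec
@@ -3,13 +3,16 @@
 Summary: NBD client library in userspace
 Name: libnbd
 Version: 1.12.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
 URL: https://gitlab.com/nbdkit/libnbd
 Source0: https://libguestfs.org/download/libnbd/%{source_directory}/%{name}-%{version}.tar.gz
 Patch0: CVE-2023-5215.patch
+
+Patch001: CVE-2024-7383.patch
+
 # For the core library.
 BuildRequires: gcc
 BuildRequires: make
@@ -232,6 +235,9 @@ skip_test tests/connect-tcp6
 
 
 %changelog
+* Mon Aug 19 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.12.1-4
+- Add patch to fix CVE-2024-7383
+
 * Thu Oct 19 2023 Neha Agarwal <nehaagarwal@microsoft.com> - 1.12.1-3
 - Add patch to fix CVE-2023-5215
 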
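Review bot: `Patch001: CVE-2024-7383.patch` is declared in the first hunk, but the `%prep` section is outside this section, so it is not visible here whether the patch is actually applied; if `%prep` uses explicit `%patch` lines rather than `%autosetup`, a matching `%patch001 -p1` (in whatever index form the file already uses for Patch0) is needed or the 1.12.1-4 build will ship without the fix. A quick look at the build log for the patch being applied would settle it. The release bump and changelog entry are consistent with each other.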