New upstream version 1.0.3.

- Contains fix for remote code execution vulnerability.
- Add new libnbd-security(3) man page.

0002-nbd_connect_tcp-Try-to-return-errno-from-underlying-.patch

@@ -0,0 +1,83 @@
+From d2d3940a65dab60a2caeaf824eaff12fcc85e1f0 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 12 Sep 2019 10:28:19 +0100
+Subject: [PATCH 2/3] nbd_connect_tcp: Try to return errno from underlying
+ connect(2) call.
+
+When we make a TCP connection we have to make multiple underlying
+connect(2) calls, once for each address returned by getaddrinfo.
+Unfortunately this meant that we lost the errno from any of these
+calls:
+
+$ nbdsh -c 'h.connect_tcp ("localhost", "nbd")'
+nbd.Error: nbd_connect_tcp: connect: localhost:nbd: could not connect to remote host
+
+This commit saves the errno from the first failed connect(2):
+
+$ ./run nbdsh -c 'h.connect_tcp ("localhost", "nbd")'
+nbd.Error: nbd_connect_tcp: connect: localhost:nbd: could not connect to remote host: Connection refused (ECONNREFUSED)
+---
+ generator/states-connect.c | 12 ++++++++++--
+ lib/internal.h             |  1 +
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/generator/states-connect.c b/generator/states-connect.c
+index 9e2e1d4..e9b3582 100644
+--- a/generator/states-connect.c
++++ b/generator/states-connect.c
+@@ -128,6 +128,8 @@ disable_nagle (int sock)
+     h->result = NULL;
+   }
+ 
++  h->connect_errno = 0;
++
+   memset (&h->hints, 0, sizeof h->hints);
+   h->hints.ai_family = AF_UNSPEC;
+   h->hints.ai_socktype = SOCK_STREAM;
+@@ -160,7 +162,8 @@ disable_nagle (int sock)
+      * Save errno from most recent connect(2) call. XXX
+      */
+     SET_NEXT_STATE (%^START);
+-    set_error (0, "connect: %s:%s: could not connect to remote host",
++    set_error (h->connect_errno,
++               "connect: %s:%s: could not connect to remote host",
+                h->hostname, h->port);
+     return -1;
+   }
+@@ -182,6 +185,8 @@ disable_nagle (int sock)
+ 
+   if (connect (fd, h->rp->ai_addr, h->rp->ai_addrlen) == -1) {
+     if (errno != EINPROGRESS) {
++      if (h->connect_errno == 0)
++        h->connect_errno = errno;
+       SET_NEXT_STATE (%NEXT_ADDRESS);
+       return 0;
+     }
+@@ -203,8 +208,11 @@ disable_nagle (int sock)
+   /* This checks the status of the original connect call. */
+   if (status == 0)
+     SET_NEXT_STATE (%^MAGIC.START);
+-  else
++  else {
++    if (h->connect_errno == 0)
++      h->connect_errno = status;
+     SET_NEXT_STATE (%NEXT_ADDRESS);
++  }
+   return 0;
+ 
+  CONNECT_TCP.NEXT_ADDRESS:
+diff --git a/lib/internal.h b/lib/internal.h
+index a48edff..ccaca32 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -188,6 +188,7 @@ struct nbd_handle {
+   char *hostname, *port;
+   struct addrinfo hints;
+   struct addrinfo *result, *rp;
++  int connect_errno;
+ 
+   /* When sending metadata contexts, this is used. */
+   size_t querynum;
+-- 
+2.23.0
+

0003-interop-Retry-TCP-connections-to-qemu-nbd.patch

@@ -0,0 +1,71 @@
+From b23b5b32250e5a03e4cc38ccf973e25e63ccc6d9 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 12 Sep 2019 10:38:48 +0100
+Subject: [PATCH 3/3] interop: Retry TCP connections to qemu-nbd.
+
+The test interop-qemu-nbd-tls-certs frequently fails on slow (32 bit)
+machines in Fedora Koji.  (Is crypto slow on these already overloaded
+machines?)
+
+As we cannot wait for a signal when qemu-nbd is ready start serving,
+we have to use a sleep.  The current sleep is 5 seconds, which is not
+long enough.  Making the sleep longer would work but is inconsiderate
+for people using faster machines.  Therefore replace this with a retry
+loop with exponential backoff.
+
+I tested this with a simple wrapper around qemu-nbd which did:
+
+  sleep 5; exec /usr/bin/qemu-nbd "$@"
+---
+ interop/interop.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/interop/interop.c b/interop/interop.c
+index 662d871..a3ab39b 100644
+--- a/interop/interop.c
++++ b/interop/interop.c
+@@ -28,6 +28,7 @@
+ #include <fcntl.h>
+ #include <time.h>
+ #include <signal.h>
++#include <errno.h>
+ #include <sys/types.h>
+ 
+ #include <libnbd.h>
+@@ -44,6 +45,7 @@ main (int argc, char *argv[])
+   int port;
+   char port_str[16];
+   pid_t pid = -1;
++  int retry;
+ #endif
+   int64_t actual_size;
+   char buf[512];
+@@ -114,14 +116,19 @@ main (int argc, char *argv[])
+   }
+ 
+   /* Unfortunately there's no good way to wait for qemu-nbd to start
+-   * serving, so ...
++   * serving, so we need to retry here.
+    */
+-  sleep (5);
+-
+-  if (nbd_connect_tcp (nbd, "localhost", port_str) == -1) {
+-    fprintf (stderr, "%s\n", nbd_get_error ());
+-    goto out;
++  for (retry = 0; retry < 5; ++retry) {
++    sleep (1 << retry);
++    if (nbd_connect_tcp (nbd, "localhost", port_str) == -1) {
++      fprintf (stderr, "%s\n", nbd_get_error ());
++      if (nbd_get_errno () != ECONNREFUSED)
++        goto out;
++    }
++    else break;
+   }
++  if (retry == 5)
++    goto out;
+ 
+ #else /* !SERVE_OVER_TCP */
+ 
+-- 
+2.23.0
+

libnbd.spec

@@ -5,10 +5,10 @@
 %global patches_touch_autotools %{nil}
 
 # The source directory.
-%global source_directory 0.x-unstable-api
+%global source_directory 1.0-stable
 
 Name:           libnbd
-Version:        1.0.0
+Version:        1.0.3
 Release:        1%{?dist}
 Summary:        NBD client library in userspace
 
@@ -22,6 +22,11 @@ Source1:        http://libguestfs.org/download/libnbd/%{source_directory}/%{name
 # https://pgp.key-server.io/pks/lookup?search=rjones%40redhat.com&fingerprint=on&op=vindex
 Source2:       libguestfs.keyring
 
+# These patches are upstream in the master branch but not in the
+# stable-1.0 branch.  They make the tests more stable.
+Patch0002:     0002-nbd_connect_tcp-Try-to-return-errno-from-underlying-.patch
+Patch0003:     0003-interop-Retry-TCP-connections-to-qemu-nbd.patch
+
 %if 0%{patches_touch_autotools}
 BuildRequires: autoconf, automake, libtool
 %endif
@@ -186,6 +191,7 @@ make %{?_smp_mflags} check || {
 %{_libdir}/libnbd.so
 %{_libdir}/pkgconfig/libnbd.pc
 %{_mandir}/man3/libnbd.3*
+%{_mandir}/man3/libnbd-security.3*
 %{_mandir}/man3/nbd_*.3*
 
 
@@ -219,6 +225,24 @@ make %{?_smp_mflags} check || {
 
 
 %changelog
+* Wed Oct  9 2019 Richard W.M. Jones <rjones@redhat.com> - 1.0.3-1
+- New upstream version 1.0.3.
+- Contains fix for remote code execution vulnerability.
+- Add new libnbd-security(3) man page.
+
+* Tue Sep 17 2019 Richard W.M. Jones <rjones@redhat.com> - 1.0.2-1
+- New upstream version 1.0.2.
+- Remove patches which are upstream.
+- Contains fix for NBD Protocol Downgrade Attack (CVE-2019-14842).
+- Fix previous commit message.
+
+* Thu Sep 12 2019 Richard W.M. Jones <rjones@redhat.com> - 1.0.1-2
+- Add upstream patch to fix nbdsh (for nbdkit tests).
+- Fix interop tests on slow machines.
+
+* Sun Sep 08 2019 Richard W.M. Jones <rjones@redhat.com> - 1.0.1-1
+- New stable version 1.0.1.
+
 * Wed Aug 28 2019 Richard W.M. Jones <rjones@redhat.com> - 1.0.0-1
 - New upstream version 1.0.0.
 

sources

@@ -1,2 +1,2 @@
-SHA512 (libnbd-1.0.0.tar.gz) = 9d9a60d172b9a0dff0d882db72be7243b6fccceb76d240bc385a55ea2358e317a6792288d443ee068d6c894dc0d80f1a900c8ac7f681babcde98c1b7caf9e61a
-SHA512 (libnbd-1.0.0.tar.gz.sig) = 982f723233951bac6f24b0c3a9a2a60379ff1a35bb37058259164666a4e9511634653c2c8f5bed32fc8d4c23083144a9ed73cae159e948e66f52a43734246f8d
+SHA512 (libnbd-1.0.3.tar.gz) = 47980c6b323046e983ee3c717b832e7cf29ba89e7c2f001a27ecb17ed55a2259ece78d71d661ddec3af45d316a198d80f253d13a265f60ae5a28c30ef84477a1
+SHA512 (libnbd-1.0.3.tar.gz.sig) = 07637d69abea513dfb03982776292a5e8cf5bc2962a3dd6ed36f9ed32e58d52795fa4eb3ba7ca7eee916a7271dba37bb3c2ee57f04a585070e0ba986da3f5cfc