Include followup patch related to CVE-2021-3716.
This commit is contained in:
Eric Blake
parent
03411c4a44
commit
034cff3866
38
0001-server-reset-meta-context-replies-on-starttls.patch
Normal file
38
0001-server-reset-meta-context-replies-on-starttls.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 6c5faac6a37077cf2366388a80862bb00616d0d8 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Mon, 16 Aug 2021 13:43:29 -0500
|
||||
Subject: [nbdkit PATCH] server: reset meta context replies on starttls
|
||||
|
||||
Related to CVE-2021-3716, but not as severe. No compliant client will
|
||||
send NBD_CMD_BLOCK_STATUS unless it first negotiates
|
||||
NBD_OPT_SET_META_CONTEXT. If an attacker injects a premature
|
||||
SET_META_CONTEXT, either the client will never notice (because it
|
||||
never uses BLOCK_STATUS), or the client will overwrite the attacker's
|
||||
attempt with the client's own SET_META_CONTEXT request after
|
||||
encryption is enabled. So I don't class this as having the potential
|
||||
to trigger denial-of-service due to any protocol mismatch between
|
||||
compliant client and server (I don't care what happens with
|
||||
non-compliant clients).
|
||||
|
||||
Fixes: 26455d45 (server: protocol: Implement Block Status "base:allocation".)
|
||||
---
|
||||
server/protocol-handshake-newstyle.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
|
||||
index 7e6b7b1b..79b2c8ce 100644
|
||||
--- a/server/protocol-handshake-newstyle.c
|
||||
+++ b/server/protocol-handshake-newstyle.c
|
||||
@@ -497,6 +497,9 @@ negotiate_handshake_newstyle_options (void)
|
||||
debug ("using TLS on this connection");
|
||||
/* Wipe out any cached state. */
|
||||
conn->structured_replies = false;
|
||||
+ free (conn->exportname_from_set_meta_context);
|
||||
+ conn->exportname_from_set_meta_context = NULL;
|
||||
+ conn->meta_context_base_allocation = false;
|
||||
for_each_backend (b) {
|
||||
free (conn->default_exportname[b->i]);
|
||||
conn->default_exportname[b->i] = NULL;
|
||||
--
|
||||
2.31.1
|
||||
|
||||
@ -51,7 +51,7 @@ ExclusiveArch: x86_64
|
||||
|
||||
Name: nbdkit
|
||||
Version: 1.27.7
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: NBD server
|
||||
|
||||
License: BSD
|
||||
@ -72,6 +72,9 @@ Source2: libguestfs.keyring
|
||||
# Maintainer script which helps with handling patches.
|
||||
Source3: copy-patches.sh
|
||||
|
||||
# Fix SET_META_CONTEXT leaking state across STARTTLS
|
||||
Patch1: 0001-server-reset-meta-context-replies-on-starttls.patch
|
||||
|
||||
BuildRequires: make
|
||||
%if 0%{patches_touch_autotools}
|
||||
BuildRequires: autoconf, automake, libtool
|
||||
@ -1241,6 +1244,9 @@ export LIBGUESTFS_TRACE=1
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Aug 19 2021 Eric Blake <eblake@redhat.com> - 1.27.7-2
|
||||
- Include followup patch related to CVE-2021-3716.
|
||||
|
||||
* Thu Aug 19 2021 Eric Blake <eblake@redhat.com> - 1.27.7-1
|
||||
- New upstream development version 1.27.7; addresses CVE-2021-3716.
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user