[Libguestfs] LUKS decryption with Clevis+Tang | CVE-2022-2211

Laszlo Ersek lersek at redhat.com
Tue Jun 28 09:00:43 UTC 2022


Hi,

* in response to this cover letter, I'm going to post four series (one
for each of libguestfs-common, libguestfs, guestfs-tools, virt-v2v).
These four series implement LUKS decryption with Clevis+Tang:

https://bugzilla.redhat.com/show_bug.cgi?id=1809453

* The first patch in the libguestfs-common series fixes a bug that I'd
found while working on the feature, and ended up receiving a CVE number
(CVE-2022-2211):

https://bugzilla.redhat.com/show_bug.cgi?id=2100862

This patch is an integral part of the larger Clevis+Tang feature.
However, it can be backported easily to stable branches that only want
the bugfix.

* Correspondingly, the first patch in the libguestfs series documents
the new CVE (and updates the common submodule just enough to get the CVE
fix). This patch should also be easy to backport to stable branches.

A later patch in the libguestfs series updates the "common" submodule
checkout to the end of the libguestfs-common series.

* In each of the guestfs-tools and virt-v2v series, the full "common"
submodule series is consumed right in the first patch, covering both the
CVE fix and the new stuff needed for the Clevis feature.

Thanks,
Laszlo

