[Libguestfs] [libguestfs PATCH 1/3] docs/guestfs-security: document CVE-2022-2211

Laszlo Ersek lersek at redhat.com
Wed Jun 29 13:34:30 UTC 2022 

On 06/28/22 16:51, Richard W.M. Jones wrote:
> On Tue, Jun 28, 2022 at 01:54:16PM +0200, Laszlo Ersek wrote:
>> Short log for the common submodule, commit range
>> f8de5508fe75..35b49ce142fb:
>>
>> Laszlo Ersek (2):
>>       mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
>>       options: fix buffer overflow in get_keys() [CVE-2022-2211]
>>
>> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
>> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
>> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
>> ---
>>
>> Notes:
>>     "Commit 35b49ce142fb" needs to updated here, in both the submodule
>>     checkout and the commit message, once the libguestfs-common series is
>>     merged.
>>
>>  common                    |  2 +-
>>  docs/guestfs-security.pod | 28 ++++++++++++++++++++
>>  2 files changed, 29 insertions(+), 1 deletion(-)
>>
>> diff --git a/common b/common
>> index f8de5508fe75..35b49ce142fb 160000
>> --- a/common
>> +++ b/common
>> @@ -1 +1 @@
>> -Subproject commit f8de5508fe755acca99c9ab40c501d6c3e2bcb1e
>> +Subproject commit 35b49ce142fb906bcf91edc6a6718d28c8fca9e3
>> diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
>> index 9ceef5623370..efa35b29d301 100644
>> --- a/docs/guestfs-security.pod
>> +++ b/docs/guestfs-security.pod
>> @@ -404,10 +404,38 @@ S<C<guestfs_set_network (g, 1)>> (which is not the default).
>>  The libvirt backend is not affected.
>>  
>>  The solution is to update qemu to a version containing the fix (see
>>  L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>).
>>  
>> +=head2 CVE-2022-2211
>> +
>> +L<https://bugzilla.redhat.com/CVE-2022-2211>
>> +
>> +The C<get_keys> function in F<libguestfs-common/options/keys.c> collects
>> +those I<--key> options from the command line into a new array that match
>> +a particular block device that's being decrypted for inspection. The
>> +function intends to size the result array such that potentially all
>> +I<--key> options, plus a terminating C<NULL> element, fit into it. The
>> +code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore
>> +only one element is allocated before the C<NULL> terminator.
>> +
>> +Passing precisely two I<--key ID:...> options on the command line for
>> +the encrypted block device C<ID> causes C<get_keys> to overwrite the
>> +terminating C<NULL>, leading to an out-of-bounds read in
>> +C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>.
>> +
>> +Passing more than two I<--key ID:...> options on the command line for
>> +the encrypted block device C<ID> causes C<get_keys> itself to perform
>> +out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV>
>> +later on.
>> +
>> +This issue affects -- broadly speaking -- all libguestfs-based utilities
>> +that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>,
>> +C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>,
>> +C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>,
>> +C<virt-sysprep>, C<virt-tail>, C<virt-v2v>.
>> +
>>  =head1 SEE ALSO
> 
> Reviewed-by: Richard W.M. Jones <rjones at redhat.com>
> 

I've pushed this one, as commit 99844660b48e:

1:  941dab339f0f ! 1:  99844660b48e docs/guestfs-security: document CVE-2022-2211
    @@ -3,7 +3,7 @@
         docs/guestfs-security: document CVE-2022-2211
     
         Short log for the common submodule, commit range
    -    f8de5508fe75..35b49ce142fb:
    +    f8de5508fe75..35467027f657:
     
         Laszlo Ersek (2):
               mlcustomize: factor out pkg install/update/uninstall from guestfs-tools
    @@ -12,16 +12,15 @@
         Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
         Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
         Signed-off-by: Laszlo Ersek <lersek at redhat.com>
    -    "Commit 35b49ce142fb" needs to updated here, in both the submodule
    -    checkout and the commit message, once the libguestfs-common series is
    -    merged.
    +    Message-Id: <20220628115418.5376-2-lersek at redhat.com>
    +    Reviewed-by: Richard W.M. Jones <rjones at redhat.com>
     
     diff --git a/common b/common
     --- a/common
     +++ b/common
     @@
     -Subproject commit f8de5508fe755acca99c9ab40c501d6c3e2bcb1e
    -+Subproject commit 35b49ce142fb906bcf91edc6a6718d28c8fca9e3
    ++Subproject commit 35467027f657de76aca34b48a6f23e9608b23a57
     
     diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
     --- a/docs/guestfs-security.pod

Thanks
Laszlo

More information about the Libguestfs mailing list