[Libguestfs] LUKS decryption with Clevis+Tang | CVE-2022-2211
info at sick.codes
info at sick.codes
Thu Jun 30 23:45:00 UTC 2022
Hi team,
Thanks so much for the update, I send to coderobe two days ago too.
Can you please add cve at coderobe.net who maintains the official Arch Community libguestfs package https://archlinux.org/packages/community/x86_64/libguestfs/
While I just maintain another commit on libguestfs-dev on the arch user repo https://aur.archlinux.org/packages/libguestfs-dev
Happy to adopt any new naming conventions or major changes as suggested
In good faith,
Sick Codes of the Security Research Team @SickCodes <https://twitter.com/sickcodes>
https://sick.codes
https://github.com/sickcodes
https://twitter.com/sickcodes
https://www.linkedin.com/in/sickcodes/
https://www.youtube.com/c/sickcodes
https://parler.com/profile/sickcodes/
https://hackerone.com/sickcodes
https://bugcrowd.com/sickcodes
https://hub.docker.com/r/sickcodes
Jun 29, 2022, 20:48 by lersek at redhat.com:
> On 06/28/22 11:24, Richard W.M. Jones wrote:
>
>> [Adding packagers to CC for visibility.]
>>
>> On Tue, Jun 28, 2022 at 11:00:43AM +0200, Laszlo Ersek wrote:
>>
>>> Hi,
>>>
>>> * in response to this cover letter, I'm going to post four series (one
>>> for each of libguestfs-common, libguestfs, guestfs-tools, virt-v2v).
>>> These four series implement LUKS decryption with Clevis+Tang:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1809453
>>>
>>> * The first patch in the libguestfs-common series fixes a bug that I'd
>>> found while working on the feature, and ended up receiving a CVE number
>>> (CVE-2022-2211):
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=2100862
>>>
>>> This patch is an integral part of the larger Clevis+Tang feature.
>>> However, it can be backported easily to stable branches that only want
>>> the bugfix.
>>>
>>> * Correspondingly, the first patch in the libguestfs series documents
>>> the new CVE (and updates the common submodule just enough to get the CVE
>>> fix). This patch should also be easy to backport to stable branches.
>>>
>>> A later patch in the libguestfs series updates the "common" submodule
>>> checkout to the end of the libguestfs-common series.
>>>
>>> * In each of the guestfs-tools and virt-v2v series, the full "common"
>>> submodule series is consumed right in the first patch, covering both the
>>> CVE fix and the new stuff needed for the Clevis feature.
>>>
>
> The CVE fix is now upstream:
> - libguestfs-common 35467027f657 ("options: fix buffer overflow in get_keys() [CVE-2022-2211]", 2022-06-29)
> - libguestfs 99844660b48e ("docs/guestfs-security: document CVE-2022-2211", 2022-06-29)
> - guestfs-tools b2e7de29b413 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
> - virt-v2v 795d5dfcef77 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
>
> Thanks
> Laszlo
>
More information about the Libguestfs
mailing list