Richard W.M. Jones
2022-Jun-28 09:24 UTC
[Libguestfs] LUKS decryption with Clevis+Tang | CVE-2022-2211
[Adding packagers to CC for visibility.]

On Tue, Jun 28, 2022 at 11:00:43AM +0200, Laszlo Ersek wrote:
> Hi,
>
> * in response to this cover letter, I'm going to post four series (one
> for each of libguestfs-common, libguestfs, guestfs-tools, virt-v2v).
> These four series implement LUKS decryption with Clevis+Tang:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1809453
>
> * The first patch in the libguestfs-common series fixes a bug that I'd
> found while working on the feature, and ended up receiving a CVE number
> (CVE-2022-2211):
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2100862
>
> This patch is an integral part of the larger Clevis+Tang feature.
> However, it can be backported easily to stable branches that only want
> the bugfix.
>
> * Correspondingly, the first patch in the libguestfs series documents
> the new CVE (and updates the common submodule just enough to get the CVE
> fix). This patch should also be easy to backport to stable branches.
>
> A later patch in the libguestfs series updates the "common" submodule
> checkout to the end of the libguestfs-common series.
>
> * In each of the guestfs-tools and virt-v2v series, the full "common"
> submodule series is consumed right in the first patch, covering both the
> CVE fix and the new stuff needed for the Clevis feature.
>
> Thanks,
> Laszlo

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit

Laszlo Ersek
2022-Jun-29 13:48 UTC
[Libguestfs] LUKS decryption with Clevis+Tang | CVE-2022-2211
On 06/28/22 11:24, Richard W.M. Jones wrote:
> [Adding packagers to CC for visibility.]
>
> On Tue, Jun 28, 2022 at 11:00:43AM +0200, Laszlo Ersek wrote:
>> Hi,
>>
>> * in response to this cover letter, I'm going to post four series (one
>> for each of libguestfs-common, libguestfs, guestfs-tools, virt-v2v).
>> These four series implement LUKS decryption with Clevis+Tang:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1809453
>>
>> * The first patch in the libguestfs-common series fixes a bug that I'd
>> found while working on the feature, and ended up receiving a CVE number
>> (CVE-2022-2211):
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=2100862
>>
>> This patch is an integral part of the larger Clevis+Tang feature.
>> However, it can be backported easily to stable branches that only want
>> the bugfix.
>>
>> * Correspondingly, the first patch in the libguestfs series documents
>> the new CVE (and updates the common submodule just enough to get the CVE
>> fix). This patch should also be easy to backport to stable branches.
>>
>> A later patch in the libguestfs series updates the "common" submodule
>> checkout to the end of the libguestfs-common series.
>>
>> * In each of the guestfs-tools and virt-v2v series, the full "common"
>> submodule series is consumed right in the first patch, covering both the
>> CVE fix and the new stuff needed for the Clevis feature.

The CVE fix is now upstream:

- libguestfs-common 35467027f657 ("options: fix buffer overflow in get_keys() [CVE-2022-2211]", 2022-06-29)
- libguestfs 99844660b48e ("docs/guestfs-security: document CVE-2022-2211", 2022-06-29)
- guestfs-tools b2e7de29b413 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
- virt-v2v 795d5dfcef77 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)

Thanks
Laszlo