Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
libguestfs
CVE-2022-2211-docs-guestfs-security-document.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2022-2211-docs-guestfs-security-document.patch of Package libguestfs
Subject: docs/guestfs-security: document CVE-2022-2211 From: Laszlo Ersek lersek@redhat.com Tue Jun 28 13:54:16 2022 +0200 Date: Wed Jun 29 15:29:37 2022 +0200: Git: 99844660b48ed809e37378262c65d63df6ce4a53 Short log for the common submodule, commit range f8de5508fe75..35467027f657: Laszlo Ersek (2): mlcustomize: factor out pkg install/update/uninstall from guestfs-tools options: fix buffer overflow in get_keys() [CVE-2022-2211] Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2100862 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Message-Id: <20220628115418.5376-2-lersek@redhat.com> Reviewed-by: Richard W.M. Jones <rjones@redhat.com> --- a/docs/guestfs-security.pod +++ b/docs/guestfs-security.pod @@ -406,6 +406,34 @@ The libvirt backend is not affected. The solution is to update qemu to a version containing the fix (see L<https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html>). +=head2 CVE-2022-2211 + +L<https://bugzilla.redhat.com/CVE-2022-2211> + +The C<get_keys> function in F<libguestfs-common/options/keys.c> collects +those I<--key> options from the command line into a new array that match +a particular block device that's being decrypted for inspection. The +function intends to size the result array such that potentially all +I<--key> options, plus a terminating C<NULL> element, fit into it. The +code mistakenly uses the C<MIN> macro instead of C<MAX>, and therefore +only one element is allocated before the C<NULL> terminator. + +Passing precisely two I<--key ID:...> options on the command line for +the encrypted block device C<ID> causes C<get_keys> to overwrite the +terminating C<NULL>, leading to an out-of-bounds read in +C<decrypt_mountables>, file F<libguestfs-common/options/decrypt.c>. + +Passing more than two I<--key ID:...> options on the command line for +the encrypted block device C<ID> causes C<get_keys> itself to perform +out-of-bounds writes. The most common symptom is a crash with C<SIGSEGV> +later on. + +This issue affects -- broadly speaking -- all libguestfs-based utilities +that accept I<--key>, namely: C<guestfish>, C<guestmount>, C<virt-cat>, +C<virt-customize>, C<virt-diff>, C<virt-edit>, C<virt-get-kernel>, +C<virt-inspector>, C<virt-log>, C<virt-ls>, C<virt-sparsify>, +C<virt-sysprep>, C<virt-tail>, C<virt-v2v>. + =head1 SEE ALSO L<guestfs(3)>,
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
