Hi team,
Thanks so much for the update, I sent to coderobe two days ago too.
Can you please add cve(a)coderobe.net, who maintains the official Arch Community libguestfs.
Happy to adopt any new naming conventions or major changes as suggested
In good faith,
Sick Codes of the Security Research Team @SickCodes <
On 06/28/22 11:24, Richard W.M. Jones wrote:
> [Adding packagers to CC for visibility.]
>
> On Tue, Jun 28, 2022 at 11:00:43AM +0200, Laszlo Ersek wrote:
>
>> Hi,
>>
>> * in response to this cover letter, I'm going to post four series (one
>> for each of libguestfs-common, libguestfs, guestfs-tools, virt-v2v).
>> These four series implement LUKS decryption with Clevis+Tang:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1809453
>>
>> * The first patch in the libguestfs-common series fixes a bug that I'd
>> found while working on the feature, and ended up receiving a CVE number
>> (CVE-2022-2211):
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=2100862
>>
>> This patch is an integral part of the larger Clevis+Tang feature.
>> However, it can be backported easily to stable branches that only want
>> the bugfix.
>>
>> * Correspondingly, the first patch in the libguestfs series documents
>> the new CVE (and updates the common submodule just enough to get the CVE
>> fix). This patch should also be easy to backport to stable branches.
>>
>> A later patch in the libguestfs series updates the "common" submodule
>> checkout to the end of the libguestfs-common series.
>>
>> * In each of the guestfs-tools and virt-v2v series, the full "common"
>> submodule series is consumed right in the first patch, covering both the
>> CVE fix and the new stuff needed for the Clevis feature.
>>
The CVE fix is now upstream:
- libguestfs-common 35467027f657 ("options: fix buffer overflow in get_keys() [CVE-2022-2211]", 2022-06-29)
- libguestfs 99844660b48e ("docs/guestfs-security: document CVE-2022-2211", 2022-06-29)
- guestfs-tools b2e7de29b413 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
- virt-v2v 795d5dfcef77 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
Thanks
Laszlo