On 06/28/22 11:24, Richard W.M. Jones wrote:
[Adding packagers to CC for visibility.]
On Tue, Jun 28, 2022 at 11:00:43AM +0200, Laszlo Ersek wrote:
> Hi,
>
> * in response to this cover letter, I'm going to post four series (one
> for each of libguestfs-common, libguestfs, guestfs-tools, virt-v2v).
> These four series implement LUKS decryption with Clevis+Tang:
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1809453
>
> * The first patch in the libguestfs-common series fixes a bug that I'd
> found while working on the feature, and ended up receiving a CVE number
> (CVE-2022-2211):
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2100862
>
> This patch is an integral part of the larger Clevis+Tang feature.
> However, it can be backported easily to stable branches that only want
> the bugfix.
>
> * Correspondingly, the first patch in the libguestfs series documents
> the new CVE (and updates the common submodule just enough to get the CVE
> fix). This patch should also be easy to backport to stable branches.
>
> A later patch in the libguestfs series updates the "common" submodule
> checkout to the end of the libguestfs-common series.
>
> * In each of the guestfs-tools and virt-v2v series, the full "common"
> submodule series is consumed right in the first patch, covering both the
> CVE fix and the new stuff needed for the Clevis feature.
The CVE fix is now upstream:
- libguestfs-common 35467027f657 ("options: fix buffer overflow in get_keys() [CVE-2022-2211]", 2022-06-29)
- libguestfs 99844660b48e ("docs/guestfs-security: document CVE-2022-2211", 2022-06-29)
- guestfs-tools b2e7de29b413 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
- virt-v2v 795d5dfcef77 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
Thanks
Laszlo