[AUTO-CHERRYPICK] libnbd: cve-2024-7383 (mariner 2.0) - branch main (#10343)

Co-authored-by: bfjelds <bfjelds@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/libnbd/CVE-2024-7383.patch

@@ -0,0 +1,119 @@
+From c6cc19319f39c09c4ff74b47101eb217e75d3b43 Mon Sep 17 00:00:00 2001
+From: Brian Fjeldstad <bfjelds@microsoft.com>
+Date: Mon, 19 Aug 2024 21:59:46 +0000
+Subject: [PATCH 1/3] port patch #1
+
+---
+ configure.ac | 6 ++----
+ lib/crypto.c | 4 ----
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b6e2c9f..07e417b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -150,12 +150,12 @@ AC_ARG_WITH([gnutls],
+     [],
+     [with_gnutls=check])
+ AS_IF([test "$with_gnutls" != "no"],[
+-    PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
++    PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
+         AC_SUBST([GNUTLS_CFLAGS])
+         AC_SUBST([GNUTLS_LIBS])
+         AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
+     ], [
+-        AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
++        AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
+     ])
+ ])
+ AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
+@@ -174,8 +174,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
+     # Check for APIs which may not be present.
+     old_LIBS="$LIBS"
+     LIBS="$GNUTLS_LIBS $LIBS"
+-    AC_CHECK_FUNCS([\
+-        gnutls_session_set_verify_cert])
+     LIBS="$old_LIBS"
+ ])
+ 
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 340a6a0..964a871 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -514,12 +514,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
+   return NULL;
+ 
+  found_certificates:
+-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
+   if (h->hostname && h->tls_verify_peer)
+     gnutls_session_set_verify_cert (session, h->hostname, 0);
+-#else
+-  debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
+-#endif
+ 
+   err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
+   if (err < 0) {
+-- 
+2.34.1
+
+From 7ece17bfb16d437975ac40d63b0f20162601d3bf Mon Sep 17 00:00:00 2001
+From: Brian Fjeldstad <bfjelds@microsoft.com>
+Date: Mon, 19 Aug 2024 22:01:17 +0000
+Subject: [PATCH 2/3] port patch #2
+
+---
+ lib/crypto.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 964a871..97884b8 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -514,9 +514,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
+   return NULL;
+ 
+  found_certificates:
+-  if (h->hostname && h->tls_verify_peer)
+-    gnutls_session_set_verify_cert (session, h->hostname, 0);
+-
+   err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
+   if (err < 0) {
+     set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
+@@ -626,6 +623,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+       gnutls_deinit (session);
+       return NULL;
+     }
++
++    if (h->hostname && h->tls_verify_peer)
++      gnutls_session_set_verify_cert (session, h->hostname, 0);
+   }
+ 
+   /* Wrap the underlying socket with GnuTLS. */
+-- 
+2.34.1
+
+From 811a9bc9797b539dafb4423933243950b3aae3c1 Mon Sep 17 00:00:00 2001
+From: Brian Fjeldstad <bfjelds@microsoft.com>
+Date: Mon, 19 Aug 2024 22:01:56 +0000
+Subject: [PATCH 3/3] port patch #3
+
+---
+ lib/crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 97884b8..c6a21d2 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -624,7 +624,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+       return NULL;
+     }
+ 
+-    if (h->hostname && h->tls_verify_peer)
++    if (h->tls_verify_peer)
+       gnutls_session_set_verify_cert (session, h->hostname, 0);
+   }
+ 
+-- 
+2.34.1
+

SPECS/libnbd/libnbd.spec

@@ -3,13 +3,16 @@
 Summary:        NBD client library in userspace
 Name:           libnbd
 Version:        1.12.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://gitlab.com/nbdkit/libnbd
 Source0:        https://libguestfs.org/download/libnbd/%{source_directory}/%{name}-%{version}.tar.gz
 Patch0:         CVE-2023-5215.patch
+
+Patch001:       CVE-2024-7383.patch
+
 # For the core library.
 BuildRequires:  gcc
 BuildRequires:  make
@@ -232,6 +235,9 @@ skip_test tests/connect-tcp6
 
 
 %changelog
+* Mon Aug 19 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.12.1-4
+- Add patch to fix CVE-2024-7383
+
 * Thu Oct 19 2023 Neha Agarwal <nehaagarwal@microsoft.com> - 1.12.1-3
 - Add patch to fix CVE-2023-5215