A buffer overflow was found in get_keys()

When calculating the greatest possible number of matching keys in get_keys(), the current expression

  MIN (1, ks->nr_keys)

is wrong -- it will return at most 1. If all "nr_keys" keys match however, then we require "nr_keys" non-NULL entries in the result array; in other words, we need

  MAX (1, ks->nr_keys)

(The comment just above the expression is correct; the code is wrong.)

This buffer overflow is easiest to trigger in those guestfs tools that parse the "--key" option in C; that is, with "OPTION_key". For example, the command

  $ virt-cat $(seq -f '--key /dev/sda2:key:%g' 200) -d DOMAIN /no-such-file

which passes 200 (different) passphrases for the LUKS-encrypted block device "/dev/sda2", crashes with a SIGSEGV.
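To make the sizing error concrete, the following is an added illustrative reconstruction in C. It is not libguestfs code: the struct layout, the function names (get_keys_for_device, count_keys_for_sda2) and the sample key store are assumptions made for this example. It computes the result-array bound both with the MIN expression from the report and with the intended MAX expression, and places a bounds check at the write site so that a wrong bound aborts cleanly instead of overflowing the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative reconstruction, NOT libguestfs code. It models a key store
 * filled from repeated "--key DEVICE:key:PASSPHRASE" options; the struct and
 * function names are assumptions made for this example. */
struct key_entry {
  const char *device;       /* block device the passphrase is meant for */
  const char *passphrase;
};

struct key_store {
  const struct key_entry *keys;
  size_t nr_keys;
};

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* The flawed bound quoted in the report: never more than one slot, so the
 * second matching key is written past the end of the result array. */
size_t buggy_max_matches(const struct key_store *ks)
{
  return MIN(1, ks->nr_keys);
}

/* The intended bound: every key might match, and there is always at least
 * one slot even for an empty store. */
size_t fixed_max_matches(const struct key_store *ks)
{
  return MAX(1, ks->nr_keys);
}

/* Return a NULL-terminated array of the passphrases registered for DEVICE
 * (pointers into the store, so the caller frees only the array itself).
 * The array is sized from fixed_max_matches(); the check before each store
 * turns any future sizing mistake into a clean abort instead of a heap
 * overflow. */
const char **get_keys_for_device(const struct key_store *ks, const char *device,
                                 size_t *nr_matches)
{
  size_t capacity = fixed_max_matches(ks) + 1;   /* +1 for the terminator */
  const char **ret = calloc(capacity, sizeof *ret);
  size_t n = 0;

  if (ret == NULL) abort();
  for (size_t i = 0; i < ks->nr_keys; ++i) {
    if (strcmp(ks->keys[i].device, device) != 0)
      continue;
    if (n + 1 >= capacity) {   /* no room for this entry plus the terminator */
      fprintf(stderr, "get_keys_for_device: result array too small\n");
      abort();
    }
    ret[n++] = ks->keys[i].passphrase;
  }
  ret[n] = NULL;
  if (nr_matches != NULL) *nr_matches = n;
  return ret;
}

/* Constructed sample shaped like the reproducer: N distinct passphrases all
 * registered for "/dev/sda2", plus one key for another device that must be
 * filtered out. Returns how many passphrases get_keys_for_device() found. */
size_t count_keys_for_sda2(size_t n)
{
  struct key_entry *entries = malloc((n + 1) * sizeof *entries);
  char (*buf)[24] = malloc((n + 1) * sizeof *buf);
  struct key_store ks = { entries, n + 1 };
  const char **keys;
  size_t matches = 0;

  if (entries == NULL || buf == NULL) abort();
  for (size_t i = 0; i < n; ++i) {
    snprintf(buf[i], sizeof buf[i], "passphrase-%zu", i + 1);  /* constructed */
    entries[i].device = "/dev/sda2";
    entries[i].passphrase = buf[i];
  }
  entries[n].device = "/dev/sdb1";    /* constructed key for another device */
  entries[n].passphrase = "other";

  keys = get_keys_for_device(&ks, "/dev/sda2", &matches);
  if (keys[matches] != NULL) abort();  /* terminator sits right after the data */
  free(keys);
  free(buf);
  free(entries);
  return matches;
}

int main(void)
{
  struct key_store probe = { NULL, 200 };   /* 200 keys, as in the reproducer */
  printf("bound with MIN: %zu, with MAX: %zu\n",
         buggy_max_matches(&probe), fixed_max_matches(&probe));
  printf("keys collected for /dev/sda2: %zu\n", count_keys_for_sda2(200));
  return 0;
}
```

With 200 keys for the same device, buggy_max_matches() yields a capacity of one slot while 200 entries are stored; fixed_max_matches() yields 200. The explicit capacity check is the piece a reviewer would want next to any "maximum possible matches" computation, since a comment stating the correct bound does not protect the write.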
Created libguestfs tracking bugs for this issue:

Affects: fedora-all [bug 2101279]
We also need bugs against:

  virt-v2v in RHEL 9.1
  virt-v2v in RHEL 8.7
  guestfs-tools in RHEL 9.1

Don't bother with bugs against z-stream or EUS, I'm not going to go through that process for a low severity bug.
[Libguestfs] LUKS decryption with Clevis+Tang | CVE-2022-2211
Message-Id: <e5f2b088-7aef-c3bc-b660-d11dd0f55f1d>
https://listman.redhat.com/archives/libguestfs/2022-June/029274.html

[libguestfs-common PATCH 00/12] LUKS decryption with Clevis+Tang | CVE-2022-2211
Message-Id: <20220628114915.5030-1-lersek>
https://listman.redhat.com/archives/libguestfs/2022-June/029277.html

[libguestfs PATCH 0/3] LUKS decryption with Clevis+Tang | CVE-2022-2211
Message-Id: <20220628115418.5376-1-lersek>
https://listman.redhat.com/archives/libguestfs/2022-June/029290.html
(In reply to Laszlo Ersek from comment #6)

> [libguestfs-common PATCH 00/12] LUKS decryption with Clevis+Tang | CVE-2022-2211
> Message-Id: <20220628114915.5030-1-lersek>
> https://listman.redhat.com/archives/libguestfs/2022-June/029277.html

The CVE fix (the first patch in this series) has been pushed upstream: commit 35467027f657.

> [libguestfs PATCH 0/3] LUKS decryption with Clevis+Tang | CVE-2022-2211
> Message-Id: <20220628115418.5376-1-lersek>
> https://listman.redhat.com/archives/libguestfs/2022-June/029290.html

The documentation of the CVE (the first patch in this series) has been pushed upstream: commit 99844660b48e.
Additional commits:

- guestfs-tools: b2e7de29b413 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
- virt-v2v: 795d5dfcef77 ("update common submodule for CVE-2022-2211 fix", 2022-06-29)
Setting needinfo again, see comment 5.
I'm sorry, I only meant to clear the needinfo flag from myself, from comment 3.
done
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7472 https://access.redhat.com/errata/RHSA-2022:7472
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7958 https://access.redhat.com/errata/RHSA-2022:7958
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7959 https://access.redhat.com/errata/RHSA-2022:7959
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7968 https://access.redhat.com/errata/RHSA-2022:7968
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2211