Bug#: 116314
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2005-12-21 11:51 0000
Debian released an advisory for nbd, not sure whether we are affected.

Kurt Fitzner discovered a buffer overflow in nbd, the network block device
client and server, that could potentially allow arbitrary code on the NBD server.

------- Comment #1 From Stefan Cornelius (RETIRED) 2005-12-21 12:18:36 0000 -------
base-system please advise and provide updated ebuilds if necessary. the CVE
seems to be wrong, but maybe that helps:
http://sourceforge.net/mailarchive/forum.php?thread_id=9201144&forum_id=40388

------- Comment #2 From SpanKY 2005-12-21 20:50:13 0000 -------
2.8.2-r1 in portage with fix

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-12-21 22:30:19 0000 -------
Arches please test and mark stable.

------- Comment #4 From Simon Stelling (RETIRED) 2005-12-22 10:53:56 0000 -------
amd64 stable

------- Comment #5 From Michael Hanselmann (hansmi) (RETIRED) 2005-12-22 11:33:08 0000 -------
Stable on ppc.

------- Comment #6 From Paul Varner 2005-12-22 19:31:19 0000 -------
x86 stable

------- Comment #7 From Stefan Cornelius (RETIRED) 2005-12-22 21:01:57 0000 -------
ready for glsa

------- Comment #8 From Jason Shoemaker (RETIRED) 2005-12-23 03:43:15 0000 -------
Forwarding this from #gentoo:

Yoe: Hi! I'm the maintainer of the NBD utilities (not in Gentoo; upstream, and
in Debian). There's been a security issue with that one, and Gentoo is
preparing a GLSA.

Yoe: However, they're not doing it right; the update is preparing with 2.8.2,
but you need at least 2.8.3 to plug the hole.

Yoe: I sent mail to dercorney@gentoo.org with that information (who's declared
it "ready for GLSA"), but I'd like to avoid that you guys get it wrong. Could
anyone please add some comment to that bug?

(1) it's CVE-2005-3534 rather than 3354, and (2) you need NBD 2.8.3 to plug the
hole, rather than 2.8.2; the latter is still vulnerable.

------- Comment #9 From Stefan Cornelius (RETIRED) 2005-12-23 03:53:55 0000 -------
Thanks for the heads-up; the mail didn't make it through, I'm sorry (maybe
because the email addy was wrong?). We ship 2.8.2-r1, -r1 for revision one,
including a security patch - so in fact we should be fine here and can keep the
GLSA status. Updating CVE number.

------- Comment #10 From Thierry Carrez (RETIRED) 2005-12-23 11:33:19 0000 -------
GLSA 200512-14
