|Summary:||sys-block/nbd Buffer overflow (CVE-2005-3534)|
|Product:||Gentoo Security||Reporter:||Sune Kloppenborg Jeppesen <jaervosz>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Sune Kloppenborg Jeppesen 2005-12-21 11:51:28 UTC
Debian released an advisory for nbd, not sure whether we are affected. Kurt Fitzner discovered a buffer overflow in nbd, the network block device client and server that could potentially allow arbitrary code on the NBD server.
Comment 1 Stefan Cornelius (RETIRED) 2005-12-21 12:18:36 UTC
base-system please advise and provide updated ebuilds if necessary. The CVE seems to be wrong, but maybe that helps: http://sourceforge.net/mailarchive/forum.php?thread_id=9201144&forum_id=40388
Comment 2 SpanKY 2005-12-21 20:50:13 UTC
2.8.2-r1 in portage with fix
Comment 3 Sune Kloppenborg Jeppesen 2005-12-21 22:30:19 UTC
Arches please test and mark stable.
Comment 4 Simon Stelling (RETIRED) 2005-12-22 10:53:56 UTC
Comment 5 Michael Hanselmann (hansmi) (RETIRED) 2005-12-22 11:33:08 UTC
Stable on ppc.
Comment 6 Paul Varner (RETIRED) 2005-12-22 19:31:19 UTC
Comment 7 Stefan Cornelius (RETIRED) 2005-12-22 21:01:57 UTC
ready for glsa
Comment 8 Jason Shoemaker (RETIRED) 2005-12-23 03:43:15 UTC
Forwarding this from #gentoo:
Yoe: Hi! I'm the maintainer of the NBD utilities (not in Gentoo; upstream, and in Debian). There's been a security issue with that one, and Gentoo is preparing a GLSA.
Yoe: However, they're not doing it right; the update is preparing with 2.8.2, but you need at least 2.8.3 to plug the hole.
Yoe: I sent mail to firstname.lastname@example.org with that information (who's declared it "ready for GLSA"), but I'd like to avoid that you guys get it wrong. Could anyone please add some comment to that bug? (1) it's CVE-2005-3534 rather than 3354, and (2) you need NBD 2.8.3 to plug the hole, rather than 2.8.2; the latter is still vulnerable.
Comment 9 Stefan Cornelius (RETIRED) 2005-12-23 03:53:55 UTC
Thanks for the heads-up, the mail didn't make it through, I'm sorry (maybe because email addy was wrong?). We ship 2.8.2-r1, -r1 for revision one, including a security patch - so in fact we should be fine here and can keep the GLSA status. Updating CVE number.
Comment 10 Thierry Carrez (RETIRED) 2005-12-23 11:33:19 UTC