Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 116314

Summary: sys-block/nbd Buffer overflow (CVE-2005-3534)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: kutsuya
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.debian.org/security/2005/dsa-924
Whiteboard: C1? [glsa]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-12-21 11:51:28 UTC
Debian released an advisory for nbd, not sure wether we are affected.

Kurt Fitzner discovered a buffer overflow in nbd, the network block device client and server that could potentially allow arbitrary cod on the NBD server.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-21 12:18:36 UTC
base-system please advise and provide updated ebuilds if necessary. the CVE seems to be wrong, but maybe that helps: http://sourceforge.net/mailarchive/forum.php?thread_id=9201144&forum_id=40388
Comment 2 SpanKY gentoo-dev 2005-12-21 20:50:13 UTC
2.8.2-r1 in portage with fix
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-21 22:30:19 UTC
Arches please test and mark stable.
Comment 4 Simon Stelling (RETIRED) gentoo-dev 2005-12-22 10:53:56 UTC
amd64 stable
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-22 11:33:08 UTC
Stable on ppc.
Comment 6 Paul Varner (RETIRED) gentoo-dev 2005-12-22 19:31:19 UTC
x86 stable
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-22 21:01:57 UTC
ready for glsa
Comment 8 Jason Shoemaker (RETIRED) gentoo-dev 2005-12-23 03:43:15 UTC
Forwarding this from #gentoo:

Yoe: Hi! I'm the maintainer of the NBD utilities (not in Gentoo; upstream, and in Debian). There's been a security issue with that one, and Gentoo is preparing a GLSA.

Yoe: However, they're not doing it right; the update is preparing with 2.8.2, but you need at least 2.8.3 to plug the hole.

Yoe: I sent mail to dercorney@gentoo.org with that information (who's declared it "ready for GLSA"), but I'd like to avoid that you guys get it wrong. Could anyone please add some comment to that bug?

(1) it's CVE-2005-3534 rather than 3354, and (2) you need NBD 2.8.3 to plug the hole, rather than 2.8.2; the latter is still vulnerable.

Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-23 03:53:55 UTC
Thanks for the headsup, the mail didn't make it through, i'm sorry (maybe because email addy was wrong?). We ship 2.8.2-r1, -r1 for revision one, including a security patch - so in fact we should be fine here and can keep the GLSA status. Updating CVE number.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-12-23 11:33:19 UTC
GLSA 200512-14