
Bug 915353 (CVE-2023-5215)

Summary: <sys-libs/libnbd-1.18.1: nbd_get_size API weakness
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Resolution: ---
Severity: minor
CC: arsen, pacho
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [stable]
Package list:
Runtime testing required: ---
Bug Depends on: 923169
Bug Blocks:

Description: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2023-10-08 05:08:35 UTC
See https://listman.redhat.com/archives/libguestfs/2023-September/032711.html.

"""
Lifecycle
---------

Reported: 2023-09-17  Fixed: 2023-09-22  Published: 2023-09-26

At the time of this email, the Red Hat security team is analyzing
potential security impacts to determine if a CVE is warranted against
libnbd; if one is assigned, a followup email will announce that
identifier.  However, even if a CVE is not assigned to libnbd, the
issues documented here warrant an audit of clients that utilize the
nbd_get_size() API from libnbd, to see if they might be subject to a
weakness when interpreting a large size as a negative value.  The
libnbd developers felt it more important to issue this security notice
prior to the release of v1.18 than to hold up the release schedule
waiting for final analysis on whether libnbd needs a CVE.
"""

(A CVE was later assigned as CVE-2023-5215).

Please bump to 1.16.5/1.18.0.
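
The audit the quoted notice asks for comes down to one question: does the client treat every negative return from nbd_get_size() as an error, or only the documented -1? The following is an added illustration, not code from the bug report, from libnbd or from Gentoo. It assumes only what the notice states, that nbd_get_size() returns the export size as a signed int64_t and uses -1 for failure, and it stands in for the library call with a constructed wire value; the function names (wire_size_to_int64, check_size_naive, check_size_hardened, request_in_bounds_naive, request_in_bounds_hardened) and the sample sizes are this example's own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a client-side size check (names are this example's, not libnbd's). */
enum size_verdict { SIZE_OK = 0, SIZE_CALL_FAILED = 1, SIZE_IMPLAUSIBLE = 2 };

/* The NBD protocol carries the export size as an unsigned 64-bit integer.
   Seen through a signed int64_t (the return type of nbd_get_size()), any
   value >= 2^63 appears negative.  memcpy keeps the reinterpretation
   well-defined instead of relying on unsigned-to-signed conversion rules. */
int64_t wire_size_to_int64(uint64_t wire_size)
{
    int64_t signed_size;
    memcpy(&signed_size, &wire_size, sizeof signed_size);
    return signed_size;
}

/* The pattern the notice warns about: only the documented -1 is treated as
   an error, so every other negative value passes as if it were a real size. */
enum size_verdict check_size_naive(int64_t size)
{
    if (size == -1)
        return SIZE_CALL_FAILED;
    return SIZE_OK;
}

/* Hardened version: -1 is the API's error signal, and any other negative
   value means the server advertised a size this client cannot represent. */
enum size_verdict check_size_hardened(int64_t size)
{
    if (size == -1)
        return SIZE_CALL_FAILED;
    if (size < 0)
        return SIZE_IMPLAUSIBLE;
    return SIZE_OK;
}

/* Why the distinction matters downstream: a bounds check that casts the
   size back to unsigned before comparing accepts almost any offset when the
   size was negative, because (uint64_t)size is then enormous. */
bool request_in_bounds_naive(int64_t size, uint64_t offset, uint64_t count)
{
    uint64_t limit = (uint64_t) size;
    return offset <= limit && count <= limit - offset;
}

/* The same bounds check once negative sizes have been rejected up front. */
bool request_in_bounds_hardened(int64_t size, uint64_t offset, uint64_t count)
{
    if (check_size_hardened(size) != SIZE_OK)
        return false;
    uint64_t limit = (uint64_t) size;
    return offset <= limit && count <= limit - offset;
}

int main(void)
{
    /* Constructed sample values: a 1 GiB export, the bit pattern of the -1
       error return, and an advertised size >= 2^63 from a misbehaving server. */
    const uint64_t samples[] = { 1ULL << 30, UINT64_MAX, 0xFFFFFFFFFFFFFFF0ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t size = wire_size_to_int64(samples[i]);
        printf("wire 0x%016" PRIx64 " -> int64 %" PRId64
               ": naive=%d hardened=%d bounds(naive)=%d bounds(hardened)=%d\n",
               samples[i], size,
               check_size_naive(size), check_size_hardened(size),
               (int) request_in_bounds_naive(size, 1ULL << 40, 4096),
               (int) request_in_bounds_hardened(size, 1ULL << 40, 4096));
    }
    return 0;
}
```

When reviewing a real client, the line to look for is the comparison after the nbd_get_size() call: `size == -1` alone is the weak form, `size < 0` (or an equivalent unsigned range check) is the form that also rejects the wrapped values.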

Comment 1: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2023-11-13 03:28:59 UTC
ping

Comment 2: Arsen Arsenović (gentoo-dev) 2023-11-13 10:00:09 UTC
huh, apparently I don't have libnbd in my feed reader... strange.

working on a bump now.

Comment 3: Larry the Git Cow (gentoo-dev) 2023-11-13 11:00:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bd36b8ff84d387ec31c43817c5b5d985cf71759

commit 2bd36b8ff84d387ec31c43817c5b5d985cf71759
Author:     Arsen Arsenović <arsen@gentoo.org>
AuthorDate: 2023-11-13 10:43:23 +0000
Commit:     Arsen Arsenović <arsen@gentoo.org>
CommitDate: 2023-11-13 10:56:08 +0000

    sys-libs/libnbd: add 1.18.1
    
    Bug: https://bugs.gentoo.org/915353
    Signed-off-by: Arsen Arsenović <arsen@gentoo.org>

 sys-libs/libnbd/Manifest             |  1 +
 sys-libs/libnbd/libnbd-1.18.1.ebuild | 81 ++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)