Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 116314 - sys-block/nbd Buffer overflow (CVE-2005-3534)
Summary: sys-block/nbd Buffer overflow (CVE-2005-3534)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: C1? [glsa]
Depends on:
Reported: 2005-12-21 11:51 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-12-23 11:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-21 11:51:28 UTC
Debian released an advisory for nbd, not sure wether we are affected.

Kurt Fitzner discovered a buffer overflow in nbd, the network block device client and server that could potentially allow arbitrary cod on the NBD server.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-21 12:18:36 UTC
base-system please advise and provide updated ebuilds if necessary. the CVE seems to be wrong, but maybe that helps:
Comment 2 SpanKY gentoo-dev 2005-12-21 20:50:13 UTC
2.8.2-r1 in portage with fix
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-21 22:30:19 UTC
Arches please test and mark stable.
Comment 4 Simon Stelling (RETIRED) gentoo-dev 2005-12-22 10:53:56 UTC
amd64 stable
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-22 11:33:08 UTC
Stable on ppc.
Comment 6 Paul Varner (RETIRED) gentoo-dev 2005-12-22 19:31:19 UTC
x86 stable
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-22 21:01:57 UTC
ready for glsa
Comment 8 Jason Shoemaker (RETIRED) gentoo-dev 2005-12-23 03:43:15 UTC
Forwarding this from #gentoo:

Yoe: Hi! I'm the maintainer of the NBD utilities (not in Gentoo; upstream, and in Debian). There's been a security issue with that one, and Gentoo is preparing a GLSA.

Yoe: However, they're not doing it right; the update is preparing with 2.8.2, but you need at least 2.8.3 to plug the hole.

Yoe: I sent mail to with that information (who's declared it "ready for GLSA"), but I'd like to avoid that you guys get it wrong. Could anyone please add some comment to that bug?

(1) it's CVE-2005-3534 rather than 3354, and (2) you need NBD 2.8.3 to plug the hole, rather than 2.8.2; the latter is still vulnerable.

Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-23 03:53:55 UTC
Thanks for the headsup, the mail didn't make it through, i'm sorry (maybe because email addy was wrong?). We ship 2.8.2-r1, -r1 for revision one, including a security patch - so in fact we should be fine here and can keep the GLSA status. Updating CVE number.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-12-23 11:33:19 UTC
GLSA 200512-14