Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 493010 (CVE-2013-6410) - <sys-block/nbd-3.5: Improper Access Restriction (CVE-2013-6410)
Summary: <sys-block/nbd-3.5: Improper Access Restriction (CVE-2013-6410)
Alias: CVE-2013-6410
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2013-12-01 09:08 UTC by Agostino Sarubbo
Modified: 2015-08-28 00:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-01 09:08:29 UTC
From ${URL} :

nbd-server has the ability to deny connection requests to clients unless their IP addresses are 
listed in a tcpwrappers-style configuration file.

Due to incorrect use of strncmp() in the parser for this file, however, it would allow clients to 
connect so long as their IP address in ASCII representation would start with something in the ACL 
file; e.g., would be allowed if was listed.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Agostino Sarubbo gentoo-dev 2013-12-02 16:11:03 UTC
Arches, please test and mark stable:
Target keywords : "amd64 arm ppc ppc64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-06 20:40:14 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-12-06 20:42:15 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-12-07 19:11:42 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-12-07 19:14:04 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-12-07 19:51:39 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 04:14:12 UTC
Vulnerable packages still in Tree.

Maintainer(s), please drop the vulnerable version.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2014-06-18 01:16:46 UTC
GLSA Vote: No

Maintainer(s), please drop the vulnerable version. Vulnerable versions have been in tree since December of 2013.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2014-08-04 19:29:23 UTC
NO too, keeping open for cleanup.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 02:00:49 UTC
Maintainer(s): Ping on cleanup!
Comment 12 Manuel Rüger (RETIRED) gentoo-dev 2015-08-28 00:01:03 UTC
Vulnerable versions have been removed a while ago. Resolving as it's marked as noglsa.