Bug 915353 (CVE-2023-5215) - <sys-libs/libnbd-1.18.1: nbd_get_size API weakness
Summary: <sys-libs/libnbd-1.18.1: nbd_get_size API weakness
Status: IN_PROGRESS
Alias: CVE-2023-5215
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [stable?]
Keywords:
Depends on: 923169
Blocks:
Reported: 2023-10-08 05:08 UTC by Sam James
Modified: 2024-06-05 14:58 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-08 05:08:35 UTC
See https://listman.redhat.com/archives/libguestfs/2023-September/032711.html.

"""
Lifecycle
---------

Reported: 2023-09-17  Fixed: 2023-09-22  Published: 2023-09-26

At the time of this email, the Red Hat security team is analyzing
potential security impacts to determine if a CVE is warranted against
libnbd; if one is assigned, a followup email will announce that
identifier.  However, even if a CVE is not assigned to libnbd, the
issues documented here warrant an audit of clients that utilize the
nbd_get_size() API from libnbd, to see if they might be subject to a
weakness when interpreting a large size as a negative value.  The
libnbd developers felt it more important to issue this security notice
prior to the release of v1.18 than to hold up the release schedule
waiting for final analysis on whether libnbd needs a CVE.
"""

(A CVE was later assigned as CVE-2023-5215).

Please bump to 1.16.5/1.18.0.
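The advisory quoted above asks client authors to audit how they consume the value returned by nbd_get_size(). The following is an added illustration, not code from libnbd or from this bug: it models the pattern the advisory describes. An NBD server advertises its export size as an unsigned 64-bit quantity; if that value is handed to the caller through a signed int64_t, any size of 2^63 bytes or more comes back negative. The block contrasts an unchecked conversion with a hardened one that refuses such sizes, and shows the kind of client-side check a caller should apply. The function names and the EOVERFLOW choice are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the wire value: NBD carries the export size as uint64_t. */

/* Unchecked conversion (hypothetical, modelling the pre-fix weakness):
 * the raw 64-bit pattern is reinterpreted as int64_t, so an advertised
 * size >= 2^63 is returned to the caller as a negative number.
 * memcpy is used so the reinterpretation is well-defined C. */
int64_t get_size_unchecked(uint64_t advertised)
{
    int64_t signed_size;
    memcpy(&signed_size, &advertised, sizeof signed_size);
    return signed_size;
}

/* Hardened conversion (hypothetical, in the spirit of the fix the advisory
 * describes): anything that does not fit the non-negative range of int64_t
 * is rejected with errno = EOVERFLOW instead of being returned as negative. */
int64_t get_size_checked(uint64_t advertised)
{
    if (advertised > (uint64_t)INT64_MAX) {
        errno = EOVERFLOW;
        return -1;
    }
    return (int64_t)advertised;
}

/* Client-side audit helper: a size obtained from an nbd_get_size()-style
 * call is only usable as a length if it is non-negative. Returns 1 when
 * usable, 0 otherwise. Callers that skip this and cast to size_t turn a
 * negative value into an enormous unsigned length. */
int client_size_is_usable(int64_t size)
{
    return size >= 0;
}

/* Example of the arithmetic an unaudited client might perform: derive a
 * sector count from the size. With a negative size the quotient is also
 * negative, which is why the check above must come first. Returns -1 if
 * the size is not usable. */
int64_t client_sector_count(int64_t size, int64_t sector_size)
{
    if (!client_size_is_usable(size) || sector_size <= 0)
        return -1;
    return size / sector_size;
}

int main(void)
{
    /* Constructed sample: a size just above 2^63, as a hostile server
     * could advertise it. Not taken from any real server. */
    uint64_t hostile = (uint64_t)1 << 63;
    hostile += 16;

    int64_t raw = get_size_unchecked(hostile);
    printf("unchecked: %lld (negative: %s)\n", (long long)raw,
           client_size_is_usable(raw) ? "no" : "yes");

    errno = 0;
    int64_t safe = get_size_checked(hostile);
    printf("checked: %lld errno=%d (EOVERFLOW=%d)\n", (long long)safe,
           errno, EOVERFLOW);

    /* A realistic 1 TiB export passes both paths unchanged. */
    uint64_t tib = (uint64_t)1 << 40;
    printf("1 TiB export -> %lld sectors of 512 bytes\n",
           (long long)client_sector_count(get_size_checked(tib), 512));
    return 0;
}
```

A client audit in the sense of the advisory boils down to two questions: does the code treat a negative return as an error before using it, and does any path cast the value to an unsigned type without that check.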
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-13 03:28:59 UTC
ping
Comment 2 Arsen Arsenović gentoo-dev 2023-11-13 10:00:09 UTC
huh, apparently I don't have libnbd in my feed reader.. strange.

working on a bump now.
Comment 3 Larry the Git Cow gentoo-dev 2023-11-13 11:00:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bd36b8ff84d387ec31c43817c5b5d985cf71759

commit 2bd36b8ff84d387ec31c43817c5b5d985cf71759
Author:     Arsen Arsenović <arsen@gentoo.org>
AuthorDate: 2023-11-13 10:43:23 +0000
Commit:     Arsen Arsenović <arsen@gentoo.org>
CommitDate: 2023-11-13 10:56:08 +0000

    sys-libs/libnbd: add 1.18.1
    
    Bug: https://bugs.gentoo.org/915353
    Signed-off-by: Arsen Arsenović <arsen@gentoo.org>

 sys-libs/libnbd/Manifest             |  1 +
 sys-libs/libnbd/libnbd-1.18.1.ebuild | 81 ++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)