Bug 550996 (CVE-2013-7441) - <sys-block/nbd-3.11: denial of service vulnerability (CVE-2013-7441,CVE-2015-0847)
Status: RESOLVED FIXED
Alias: CVE-2013-7441
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: B3 [noglsa/cve]
Reported: 2015-06-02 11:57 UTC by Sam James
Modified: 2015-08-10 22:33 UTC

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-02 11:57:09 UTC
From above URL:

The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export.

----
Affected versions: >= 2.9.22 && <= 3.3
Versions in tree: 
2.9.22 (stable) (vulnerable)
2.9.23 (stable) (vulnerable)
2.9.24 (stable) (vulnerable)
2.9.25 (stable) (vulnerable)
3.0 (unstable) (vulnerable)
3.1.1 (unstable) (vulnerable)
3.2 (stable) (vulnerable)
3.3 (unstable) (vulnerable)

https://github.com/yoe/nbd/commit/741495cb08503fd32a9d22648e63b64390c601f4
http://www.openwall.com/lists/oss-security/2015/05/21/5
https://www.debian.org/security/2015/dsa-3271

Debian have backported the fix to 3.2.4 in their oldstable. I am unsure if it is useful to extract it, given the amount of successive versions after 3.3 and various old versions in our tree.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-02 12:07:27 UTC
Another DoS (CVE-2015-0847) to the OP.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0847

---
nbd-server.c in Network Block Device (nbd-server) before 3.11 does not properly handle signals, which allows remote attackers to cause a denial of service (deadlock) via unspecified vectors.
---

Versions affected: < 3.11
https://www.debian.org/security/2015/dsa-3271 (as above)
Debian have backported a fix to 3.2.4, 3.8.4, and 3.10.1.
It is possible for these to be extracted if the maintainer decides which of these versions will be purged from the tree given the vulnerabilities reported in the previous comment.
Comment 2 SpanKY gentoo-dev 2015-06-05 03:48:34 UTC
3.11 is in our tree already.  marking it stable should be fine.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2015-06-06 01:43:08 UTC
(In reply to SpanKY from comment #2)
> 3.11 is in our tree already.  marking it stable should be fine.

Thanks.

Arches, please test and mark stable
=sys-block/nbd-3.11
Target KEYWORDS="~alpha amd64 arm ~ia64 ppc ppc64 ~sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-08 05:13:59 UTC
Stable for PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-08 10:44:52 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-11 07:18:21 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2015-06-11 19:12:50 UTC
arm stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-06-13 07:11:08 UTC
CVE-2015-0847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0847):
  nbd-server.c in Network Block Device (nbd-server) before 3.11 does not
  properly handle signals, which allows remote attackers to cause a denial of
  service (deadlock) via unspecified vectors.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-06-13 07:11:48 UTC
CVE-2013-7441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7441):
  The modern style negotiation in Network Block Device (nbd-server) 2.9.22
  through 3.3 allows remote attackers to cause a denial of service (root
  process termination) by (1) closing the connection during negotiation or (2)
  specifying a name for a non-existent export.
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-24 08:01:10 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 13:00:36 UTC
Maintainer(s), thank you for cleanup.

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-16 14:46:05 UTC
GLSA Vote: No
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-08-04 14:43:36 UTC
Ping on cleanup.
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2015-08-10 22:33:01 UTC
Cleanup handled, closing.