CVE-2022-26496: In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with a large value as the length of the name.

CVE-2022-26495: In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.

https://lists.debian.org/nbd/2022/01/msg00036.html
https://lists.debian.org/nbd/2022/01/msg00037.html

Seems like there's an incorrect patch attached.
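The two CVE descriptions above come down to one unchecked 32-bit length field. The following C is an added illustration, not nbd-server's code: it uses an assumed, simplified option payload (a big-endian 32-bit name length followed by the name bytes; the real option header and trailing info requests are left out), an assumed per-server cap EXPORT_NAME_MAX, and constructed messages. It shows the 32-bit wrap that yields the zero-sized allocation, and a parser that rejects a length field larger than the bytes actually received, which covers both the oversized-length (stack) and the 0xffffffff (heap) cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified option payload for NBD_OPT_INFO / NBD_OPT_GO:
 * a 32-bit big-endian name length followed by that many bytes of export
 * name. (The real option also carries a leading header and trailing info
 * requests, which are left out here.) Illustrative code, not nbd-server's. */

#define EXPORT_NAME_MAX 256   /* assumed per-server cap on export name length */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The arithmetic behind CVE-2022-26495: computing "name length plus one
 * for the NUL" in 32 bits wraps to 0 for 0xffffffff, so the allocation
 * is zero-sized and the copy that follows writes past it. */
uint32_t vulnerable_alloc_size(uint32_t name_len)
{
    return name_len + 1;
}

/* Hardened parse. Returns the name length on success and copies the
 * NUL-terminated name into out; returns -1 if the length field is
 * inconsistent with the bytes actually received, exceeds the policy cap,
 * or does not fit the caller's buffer. The check against opt_len comes
 * first: a client cannot claim a longer name than it sent. */
int parse_option_name(const unsigned char *opt, size_t opt_len,
                      char *out, size_t out_size)
{
    if (opt_len < 4)
        return -1;
    uint32_t name_len = be32(opt);
    if (name_len > opt_len - 4)          /* claims more than was sent */
        return -1;
    if (name_len > EXPORT_NAME_MAX)      /* server-side policy cap */
        return -1;
    if ((size_t)name_len + 1 > out_size) /* size_t arithmetic, no 32-bit wrap */
        return -1;
    memcpy(out, opt + 4, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}

/* Runs three constructed messages through the hardened parser: a benign
 * one, the 0xffffffff length from CVE-2022-26495, and an oversized length
 * in the style of CVE-2022-26496. Returns 1 when all three are handled as
 * expected, 0 otherwise. */
int check_crafted_messages(void)
{
    char out[EXPORT_NAME_MAX + 1];

    /* constructed benign payload: length 4, name "disk" */
    const unsigned char benign[] = { 0, 0, 0, 4, 'd', 'i', 's', 'k' };
    if (parse_option_name(benign, sizeof benign, out, sizeof out) != 4 ||
        strcmp(out, "disk") != 0)
        return 0;

    /* constructed payload: length 0xffffffff with a single byte of name */
    const unsigned char wrap[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
    if (parse_option_name(wrap, sizeof wrap, out, sizeof out) != -1)
        return 0;

    /* constructed payload: length 1000 with 1000 bytes actually present,
     * larger than the 256-byte destination */
    unsigned char big[4 + 1000];
    memset(big, 'A', sizeof big);
    big[0] = 0; big[1] = 0; big[2] = 0x03; big[3] = 0xe8; /* 1000, big-endian */
    if (parse_option_name(big, sizeof big, out, sizeof out) != -1)
        return 0;

    return 1;
}

int main(void)
{
    printf("0xffffffff + 1 in 32 bits = %u\n", vulnerable_alloc_size(0xffffffffu));
    printf("hardened parser: %s\n", check_crafted_messages() ? "ok" : "FAILED");
    return 0;
}
```

The wrap function is kept separate on purpose: the vulnerable path is shown as arithmetic only, because actually allocating zero bytes and copying into it is undefined behaviour and proves nothing reproducibly. Note that casting to size_t before the +1 only helps on 64-bit targets; the check against the received option length is what holds on every platform.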
3.24 is released. https://github.com/NetworkBlockDevice/nbd/releases/tag/nbd-3.24 Seems to have commits for both issues.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8a350785778feb0ced49ff5077174e0ea10c195

commit c8a350785778feb0ced49ff5077174e0ea10c195
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-06-01 00:39:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-06-01 01:25:09 +0000

    sys-block/nbd: add 3.24

    Bug: https://bugs.gentoo.org/834678
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-block/nbd/Manifest        |  1 +
 sys-block/nbd/nbd-3.24.ebuild | 75 +++++++++++++++++++++++++++++++++++++++++++
 sys-block/nbd/nbd-9999.ebuild | 22 +++++++++----
 3 files changed, 91 insertions(+), 7 deletions(-)