Univention Bugzilla – Bug 54542
nbd: Multiple issues (5.0)
Last modified: 2022-03-16 15:18:11 CET
New Debian nbd 1:3.19-3+deb10u1 fixes: This update addresses the following issues: * In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages. (CVE-2022-26495) * In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name. (CVE-2022-26496)
--- mirror/ftp/pool/main/n/nbd/nbd_3.19-3.dsc +++ apt/ucs_5.0-0-errata5.0-1/source/nbd_3.19-3+deb10u1.dsc @@ -1,3 +1,9 @@ +1:3.19-3+deb10u1 [Wed, 09 Mar 2022 11:23:59 +0200] Wouter Verhelst <wouter@debian.org>: + + * Cherry-pick fixes for CVE-2022-26495 and CVE-2022-26496 from git master; + Closes: #1006915. + * Fix parsing of nbdtab in nbd-client; Closes: #1003863. + 1:3.19-3 [Sun, 17 Feb 2019 10:51:59 +0200] Wouter Verhelst <wouter@debian.org>: * debian/control: add docbook-utils to build-depends. This shouldn't <http://piuparts.knut.univention.de/5.0-1/#6844923696850574475>
OK: yaml OK: announce_errata OK: patch OK: piuparts
<https://errata.software-univention.de/#/?erratum=5.0x244>