Message ID | 20220313113333.1125977-1-fontaine.fabrice@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [v2,1/1] package/nbd: security bump to version 3.24 | expand |
On 13/03/2022 12:33, Fabrice Fontaine wrote: > Fix CVE-2022-26495: In nbd-server in nbd before 3.24, there is an > integer overflow with a resultant heap-based buffer overflow. A value of > 0xffffffff in the name length field will cause a zero-sized buffer to be > allocated for the name, resulting in a write to a dangling pointer. This > issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME > messages. > > Fix CVE-2022-26496: In nbd-server in nbd before 3.24, there is a > stack-based buffer overflow. An attacker can cause a buffer overflow in > the parsing of the name field by sending a crafted NBD_OPT_INFO or > NBD_OPT_GO message with an large value as the length of the name. > > https://github.com/NetworkBlockDevice/nbd/compare/nbd-3.21...nbd-3.24 > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Applied to master, thanks. Regards, Arnout > --- > Changes v1 -> v2: > - Tag as a security bump and add CVEs > > package/nbd/nbd.hash | 8 ++++---- > package/nbd/nbd.mk | 2 +- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/package/nbd/nbd.hash b/package/nbd/nbd.hash > index f0df35bc27..f58a89bf9a 100644 > --- a/package/nbd/nbd.hash > +++ b/package/nbd/nbd.hash > @@ -1,7 +1,7 @@ > -# From http://sourceforge.net/projects/nbd/files/nbd/3.21/ > -md5 c51c4c500fe1ed84c3d5d5dd2ca71d23 nbd-3.21.tar.xz > -sha1 88c3296d43d20d7bda97e0f1bab0243a4f6fa880 nbd-3.21.tar.xz > +# From http://sourceforge.net/projects/nbd/files/nbd/3.24/ > +md5 a6d9e7bbc311a2ed07ef84a58b82b5dd nbd-3.24.tar.xz > +sha1 72c59ef5186ae355de6f539a1b348e18cbb8314e nbd-3.24.tar.xz > > # Locally calculated > -sha256 e7688af39d91733bbcd2db08062c44fe503d004e51528740139c44aff6a6bef9 nbd-3.21.tar.xz > +sha256 6877156d23a7b33f75eee89d2f5c2c91c542afc3cdcb636dea5a88539a58d10c nbd-3.24.tar.xz > sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING > diff --git a/package/nbd/nbd.mk b/package/nbd/nbd.mk > index 0a7f08b2cf..f0fb23910e 100644 > --- a/package/nbd/nbd.mk > +++ b/package/nbd/nbd.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -NBD_VERSION = 3.21 > +NBD_VERSION = 3.24 > NBD_SOURCE = nbd-$(NBD_VERSION).tar.xz > NBD_SITE = http://downloads.sourceforge.net/project/nbd/nbd/$(NBD_VERSION) > NBD_CONF_OPTS = --enable-lfs
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > Fix CVE-2022-26495: In nbd-server in nbd before 3.24, there is an > integer overflow with a resultant heap-based buffer overflow. A value of > 0xffffffff in the name length field will cause a zero-sized buffer to be > allocated for the name, resulting in a write to a dangling pointer. This > issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME > messages. > Fix CVE-2022-26496: In nbd-server in nbd before 3.24, there is a > stack-based buffer overflow. An attacker can cause a buffer overflow in > the parsing of the name field by sending a crafted NBD_OPT_INFO or > NBD_OPT_GO message with an large value as the length of the name. > https://github.com/NetworkBlockDevice/nbd/compare/nbd-3.21...nbd-3.24 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > --- > Changes v1 -> v2: > - Tag as a security bump and add CVEs Committed to 2021.02.x and 2022.02.x, thanks.
diff --git a/package/nbd/nbd.hash b/package/nbd/nbd.hash index f0df35bc27..f58a89bf9a 100644 --- a/package/nbd/nbd.hash +++ b/package/nbd/nbd.hash @@ -1,7 +1,7 @@ -# From http://sourceforge.net/projects/nbd/files/nbd/3.21/ -md5 c51c4c500fe1ed84c3d5d5dd2ca71d23 nbd-3.21.tar.xz -sha1 88c3296d43d20d7bda97e0f1bab0243a4f6fa880 nbd-3.21.tar.xz +# From http://sourceforge.net/projects/nbd/files/nbd/3.24/ +md5 a6d9e7bbc311a2ed07ef84a58b82b5dd nbd-3.24.tar.xz +sha1 72c59ef5186ae355de6f539a1b348e18cbb8314e nbd-3.24.tar.xz # Locally calculated -sha256 e7688af39d91733bbcd2db08062c44fe503d004e51528740139c44aff6a6bef9 nbd-3.21.tar.xz +sha256 6877156d23a7b33f75eee89d2f5c2c91c542afc3cdcb636dea5a88539a58d10c nbd-3.24.tar.xz sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/nbd/nbd.mk b/package/nbd/nbd.mk index 0a7f08b2cf..f0fb23910e 100644 --- a/package/nbd/nbd.mk +++ b/package/nbd/nbd.mk @@ -4,7 +4,7 @@ # ################################################################################ -NBD_VERSION = 3.21 +NBD_VERSION = 3.24 NBD_SOURCE = nbd-$(NBD_VERSION).tar.xz NBD_SITE = http://downloads.sourceforge.net/project/nbd/nbd/$(NBD_VERSION) NBD_CONF_OPTS = --enable-lfs
Fix CVE-2022-26495: In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages. Fix CVE-2022-26496: In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name. https://github.com/NetworkBlockDevice/nbd/compare/nbd-3.21...nbd-3.24 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- Changes v1 -> v2: - Tag as a security bump and add CVEs package/nbd/nbd.hash | 8 ++++---- package/nbd/nbd.mk | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-)