CVE Request: nbd denial of service

[Alessandro Ghedini <alessandro () ghedini me>]

Hello,

the following vulnerability was reported in the Debian bug tracker for nbd:

> There's a remotely exploitable denial of service flaw, similar/identical
> to CVE-2011-1925 in nbd-server. It has been documented publicly in
> 2013-01-28[1]. It has been fixed in upstream version 3.4 [2] and hence
> affects only the stable release (1:3.2-4~deb7u4).
>
> [1]: http://sourceforge.net/p/nbd/mailman/message/30410146/
> [2]: https://github.com/yoe/nbd/commit/741495cb08503fd32a9d22648e63b64390c601f4
>
> The flaw can be exploited easily by connecting to a server (listening at
> 10.0.0.1 in this example) and asking for a non-existing export:
>
>   nbd-client 10.0.0.1 -N some-non-existing-export-name /dev/nbd1
>
> The root (listener) nbd-server process will exit because of failed
> negotiation procedure, effectively denying the service from others.

See https://bugs.debian.org/781547

According to the upstream author (Wouter Verhelst):

> versions <= 2.9.16 and >= 3.4 are definitely not vulnerable. Versions released
> immediately after CVE-2011-1925 are *probably* not vulnerable, but I'm not
> sure (and I don't want to go test all of them...). Versions released between
> 2.9.16 and 2.9.22 (which fixes CVE-2011-1925) are vulnerable in the sense that
> the bad design is still there, but I don't believe they would crash in that
> manner.

Can a CVE be assigned for this please?

Cheers

Attachment: signature.asc
Description: Digital signature