Re: CVE request: nbd-server

[Wouter Verhelst <w () uter be>]

On Tue, May 17, 2011 at 11:07:46AM -0600, Vincent Danen wrote:
> * [2011-05-17 10:38:20 +0200] Thijs Kinkhorst wrote:
>
> > Hi,
> >
> > In Debian the following was reported:
> > nbd-server 2.9.21 has a NULL-pointer dereference in its negotiation
> > phase, which allows unauthenticated users to DoS the server by causing
> > the negotiation to fail (e.g., by specifying a non-existing name for an
> > export).
> >
> > Filed as http://bugs.debian.org/627042. This affects only 2.9.21 so for us
> > goes that only our unstable distribution is affected.
> >
> > We'd like to have a CVE name for this.
>
> The Debian bug is really light on details, so here is the git commit
> that fixes this:
>
> http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commitdiff;h=ebbbe0b3ce5393fa42a259f5e03d549508586aaa
>
> But I don't see any evidence that this _only_ affects 2.9.21.  Are we
> sure that it doesn't affect earlier versions?  The reporter doesn't
> indicate one way or the other.

Yes, absolutely; 2.9.21 and 2.9.21a (diff between .21 and .21a is a
documentation-related file that wasn't added to Makefile.am). The bug
was introduced with this commit:

http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commit;h=9ea4e742ce6f1b7793d1edfca70427a8660aeffa

To be 100% sure, I just checked out the tree at the 2.9.20 tag and
recompiled; I couldn't reproduce it.

-- 
The volume of a pizza of thickness a and radius z can be described by
the following formula:

pi zz a