Re: CVE request: nbd-server

[Vincent Danen <vdanen () redhat com>]

* [2011-05-17 20:40:01 +0200] Wouter Verhelst wrote:

> On Tue, May 17, 2011 at 11:07:46AM -0600, Vincent Danen wrote:
> > * [2011-05-17 10:38:20 +0200] Thijs Kinkhorst wrote:
> >
> > >Hi,
> > >
> > >In Debian the following was reported:
> > >nbd-server 2.9.21 has a NULL-pointer dereference in its negotiation
> > >phase, which allows unauthenticated users to DoS the server by causing
> > >the negotiation to fail (e.g., by specifying a non-existing name for an
> > >export).
> > >
> > >Filed as http://bugs.debian.org/627042. This affects only 2.9.21 so for us
> > >goes that only our unstable distribution is affected.
> > >
> > >We'd like to have a CVE name for this.
> >
> > The Debian bug is really light on details, so here is the git commit
> > that fixes this:
> >
> > http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commitdiff;h=ebbbe0b3ce5393fa42a259f5e03d549508586aaa
> >
> > But I don't see any evidence that this _only_ affects 2.9.21.  Are we
> > sure that it doesn't affect earlier versions?  The reporter doesn't
> > indicate one way or the other.
>
> Yes, absolutely; 2.9.21 and 2.9.21a (diff between .21 and .21a is a
> documentation-related file that wasn't added to Makefile.am). The bug
> was introduced with this commit:
>
> http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commit;h=9ea4e742ce6f1b7793d1edfca70427a8660aeffa
>
> To be 100% sure, I just checked out the tree at the 2.9.20 tag and
> recompiled; I couldn't reproduce it.

Fantastic.  Thank you for the check and the additional commit link.

--
Vincent Danen / Red Hat Security Response Team