Package: nbd-server
Version: 1:3.2-4~deb7u4
Severity: important
Tags: security
Dear Maintainer,

There's a remotely exploitable denial of service flaw, similar/identical to CVE-2011-1925, in nbd-server. It has been documented publicly on 2013-01-28 [1]. It has been fixed in upstream version 3.4 [2] and hence affects only the stable release (1:3.2-4~deb7u4).

[1]: http://sourceforge.net/p/nbd/mailman/message/30410146/
[2]: https://github.com/yoe/nbd/commit/741495cb08503fd32a9d22648e63b64390c601f4

The flaw can be exploited easily by connecting to a server (listening at 10.0.0.1 in this example) and asking for a non-existing export:

    nbd-client 10.0.0.1 -N some-non-existing-export-name /dev/nbd1

The root (listener) nbd-server process will exit because of the failed negotiation procedure, effectively denying the service to others.

I'm the author of the commit which fixed the issue in upstream release 3.4 and I'm willing to help to get it fixed/backported also to stable. I have drafted and tested a backported patch on top of nbd 1:3.2-4~deb7u4 [3]. It is basically identical to 741495cb08503fd32a9d22648e63b64390c601f4; I just had to use msg2(), msg3() and msg4() instead of msg() and a single modernsock instead of a socket array.

[3]: https://github.com/tuomasjjrasanen/nbd/commit/6e7cc14f21f9e899412d307c331acb2cad85fc56

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nbd-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u8
ii  libglib2.0-0           2.33.12+really2.32.4-5
ii  ucf                    3.0025+nmu3

nbd-server recommends no packages.

nbd-server suggests no packages.
-- debconf information:
  nbd-server/convert: true
  nbd-server/useports: false
  nbd-server/autogen:
  nbd-server/name:
  nbd-server/filename:
  nbd-server/number: 0
  nbd-server/port:
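The failure mode the report describes, as an added illustration that is not nbd-server's code and does not reproduce the upstream commit: a toy forking listener in which a negotiation error is fatal in the accepting process (the vulnerable shape), next to one that forks first and negotiates in a per-connection child so that an unknown export name ends only that connection. The export list and the negotiation step are constructed for the demo.

```c
/* Added illustration (not nbd-server's code): a negotiation failure must
 * not be fatal in the listener process of a forking server.
 * The export list below is constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static const char *exports[] = { "disk0", "disk1" };

/* Negotiation step: look up the export the client asked for.
 * Returns 0 if it exists, -1 otherwise. */
int negotiate(const char *requested)
{
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i], requested) == 0)
            return 0;
    return -1;
}

/* Vulnerable shape: negotiate in the listener and treat failure as fatal.
 * One request for a non-existing export kills the process that accepts
 * every future client, which is the denial of service from the report. */
void serve_vulnerable(const char *requested)
{
    if (negotiate(requested) < 0) {
        fprintf(stderr, "negotiation failed, exiting\n");
        exit(EXIT_FAILURE);          /* takes the listener down with it */
    }
    /* ... serve the export ... */
}

/* Hardened shape: fork first, negotiate in the child. A failed negotiation
 * ends only that child; the listener (the caller) keeps accepting.
 * Returns the child's exit status, or -1 if fork() failed. */
int serve_hardened(const char *requested)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;                   /* could not fork; listener still alive */
    if (pid == 0) {
        if (negotiate(requested) < 0)
            _exit(1);                /* only this connection is dropped */
        /* ... serve the export ... */
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A quick sanity check of a deployed service against this class of bug is to ask for a bogus export and confirm the listener still accepts a second, valid connection afterwards.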