
List:       libguestfs
Subject:    Re: [Libguestfs] LIBNBD SECURITY: Negative results from nbd_get_size() - CVE-2023-5215
From:       Eric Blake <eblake () redhat ! com>
Date:       2023-09-27 12:57:59
Message-ID: smlztdbupa6b4t6k7jzqaa2jqojn7gqi2w2qbpjrhco4atid6n () llp3mph5vjhf

On Tue, Sep 26, 2023 at 02:12:27PM -0500, Eric Blake wrote:
> We have discovered a security flaw with potential minor impact in
> libnbd.
> 
> Lifecycle
> ---------
> 
> Reported: 2023-09-17  Fixed: 2023-09-22  Published: 2023-09-26
> 
> At the time of this email, the Red Hat security team is analyzing
> potential security impacts to determine if a CVE is warranted against
> libnbd; if one is assigned, a followup email will announce that
> identifier.  However, even if a CVE is not assigned to libnbd, the
> issues documented here warrant an audit of clients that utilize the
> nbd_get_size() API from libnbd, to see if they might be subject to a
> weakness when interpreting a large size as a negative value.  The
> libnbd developers felt it more important to issue this security notice
> prior to the release of v1.18 than to hold up the release schedule
> waiting for final analysis on whether libnbd needs a CVE.

The Red Hat security team assigned this CVE-2023-5215 as a low-impact
security vulnerability, with a rating of low impact severity.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization:  qemu.org | libguestfs.org
_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
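The audit the advisory recommends concerns one pattern: a server reports its export size as an unsigned 64-bit value, nbd_get_size() hands it to the caller as a signed int64_t, and a size of 2^63 or more therefore arrives as a negative number that client arithmetic may treat as a real size. The following C program is an added, self-contained illustration of that failure mode and of the defensive checks a client should apply; it is not libnbd code and does not link against libnbd. The helper names (export_size_to_int64, naive_size, size_is_usable, chunk_count) are hypothetical, and the server size values are constructed for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical conversion (not libnbd's own): take the unsigned 64-bit
 * export size a server reports and produce the signed int64_t a caller
 * would expect, refusing anything that cannot be represented.  Returns 0
 * on success, -1 with errno set on overflow. */
int export_size_to_int64(uint64_t server_size, int64_t *out)
{
    if (server_size > (uint64_t)INT64_MAX) {
        errno = EOVERFLOW;          /* 2^63 and above do not fit */
        return -1;
    }
    *out = (int64_t)server_size;
    return 0;
}

/* The weak pattern: a bare cast.  On two's-complement targets any size of
 * 2^63 or more wraps to a negative int64_t instead of failing. */
int64_t naive_size(uint64_t server_size)
{
    return (int64_t)server_size;
}

/* Client-side guard: a negative value from a size query is an error
 * indication, never a usable size.  Returns 1 if safe to use, else 0. */
int size_is_usable(int64_t size)
{
    return size >= 0;
}

/* Typical client arithmetic that depends on the guard: how many 1 MiB
 * chunks cover the export.  Uses division and remainder rather than
 * size + chunk - 1 so it cannot overflow near INT64_MAX.  Returns -1 if
 * the size is unusable. */
int64_t chunk_count(int64_t size)
{
    const int64_t chunk = 1024 * 1024;
    if (!size_is_usable(size))
        return -1;
    return size / chunk + (size % chunk != 0);
}

int main(void)
{
    /* Constructed sample inputs: a normal 1 TiB export and a 2^63 one. */
    uint64_t normal = (uint64_t)1 << 40;
    uint64_t huge   = (uint64_t)1 << 63;
    int64_t size;

    if (export_size_to_int64(normal, &size) == 0)
        printf("normal export: %lld bytes, %lld chunks\n",
               (long long)size, (long long)chunk_count(size));

    if (export_size_to_int64(huge, &size) == -1)
        printf("huge export rejected (errno=%d)\n", errno);

    /* Show what the unchecked cast would have produced. */
    printf("naive cast of huge export: %lld (usable=%d)\n",
           (long long)naive_size(huge), size_is_usable(naive_size(huge)));
    return 0;
}
```

The point for an audit is the pair of checks: reject sizes above INT64_MAX at the conversion boundary, and treat any negative result from a size query as an error before it reaches offset or loop arithmetic.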
