Hello community, here is the log from the commit of package libnbd for openSUSE:Factory checked in at 2023-11-14 21:42:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libnbd (Old) and /work/SRC/openSUSE:Factory/.libnbd.new.17445 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libnbd" Tue Nov 14 21:42:25 2023 rev:14 rq:1125731 version:1.18.1 Changes: -------- --- /work/SRC/openSUSE:Factory/libnbd/libnbd.changes 2023-11-01 22:11:34.607215499 +0100 +++ /work/SRC/openSUSE:Factory/.libnbd.new.17445/libnbd.changes 2023-11-14 21:42:30.427452898 +0100 @@ -1,0 +2,7 @@ +Mon Nov 13 21:15:40 UTC 2023 - James Fehlig <jfeh...@suse.com> + +- Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871 + 4451e5b6-CVE-2023-5871.patch + bsc#1216769 + +------------------------------------------------------------------- New: ---- 4451e5b6-CVE-2023-5871.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libnbd.spec ++++++ --- /var/tmp/diff_new_pack.SfQhcY/_old 2023-11-14 21:42:30.899470370 +0100 +++ /var/tmp/diff_new_pack.SfQhcY/_new 2023-11-14 21:42:30.903470519 +0100 @@ -25,6 +25,7 @@ License: LGPL-2.1-or-later URL: https://gitlab.com/nbdkit/libnbd Source0: %{name}-%{version}.tar.bz2 +Patch0: 4451e5b6-CVE-2023-5871.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: fdupes ++++++ 4451e5b6-CVE-2023-5871.patch ++++++ commit 4451e5b61ca07771ceef3e012223779e7a0c7701 Author: Eric Blake <ebl...@redhat.com> Date: Mon Oct 30 12:50:53 2023 -0500 generator: Fix assertion in ext-mode BLOCK_STATUS, CVE-2023-5871 Another round of fuzz testing revealed that when a server negotiates extended headers and replies with a 64-bit flag value where the client used the 32-bit API command, we were correctly flagging the server's response as being an EOVERFLOW condition, but then immediately failing in an assertion failure instead of reporting it to the application. The following one-byte change to qemu.git at commit fd9a38fd43 allows the creation of an intentionally malicious server: | 
diff --git i/nbd/server.c w/nbd/server.c | index 859c163d19f..32e1e771a95 100644 | --- i/nbd/server.c | +++ w/nbd/server.c | 
@@ -2178,7 +2178,7 @@ static void nbd_extent_array_convert_to_be(NBDExtentArray *ea) | | for (i = 0; i < ea->count; i++) { | ea->extents[i].length = cpu_to_be64(ea->extents[i].length); | - ea->extents[i].flags = cpu_to_be64(ea->extents[i].flags); | + ea->extents[i].flags = ~cpu_to_be64(ea->extents[i].flags); | } | } and can then be detected with the following command line: $ nbdsh -c - <<\EOF > def f(a,b,c,d): > pass > > h.connect_systemd_socket_activation(["/path/to/bad/qemu-nbd", > "-r", "-f", "raw", "TODO"]) > h.block_staus(h.get_size(), 0, f) > EOF nbdsh: generator/states-reply-chunk.c:626: enter_STATE_REPLY_CHUNK_REPLY_RECV_BS_ENTRIES: Assertion `(len | flags) <= UINT32_MAX' failed. Aborted (core dumped) whereas a fixed libnbd will give: nbdsh: command line script failed: nbd_block_status: block-status: command failed: Value too large for defined data type We can either relax the assertion (by changing to 'assert ((len | flags) <= UINT32_MAX || cmd->error)'), or intentionally truncate flags to make the existing assertion reliable. This patch goes with the latter approach. Sadly, this crash is possible in all existing 1.18.x stable releases, if they were built with assertions enabled (most distros do this by default), meaning a malicious server has an easy way to cause a Denial of Service attack by triggering the assertion failure in vulnerable clients, so we have assigned this CVE-2023-5871. Mitigating factors: the crash only happens for a server that sends a 64-bit status block reply (no known production servers do so; qemu 8.2 will be the first known server to support extended headers, but it is not yet released); and as usual, a client can use TLS to guarantee it is connecting only to a known-safe server. If libnbd is compiled without assertions, there is no crash or other mistaken behavior; and when assertions are enabled, the attacker cannot accomplish anything more than a denial of service. Reported-by: Richard W.M. 
Jones <rjo...@redhat.com> Fixes: 20dadb0e10 ("generator: Prepare for extent64 callback", v1.17.4) Signed-off-by: Eric Blake <ebl...@redhat.com> (cherry picked from commit 177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6) Signed-off-by: Eric Blake <ebl...@redhat.com> Index: libnbd-1.18.1/generator/states-reply-chunk.c =================================================================== --- libnbd-1.18.1.orig/generator/states-reply-chunk.c +++ libnbd-1.18.1/generator/states-reply-chunk.c @@ -600,6 +600,7 @@ STATE_MACHINE { break; /* Skip this and later extents; we already made progress */ /* Expose this extent as an error; we made no progress */ cmd->error = cmd->error ? : EOVERFLOW; + flags = (uint32_t)flags; } }
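Review bot: the libnbd.spec hunk adds `Patch0: 4451e5b6-CVE-2023-5871.patch` but no %prep change appears in the diff, so confirm that the spec's existing %prep already applies every Patch tag (for example via `%autosetup -p1`); the patch file's paths `--- libnbd-1.18.1.orig/generator/states-reply-chunk.c` / `+++ libnbd-1.18.1/generator/states-reply-chunk.c` need a `-p1` strip level, and an explicit `%patch0` without it would not apply inside the unpacked source tree.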
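Review bot: the added `flags = (uint32_t)flags;` in states-reply-chunk.c narrows only flags so that the later `(len | flags) <= UINT32_MAX` assertion described in the commit message holds; it is not visible from this hunk's context how a length above UINT32_MAX on the same "made no progress" path avoids that assertion, so confirm len is already capped before it or give it the same treatment. The cast also deserves a one-line comment stating that the narrowed value is deliberately not meaningful because `cmd->error = cmd->error ? : EOVERFLOW;` on the preceding line already records the overflow; without it a later reader may take the truncated flags for valid data. A regression test replaying the 64-bit-flags reply from the commit message would keep the assertion from being reintroduced.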
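The conversion the commit message describes (64-bit extended-header extents delivered to a caller of the 32-bit API), shown as an added example rather than libnbd's own code: the structs, function name and the choice to keep converting after the error is recorded are this example's own assumptions, and the inputs in the test are constructed. It shows why recording EOVERFLOW and truncating the field lets the width invariant stay true for a misbehaving server instead of aborting the client.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for an extended-header (64-bit) block-status
 * extent as a server sends it: length and flags are both 64 bits wide. */
struct extent64 { uint64_t length; uint64_t flags; };

/* Hypothetical extent handed to a client that used the 32-bit API. */
struct extent32 { uint32_t length; uint32_t flags; };

/* Convert server-side 64-bit extents for a 32-bit consumer.
 * Returns how many extents were converted and stores 0 or EOVERFLOW in
 * *error.  The two branches mirror the patched code: an oversized extent
 * after progress was made is dropped together with everything after it;
 * an oversized first extent is reported as EOVERFLOW and its fields are
 * truncated so the width invariant still holds.  Callers must check
 * *error before trusting out[] (the truncated fields carry no meaning). */
size_t convert_extents(const struct extent64 *in, size_t n,
                       struct extent32 *out, int *error)
{
  size_t i;

  *error = 0;
  for (i = 0; i < n; i++) {
    uint64_t len = in[i].length;
    uint64_t flags = in[i].flags;

    if (len > UINT32_MAX || flags > UINT32_MAX) {
      if (i > 0)
        break;              /* skip this and later extents; progress made */
      *error = EOVERFLOW;   /* no progress: expose this extent as an error */
      len = (uint32_t)len;
      flags = (uint32_t)flags;
    }
    /* The invariant the original assertion checked.  With the truncation
     * above it holds even for a bad reply, because the overflow has already
     * been recorded in *error instead of being left to the assertion. */
    assert ((len | flags) <= UINT32_MAX);
    out[i].length = (uint32_t)len;
    out[i].flags = (uint32_t)flags;
  }
  return i;
}
```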