Bug 930173 (CVE-2015-0847)

Summary: VUL-0: CVE-2015-0847: nbd: incorrect signal handling DoS
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Basesystem
Assignee: Thomas Abraham <tabraham>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, chcao, meissner, mpluskal, security-team
Version: 13.2
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:NVD:CVE-2015-0847:7.8:(AV:N/AC:L/Au:N/C:N/I:N/A:C) CVSSv2:RedHat:CVE-2015-0847:5.7:(AV:A/AC:M/Au:N/C:N/I:N/A:C) maint:planned:update
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2015-05-08 08:14:18 UTC
http://seclists.org/oss-sec/2015/q2/388

CVE-2015-0847 in nbd-server
From: Florian Weimer <fw () deneb enyo de>
Date: Thu, 07 May 2015 22:45:33 +0200

nbd-server uses signal handlers incorrectly, which leads to a denial
of service vulnerability.  We have assigned CVE-2015-0847 to this
vulnerability.

This was first reported to the Debian security team by Tuomas Räsänen,
but we did not think this warranted an embargo.

More details are available upstream:

<http://sourceforge.net/p/nbd/mailman/message/34091218/>
Comment 1 Swamp Workflow Management 2015-05-08 22:00:15 UTC
bugbot adjusting priority
Comment 2 Marcus Schaefer 2015-05-11 07:31:23 UTC
I'm not maintaining nbd. I jumped in to help when Kurt Garloff left the company, but afaik Martin Pluskal took it over and cleaned it up greatly.
Comment 3 Martin Pluskal 2015-05-11 08:29:17 UTC
While I am not the maintainer of nbd, I created an sr for factory (nbd-3.10); backporting patches for a maint update of old nbd (nbd-3.3) seems to be beyond my capabilities.
Comment 4 Chenzi Cao 2015-05-11 09:02:39 UTC
Hi Tom, would you please help to have a look at this issue? Thank you!
Comment 5 Bernhard Wiedemann 2015-05-22 12:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (930173) was mentioned in
https://build.opensuse.org/request/show/308367 13.2+13.1 / nbd
Comment 6 Martin Pluskal 2015-05-22 12:02:46 UTC
Created https://build.opensuse.org/request/show/308367 and

*** This bug has been marked as a duplicate of bug 931987 ***
Comment 7 Bernhard Wiedemann 2015-05-22 13:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (930173) was mentioned in
https://build.opensuse.org/request/show/308377 13.2+13.1 / nbd
Comment 8 Martin Pluskal 2015-05-22 13:01:51 UTC
I am clumsy on Fridays; it is obviously a different issue.
Comment 9 Swamp Workflow Management 2015-06-03 15:06:24 UTC
openSUSE-SU-2015:0994-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 930173,931987
CVE References: CVE-2013-7441,CVE-2015-0847
Sources used:
openSUSE 13.2 (src):    nbd-3.3-4.3.1
openSUSE 13.1 (src):    nbd-3.3-2.3.1