Bugzilla – Bug 1215799
VUL-0: CVE-2023-5215: libnbd: NBS server does not return expected block size
Last modified: 2024-01-08 15:39:55 UTC
In libnbd since v1.0 a server can reply with a block size larger than 2^63 (the NBD spec states size is a 64-bit unsigned value) possibly leading to application crash or other unintended behavior for NBD clients that doesn't treat the return value correctly. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5215 https://bugzilla.redhat.com/show_bug.cgi?id=2241041 https://listman.redhat.com/archives/libguestfs/2023-September/032635.html
Tracking as affected: - SUSE:ALP:Source:Standard:1.0/libnbd 1.14.1 - SUSE:SLE-15-SP3:Update/libnbd 1.12.4 - openSUSE:Factory/libnbd 1.14.1
correction, this does not need a submission: - SUSE:SLE-15-SP3:Update/libnbd 1.12.4
(In reply to Hu from comment #2) > correction, this does not need a submission: > - SUSE:SLE-15-SP3:Update/libnbd 1.12.4 Ok. As for the other two, I've updated libnbd to recently released 1.18.0, which includes the fix. It's been submitted to Factory (#1114449) and ALP (#308923). I think that's it for me. Passing to the security-team...
This is an autogenerated message for OBS integration: This bug (1215799) was mentioned in https://build.opensuse.org/request/show/1114449 Factory / libnbd
(In reply to Hu from comment #2) > correction, this does not need a submission: > - SUSE:SLE-15-SP3:Update/libnbd 1.12.4 BTW, why doesn't this one need a submission? libnbd and nbdkit are not distributed, but they are used in kubevirt's CDI container. As for fixing this older version, I'd prefer to update it to 1.18.0, which is the version used by Factory/ALP. Same for nbdkit, which I'd like to update to 1.36.0. Currently, libnbd is inherited from SUSE:SUSE:SLE-15-SP3:Update and nbdkit from SUSE:SLE-15-SP4:Update. kubevirt is no longer supported on SP3, with SP4 support ending at the close of the year. So question for maintenance: how to update these packages for SLE15? Submit updates to the existing packages and allow them to be inherited in newer SPs? Or leave the existing stuff and submit the latest to SUSE:SLE-15-SP6:GA? Also recall the special maintenance agreement wrt updating kubevirt components without ECO process https://confluence.suse.com/display/Virtualization/KubeVirt+toolstack+in+the+SLE+world
yes, security needs a submission for it yes if it gets built into a customer facing container. i am okay with the update. As it only gets into the CDI container and shipped to openSUSE Leap, I think we are more free with version updates in place. I let maint-coord comment too.
(In reply to Marcus Meissner from comment #7) > i am okay with the update. > > As it only gets into the CDI container and shipped to openSUSE Leap, I think > we are more free with version updates in place. Thanks. I've submitted and updated libnbd to SUSE:SLE-15-SP3:Update (req#311587) and updated nbdkit to SUSE:SLE-15-SP4:Update (req#311588).
SUSE-SU-2023:4222-1: An update that solves one vulnerability and contains one feature can now be installed. Category: security (moderate) Bug References: 1215799 CVE References: CVE-2023-5215 Jira References: ECO-3633 Sources used: openSUSE Leap 15.3 (src): libnbd-1.18.1-150300.8.15.1 openSUSE Leap 15.4 (src): libnbd-1.18.1-150300.8.15.1 openSUSE Leap 15.5 (src): libnbd-1.18.1-150300.8.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Submitted CDI update to rebuild the container images and include the new libnbd and nbdkit: https://build.suse.de/request/show/311963
done