1216769 – (CVE-2023-5871) VUL-0: CVE-2023-5871: libnbd: A malicious NBD server may crash libnbd

Bug 1216769 (CVE-2023-5871) - VUL-0: CVE-2023-5871: libnbd: A malicious NBD server may crash libnbd

Summary: VUL-0: CVE-2023-5871: libnbd: A malicious NBD server may crash libnbd

Status:	RESOLVED FIXED

Alias:	CVE-2023-5871

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/383726/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-5871:5.3:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-11-01 05:15 UTC by SMASH SMASH
Modified:	2024-05-28 11:48 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2023-11-01 05:15:13 UTC

A malicious NBD server can easily crash libnbd

Refer:
https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5871

Comment 3 James Fehlig 2023-11-13 21:43:35 UTC

An updated libnbd package containing the fix has been submitted to Factory, SUSE:ALP:Source:Standard:1.0, and SUSE:SLE-15-SP3:Update. Passing the bug to security-team...

Comment 5 OBSbugzilla Bot 2023-11-13 22:15:02 UTC

This is an autogenerated message for OBS integration:
This bug (1216769) was mentioned in
https://build.opensuse.org/request/show/1125731 Factory / libnbd

Comment 6 Maintenance Automation 2023-11-16 20:30:30 UTC

SUSE-SU-2023:4463-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216769
CVE References: CVE-2023-5871
Sources used:
openSUSE Leap 15.4 (src): libnbd-1.18.1-150300.8.18.1
openSUSE Leap 15.5 (src): libnbd-1.18.1-150300.8.18.1
openSUSE Leap 15.3 (src): libnbd-1.18.1-150300.8.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Carlos López 2024-05-28 11:44:44 UTC

Done, closing.