On Sat, May 10, 2025 at 10:08:30AM +0100, Richard W.M. Jones wrote:
> On Thu, May 08, 2025 at 01:51:21PM -0500, Eric Blake via Libguestfs wrote:
> > On Wed, Apr 23, 2025 at 04:06:44PM -0500, Eric Blake via Libguestfs wrote:
> > > Still waiting on Red Hat's security team to decide if these get CVE
> > > designations, but at this point, we consider the impact to be low
> > > enough severity (easy to avoid if your server rejects malicious
> > > clients by the use of TLS) and related enough that there is no longer
> > > any need to embargo the second one.
> > >
> > > I'll wait a bit longer to apply, to provide time to update the subject
> > > lines according to whether we get CVEs assigned.
> > >
> > > Eric Blake (2):
> > > server: Fix off-by-one for maximum block_status length [CVE-XXX]
> > > blocksize: Fix 32-bit overflow in .extents [CVE-XXXX]
> >
> > These have now been assigned CVE identifiers. CVE-2025-47711 is for
> > the server error with any plugin returning .extents of 4G or more, and
> > CVE-2025-47712 is for the blocksize filter bug on unaligned block
> > status requests near 4G.
> >
> > I am now in the process of applying the patches to mainline and
> > backporting them to branches that are still in active use; I will send
> > a followup mail with tests for vulnerable versions and version
> > numbers/commit ids to be used to avoid the problems, along with a
> > patch to docs/nbdkit-security.pod pointing to that eventual mail.
>
> Thanks Eric. The fixes are available in development version 1.43.7
> and stable version 1.42.3.
And now in stable versions 1.40.6 and 1.38.6.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org