On Wed, Apr 23, 2025 at 04:06:44PM -0500, Eric Blake via Libguestfs wrote:
> Still waiting on Red Hat's security team to decide if these get CVE
> designations, but at this point, we consider the impact to be low
> enough severity (easy to avoid if your server rejects malicious
> clients by the use of TLS) and related enough that there is no longer
> any need to embargo the second one.
>
> I'll wait a bit longer to apply, to provide time to update the subject
> lines according to whether we get CVEs assigned.
>
> Eric Blake (2):
>   server: Fix off-by-one for maximum block_status length [CVE-XXX]
>   blocksize: Fix 32-bit overflow in .extents [CVE-XXXX]
These have now been assigned CVE identifiers. CVE-2025-47711 is for
the server error with any plugin returning .extents of 4G or more, and
CVE-2025-47712 is for the blocksize filter bug on unaligned block
status requests near 4G.
I am now in the process of applying the patches to mainline and
backporting them to branches that are still in active use; I will send
a followup mail with tests for vulnerable versions and version
numbers/commit ids to be used to avoid the problems, along with a
patch to docs/nbdkit-security.pod pointing to that eventual mail.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization:  qemu.org | libguestfs.org