On Tue, Sep 26, 2023 at 02:12:27PM -0500, Eric Blake wrote:
> We have discovered a security flaw with potential minor impact in
> libnbd.
>
> Lifecycle
> ---------
>
> Reported: 2023-09-17
> Fixed: 2023-09-22
> Published: 2023-09-26
>
> At the time of this email, the Red Hat security team is analyzing
> potential security impacts to determine if a CVE is warranted against
> libnbd; if one is assigned, a followup email will announce that
> identifier. However, even if a CVE is not assigned to libnbd, the
> issues documented here warrant an audit of clients that utilize the
> nbd_get_size() API from libnbd, to see if they might be subject to a
> weakness when interpreting a large size as a negative value. The
> libnbd developers felt it more important to issue this security notice
> prior to the release of v1.18 than to hold up the release schedule
> waiting for final analysis on whether libnbd needs a CVE.

The Red Hat security team assigned this CVE-2023-5215 as a low-impact
security vulnerability, with a rating of low impact severity.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org
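
The client-side audit the notice asks for, sketched as an added example that is not part of the email or of libnbd's code. It assumes a client that treats only -1 as failure; the helper names, the 1 TiB limit and the sample sizes are constructed for illustration, and nothing here calls libnbd.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a size query: the wire carries an unsigned
 * 64-bit size, the caller receives a signed one. Does not call libnbd. */
static int64_t size_as_signed(uint64_t advertised)
{
    if (advertised <= (uint64_t)INT64_MAX)
        return (int64_t)advertised;
    /* Two's-complement reinterpretation without implementation-defined casts. */
    return -(int64_t)(UINT64_MAX - advertised) - 1;
}

/* Weak pattern (assumed): only -1 counts as failure. */
static bool naive_accepts(int64_t size)
{
    return size != -1;
}

/* Audited pattern: reject every negative value, then bound the size by
 * what this client is prepared to handle before using it as a length. */
static bool checked_size(int64_t size, uint64_t client_max, uint64_t *out)
{
    if (size < 0 || (uint64_t)size > client_max)
        return false;
    *out = (uint64_t)size;
    return true;
}

int main(void)
{
    /* Constructed sample sizes, not taken from any real server. */
    const uint64_t samples[] = { 1024, (uint64_t)INT64_MAX + 1, UINT64_MAX - 511 };
    const uint64_t client_max = UINT64_C(1) << 40;   /* assumed 1 TiB limit */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t s = size_as_signed(samples[i]);
        uint64_t ok = 0;
        printf("advertised=%" PRIu64 " signed=%" PRId64 " naive=%s checked=%s\n",
               samples[i], s, naive_accepts(s) ? "accept" : "reject",
               checked_size(s, client_max, &ok) ? "accept" : "reject");
    }
    return 0;
}
```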