[Libguestfs] Re: [nbdkit PATCH v2 0/2] Fix two assertion failures on large block size

On Sat, May 10, 2025 at 10:08:30AM +0100, Richard W.M. Jones wrote: > On Thu, May 08, 2025 at 01:51:21PM -0500, Eric Blake via Libguestfs wrote: > > On Wed, Apr 23, 2025 at 04:06:44PM -0500, Eric Blake via Libguestfs wrote: > > > Still waiting on Red Hat's security team to decide if these get CVE > > > designations, but at this point, we consider the impact to be low > > > enough severity (easy to avoid if your server rejects malicious > > > clients by the use of TLS) and related enough that there is no longer > > > any need to embargo the second one. > > > > > > I'll wait a bit longer to apply, to provide time to update the subject > > > lines according to whether we get CVEs assigned. > > > > > > Eric Blake (2): > > > server: Fix off-by-one for maximum block_status length [CVE-XXX] > > > blocksize: Fix 32-bit overflow in .extents [CVE-XXXX] > > > > These have now been assigned CVE identifiers. CVE-2025-47711 is for > > the server error with any plugin returning .extents of 4G or more, and > > CVE-2025-47712 is for the blocksize filter bug on unaligned block > > status requests near 4G. > > > > I am now in the process of applying the patches to mainline and > > backporting them to branches that are still in active use; I will send > > a followup mail with tests for vulnerable versions and version > > numbers/commit ids to be used to avoid the problems, along with a > > patch to docs/nbdkit-security.pod pointing to that eventual mail. > > Thanks Eric. The fixes are available in development version 1.43.7 > and stable version 1.42.3. And now in stable versions 1.40.6 and 1.38.6.