[Libguestfs] [NBDKIT SECURITY] Denial of Service / Amplification Attack in nbdkit

[Richard W.M. Jones]

On Tue, Oct 01, 2019 at 08:34:38AM -0500, Eric Blake wrote:
> On 9/20/19 8:58 AM, Eric Blake wrote:
> >On 9/12/19 12:41 PM, Richard W.M. Jones wrote:
> >>We have discovered a potential Denial of Service / Amplification Attack
> >>in nbdkit.
> >
> >Unfortunately, our fix for this issue cause another potential Denial of
> >Service attack:
> >
> >>
> >>Lifecycle
> >>---------
> >>
> >>Reported: 2019-09-11  Fixed: 2019-09-11  Published: 2019-09-12
> >>
> >>There is no CVE number assigned for this issue yet, but the bug is
> >>being categorized and processed by Red Hat's security team which may
> >>result in a CVE being published later.
> >>
> >
> >Reported: 2019-09-18  Fixed: 2019-09-19  Published: 2019-09-20
> >
> >Also pending Red Hat security review for whether this deserves a CVE
> >(presumably either both issues, or neither, will have a CVE)
> 
> Both CVEs have now been assigned:
> CVE-2019-14850 - denial of service due to premature .open, depending
> on plugin used
> CVE-2019-14851 - denial of service due to assertion after
> NBD_OPT_INFO, independent of plugin

I spent a bit of time working on the RHEL BZs for this today, and in
the process I backported the fix for CVE-2019-14850 to

nbdkit 1.8:
https://github.com/libguestfs/nbdkit/commit/f03f18af2fe393776ea3e400f64ff1de56ca052b

and nbdkit 1.4:
https://github.com/libguestfs/nbdkit/commit/111afbacf494e331d8c0e8fc6a6cbe8979260544

Both were non-trivial backports, in fact almost complete rewrites of
the patch.

Neither version of nbdkit is vulnerable to CVE-2019-14851 because they
didn't implement NBD_OPT_INFO.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW