[Libguestfs] LIBNBD SECURITY: Negative results from nbd_get_size() - CVE-2023-5215
Eric Blake
eblake at redhat.com
Wed Sep 27 12:57:59 UTC 2023
On Tue, Sep 26, 2023 at 02:12:27PM -0500, Eric Blake wrote:
> We have discovered a security flaw with potential minor impact in
> libnbd.
>
> Lifecycle
> ---------
>
> Reported: 2023-09-17
> Fixed: 2023-09-22
> Published: 2023-09-26
>
> At the time of this email, the Red Hat security team is analyzing
> potential security impacts to determine if a CVE is warranted against
> libnbd; if one is assigned, a followup email will announce that
> identifier. However, even if a CVE is not assigned to libnbd, the
> issues documented here warrant an audit of clients that utilize the
> nbd_get_size() API from libnbd, to see if they might be subject to a
> weakness when interpreting a large size as a negative value. The
> libnbd developers felt it more important to issue this security notice
> prior to the release of v1.18 than to hold up the release schedule
> waiting for final analysis on whether libnbd needs a CVE.
The Red Hat security team assigned this CVE-2023-5215 as a low-impact
security vulnerability, with a rating of low impact severity.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org
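As an added illustration of the client audit the quoted notice asks for (example code, not libnbd's own and not from the author), here is the int64_t value returned by nbd_get_size() checked two ways: the weak pattern that only treats -1 as an error beside a hardened check that rejects every negative value and bounds the size before any arithmetic uses it. The sample size with the top bit set, the sector size and the maximum bound are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed example, not libnbd code.  nbd_get_size() returns int64_t and
 * documents -1 as its error value.  A 64-bit size with the top bit set
 * (constructed here as 0x8000000000000000, i.e. INT64_MIN when read as
 * int64_t) is negative but is not -1, so an "== -1" test lets it through. */
#define SECTOR 512          /* assumed sector size for the examples */

/* Weak pattern: only the documented -1 is treated as failure.  Any other
 * negative size flows into the arithmetic and yields a negative count. */
int64_t sectors_weak(int64_t size)
{
    if (size == -1)
        return -1;          /* nbd_get_size() error */
    return size / SECTOR;   /* negative for every other negative size */
}

/* Hardened pattern: every negative value is an error, and the size must
 * also fit a client-chosen maximum before it is used for allocation or
 * loop bounds.  On success the validated size is stored as unsigned. */
bool export_size_ok(int64_t size, uint64_t max_size, uint64_t *out)
{
    if (size < 0)
        return false;       /* -1 (error) or a sign-bit-set size */
    if ((uint64_t)size > max_size)
        return false;       /* larger than this client is prepared for */
    *out = (uint64_t)size;
    return true;
}
```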