nbd: CVE-2013-7441: server dies if client asks for a non-existing export

Related Vulnerabilities: CVE-2013-7441, CVE-2011-1925, CVE-2015-0847

Debian Bug report logs - #781547

Reported by: Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>

Date: Mon, 30 Mar 2015 20:45:02 UTC

Severity: important

Tags: security

Found in version nbd/1:3.2-4~deb7u4

Fixed in version nbd/1:3.2-4~deb7u5

Done: Wouter Verhelst <wouter@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, tuomasjjrasanen@tjjr.fi, Wouter Verhelst <wouter@debian.org>:
Bug#781547; Package nbd-server. (Mon, 30 Mar 2015 20:45:07 GMT)


Acknowledgement sent to Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>:
New Bug report received and forwarded. Copy sent to tuomasjjrasanen@tjjr.fi, Wouter Verhelst <wouter@debian.org>. (Mon, 30 Mar 2015 20:45:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nbd-server: server dies if client asks for a non-existing export
Date: Mon, 30 Mar 2015 23:04:51 +0300
Package: nbd-server
Version: 1:3.2-4~deb7u4
Severity: important
Tags: security

Dear Maintainer,

There's a remotely exploitable denial of service flaw, similar/identical
to CVE-2011-1925 in nbd-server. It has been documented publicly in
2013-01-28[1]. It has been fixed in upstream version 3.4 [2] and hence
affects only the stable release (1:3.2-4~deb7u4).

[1]: http://sourceforge.net/p/nbd/mailman/message/30410146/
[2]: https://github.com/yoe/nbd/commit/741495cb08503fd32a9d22648e63b64390c601f4

The flaw can be exploited easily by connecting to a server (listening at
10.0.0.1 in this example) and asking for a non-existing export:

  nbd-client 10.0.0.1 -N some-non-existing-export-name /dev/nbd1

The root (listener) nbd-server process will exit because of failed
negotiation procedure, effectively denying the service from others.

I'm the author of the commit which fixed the issue in upstream release
3.4 and I'm willing to help to get it fixed/backported also to stable. I
have drafted and tested a backported patch on top of nbd 1:3.2-4~deb7u4
[3]. It is basically identical to
741495cb08503fd32a9d22648e63b64390c601f4, I just had to use msg2(),
msg3() and msg4() instead of msg() and a single modernsock instead of a
socket array.

[3]: https://github.com/tuomasjjrasanen/nbd/commit/6e7cc14f21f9e899412d307c331acb2cad85fc56

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nbd-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u8
ii  libglib2.0-0           2.33.12+really2.32.4-5
ii  ucf                    3.0025+nmu3

nbd-server recommends no packages.

nbd-server suggests no packages.

-- debconf information:
  nbd-server/convert: true
  nbd-server/useports: false
  nbd-server/autogen:
  nbd-server/name:
  nbd-server/filename:
  nbd-server/number: 0
  nbd-server/port:
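
Added example, not part of the original report and not nbd's own code: a minimal C model of the fix discussed in this bug, where negotiation runs in a per-client child so that a failed negotiation cannot terminate the listener. The export names and the functions negotiate_or_die() and serve_client() are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed export table (assumption; a real server reads its config). */
static const char *const exports[] = { "disk0", "backup", NULL };

/* Simplified stand-in for negotiation: any failure is treated as fatal
 * and terminates the calling process. Run in the listener, this is the
 * failure mode the report describes. */
static void negotiate_or_die(const char *requested)
{
    for (size_t i = 0; exports[i] != NULL; i++)
        if (strcmp(exports[i], requested) == 0)
            return;
    _exit(EXIT_FAILURE);            /* unknown export: fatal for this process */
}

/* Hardened pattern: fork first, negotiate in the child. A failed
 * negotiation ends only the per-client child. Returns the child's exit
 * status, or -1 on fork/waitpid failure. Waiting synchronously keeps the
 * model short; a real server would reap children asynchronously. */
int serve_client(const char *requested)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        negotiate_or_die(requested);
        _exit(EXIT_SUCCESS);        /* a real server would serve I/O here */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed request sequence: a bad name between two good ones. */
    const char *requests[] = { "disk0", "some-non-existing-export-name", "backup" };
    for (size_t i = 0; i < 3; i++)
        printf("%-32s -> child exit %d, listener pid %d still running\n",
               requests[i], serve_client(requests[i]), (int)getpid());
    return 0;
}
```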



Information forwarded to debian-bugs-dist@lists.debian.org, Wouter Verhelst <wouter@debian.org>:
Bug#781547; Package nbd-server. (Thu, 21 May 2015 15:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Wouter Verhelst <wouter@debian.org>. (Thu, 21 May 2015 15:03:04 GMT)


Message #10 received at 781547@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>, 781547@bugs.debian.org
Subject: Re: Bug#781547: nbd-server: server dies if client asks for a non-existing export
Date: Thu, 21 May 2015 16:59:42 +0200
Control: retitle -1 nbd: CVE-2013-7441: server dies if client asks for a non-existing export

On Mon, Mar 30, 2015 at 11:04:51PM +0300, Tuomas Räsänen wrote:
> There's a remotely exploitable denial of service flaw, similar/identical
> to CVE-2011-1925 in nbd-server. It has been documented publicly in
> 2013-01-28[1]. It has been fixed in upstream version 3.4 [2] and hence
> affects only the stable release (1:3.2-4~deb7u4).
> 
> [1]: http://sourceforge.net/p/nbd/mailman/message/30410146/
> [2]: https://github.com/yoe/nbd/commit/741495cb08503fd32a9d22648e63b64390c601f4

CVE-2013-7441 was assigned for this issue in
http://www.openwall.com/lists/oss-security/2015/05/21/5 .

Regards,
Salvatore



Changed Bug title to 'nbd: CVE-2013-7441: server dies if client asks for a non-existing export' from 'nbd-server: server dies if client asks for a non-existing export'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 781547-submit@bugs.debian.org. (Thu, 21 May 2015 15:03:04 GMT)


Reply sent to Wouter Verhelst <wouter@debian.org>:
You have taken responsibility. (Sun, 24 May 2015 13:33:59 GMT)


Notification sent to Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>:
Bug acknowledged by developer. (Sun, 24 May 2015 13:33:59 GMT)


Message #17 received at 781547-close@bugs.debian.org:

From: Wouter Verhelst <wouter@debian.org>
To: 781547-close@bugs.debian.org
Subject: Bug#781547: fixed in nbd 1:3.2-4~deb7u5
Date: Sun, 24 May 2015 13:32:40 +0000
Source: nbd
Source-Version: 1:3.2-4~deb7u5

We believe that the bug you reported is fixed in the latest version of
nbd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 781547@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Wouter Verhelst <wouter@debian.org> (supplier of updated nbd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 15 May 2015 13:03:42 +0200
Source: nbd
Binary: nbd-server nbd-client nbd-client-udeb
Architecture: source amd64
Version: 1:3.2-4~deb7u5
Distribution: oldstable-security
Urgency: medium
Maintainer: Wouter Verhelst <wouter@debian.org>
Changed-By: Wouter Verhelst <wouter@debian.org>
Description: 
 nbd-client - Network Block Device protocol - client
 nbd-client-udeb - Network Block Device protocol - client for Debian Installer (udeb)
 nbd-server - Network Block Device protocol - server
Closes: 781547 784657
Changes: 
 nbd (1:3.2-4~deb7u5) oldstable-security; urgency=medium
 .
   * Backport fix for CVE-2015-0847 to fix handling of SIGTERM and SIGCHLD.
     Closes: #784657.
   * Merge patch by Tuomas Räsänen to do all negotiation in the child
     process. Closes: #781547, CVE-2013-7441.
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Jun 2015 07:28:24 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:55:56 2019; Machine Name: buxtehude
