Merge nbd from Debian unstable for kinetic

Bug #1971294 reported by Bryce Harrington
Affects | Status | Importance | Assigned to | Milestone
nbd (Ubuntu) | Fix Released | Undecided | Athos Ribeiro |

Bug Description

Upstream: tbd
Debian: 1:3.24-1
Ubuntu: 1:3.23-3ubuntu1

### New Debian Changes ###

nbd (1:3.24-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2022-26495: Disallow name lengths of (unsigned int)-1, by
      constraining the length to 4096 bytes
    - CVE-2022-26496: Fix buffer overflow in NBD_OPT_INFO/NBD_OPT_GO
      handling.
    - These security are tracked in the Debian BTS; Closes: #1006915.
    - nbd-server transaction logs can now optionally also log data
    - New binary: nbd-trplay, to replay (to an image) a transaction log.

 -- Wouter Verhelst <email address hidden> Tue, 08 Mar 2022 10:02:56 +0200

nbd (1:3.23-3) unstable; urgency=medium

  * debian/control: also add bison and flex
  * debian/rules: override dh_autoreconf with a call to ./autogen.sh, so
    that things actually work.

 -- Wouter Verhelst <email address hidden> Wed, 24 Nov 2021 15:45:33 +0200

nbd (1:3.23-2) unstable; urgency=medium

  * debian/control: add autoconf-archive to build-depends

 -- Wouter Verhelst <email address hidden> Mon, 22 Nov 2021 11:11:34 +0200

nbd (1:3.23-1) unstable; urgency=medium

  * New upstream release
    - Fixes hostname resolving issues; closes: #996487.

 -- Wouter Verhelst <email address hidden> Sun, 21 Nov 2021 18:13:36 +0200

nbd (1:3.22-1) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Add missing ${misc:Depends} to Depends for nbd-client-udeb.
  * Bump debhelper from old 9 to 12.
  * Set debhelper-compat version in Build-Depends.
  * Replace XC-Package-Type with Package-Type.

  [ Wouter Verhelst ]
  * New upstream release

 -- Wouter Verhelst <email address hidden> Mon, 04 Oct 2021 14:34:34 +0200

nbd (1:3.21-1) unstable; urgency=medium

  * New upstream release.

 -- Wouter Verhelst <email address hidden> Mon, 18 Jan 2021 20:51:42 +0200

nbd (1:3.20-1) unstable; urgency=medium

  * New upstream release

 -- Wouter Verhelst <email address hidden> Mon, 16 Sep 2019 09:05:42 +0200

nbd (1:3.19-3) unstable; urgency=medium

  * debian/control: add docbook-utils to build-depends. This shouldn't
    strictly be necessary, but it's the quickest fix that allows the
    package to build again... Closes: #922383

 -- Wouter Verhelst <email address hidden> Sun, 17 Feb 2019 10:51:59 +0200

nbd (1:3.19-2) unstable; urgency=medium

  * Don't remove nonexisting files...

 -- Wouter Verhelst <email address hidden> Fri, 15 Feb 2019 06:25:31 +0100

nbd (1:3.19-1) unstable; urgency=medium

  * New upstream release
  * Document the fact that we're using template units. Closes: #908977.
  [ Jelmer Vernooij ]
  * debian/source/format: Set source format to '1.0'. Fixes lintian error
    unknown-source-format.

 -- Wouter Verhelst <email address hidden> Thu, 14 Feb 2019 14:06:59 +0100

nbd (1:3.18-1) unstable; urgency=medium

  * New upstream release
  * debian/control: update Vcs-* package fields to point to salsa, not
    alioth.
  * debian/control: bump Standards-Version to 4.1.3 (no relevant changes)
  * debian/control: limit the libnl-genl-dev dependency to linux-any
    (since nbd-client isn't built on !linux)

 -- Wouter Verhelst <email address hidden> Sat, 18 Aug 2018 17:19:50 +0200

nbd (1:3.17-2) unstable; urgency=medium

  * Add missing build-dependency on libnl-genl-dev

 -- Wouter Verhelst <email address hidden> Sat, 17 Mar 2018 22:48:11 +0100

### Old Ubuntu Delta ###

nbd (1:3.23-3ubuntu1) jammy; urgency=medium

  * SECURITY UPDATE: heap overflow via long name length
    - nbd-server.c: limit the size of a name length.
    - 4e5c5d2ed71cc9c34559e5fbeeb7f390661e530c
    - CVE-2022-26495
  * SECURITY UPDATE: buffer overflow in NBD_OPT_INFO/NBD_OPT_GO handling
    - nbd-server.c: use consume function instead of socket_read.
    - 3740ff7fc9c3847d309c180a1a9fc9bc895342d5
    - CVE-2022-26496

 -- Marc Deslauriers <email address hidden> Thu, 10 Mar 2022 09:08:15 -0500
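
Added example, not code from nbd or from this bug report: a minimal C sketch of the kind of check the CVE-2022-26495 changelog entry describes, capping a length-prefixed name at 4096 bytes before allocating. The helper names, the status enum and the in-memory `[u32 big-endian length][name]` layout are assumptions made for illustration; the sample input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_LEN 4096u  /* cap stated in the changelog entry */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_NOMEM };

/* Hypothetical helper (not nbd-server code): parse [u32 BE length][name]
 * from an option payload that is already held in memory. */
static enum parse_status parse_name(const uint8_t *buf, size_t buflen, char **out)
{
    uint32_t len;
    char *name;

    *out = NULL;
    if (buflen < 4)
        return PARSE_TRUNCATED;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    /* Cap first: with len == (unsigned int)-1, a 32-bit "len + 1" wraps
     * to 0, so an unchecked allocation would be far smaller than len. */
    if (len > MAX_NAME_LEN)
        return PARSE_TOO_LONG;
    /* The declared length must also fit in the bytes actually received. */
    if (len > buflen - 4)
        return PARSE_TRUNCATED;
    name = malloc((size_t)len + 1);
    if (name == NULL)
        return PARSE_NOMEM;
    memcpy(name, buf + 4, len);
    name[len] = '\0';
    *out = name;
    return PARSE_OK;
}

/* Size that an unchecked 32-bit "len + 1" would request. */
static uint32_t unchecked_alloc_size(uint32_t len) { return len + 1u; }

int main(void)
{
    const uint8_t wrap[] = { 0xff, 0xff, 0xff, 0xff };  /* constructed input */
    char *name;

    printf("unchecked size: %u, status: %d\n",
           (unsigned)unchecked_alloc_size(UINT32_MAX),
           (int)parse_name(wrap, sizeof wrap, &name));
    return 0;
}
```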


Bryce Harrington (bryce)
Changed in nbd (Ubuntu):
milestone: none → ubuntu-22.05
Athos Ribeiro (athos-ribeiro) wrote :

The current delta contains two security fixes, which are included in the new Debian unstable version of the package, as stated in d/changelog and as verified in

https://salsa.debian.org/wouter/nbd/-/commit/d88ff98b5f314fa52049e98ae56b2ec0b7f9c8b7#d8b58112d12c35316db0278cb2a2753729d77d53_2116_2180

Therefore, this can be a sync instead.

Changed in nbd (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
status: New → In Progress
Lucas Kanashiro (lucaskanashiro) wrote :

+1, please go ahead and sync it Athos.

Athos Ribeiro (athos-ribeiro) wrote :

This bug was fixed in the package nbd - 1:3.24-1

---------------
nbd (1:3.24-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2022-26495: Disallow name lengths of (unsigned int)-1, by
      constraining the length to 4096 bytes
    - CVE-2022-26496: Fix buffer overflow in NBD_OPT_INFO/NBD_OPT_GO
      handling.
    - These security are tracked in the Debian BTS; Closes: #1006915.
    - nbd-server transaction logs can now optionally also log data
    - New binary: nbd-trplay, to replay (to an image) a transaction log.

 -- Wouter Verhelst <email address hidden> Tue, 08 Mar 2022 10:02:56 +0200

Changed in nbd (Ubuntu):
status: In Progress → Fix Released