CVE-2023-5215

2023-09-2814:15:26

Debian Security Bug Tracker

security-tracker.debian.org

libnbd

application crash

server response

nbd clients

unintended behavior

64-bit value

cve-2023-5215

unix

6.5 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

10.4%

JSON

A flaw was found in libnbd. A server can reply with a block size larger than 2^63 (the NBD spec states the size is a 64-bit unsigned value). This issue could lead to an application crash or other unintended behavior for NBD clients that doesn’t treat the return value of the nbd_get_size() function correctly.

OSVersionArchitecturePackageVersionFilename
Debian12alllibnbd<= 1.14.2-1libnbd_1.14.2-1_all.deb
Debian11alllibnbd<= 1.6.1-1libnbd_1.6.1-1_all.deb
Debian999alllibnbd< 1.16.5-1libnbd_1.16.5-1_all.deb
Debian13alllibnbd< 1.16.5-1libnbd_1.16.5-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	libnbd	<= 1.14.2-1	libnbd_1.14.2-1_all.deb
Debian	11	all	libnbd	<= 1.6.1-1	libnbd_1.6.1-1_all.deb
Debian	999	all	libnbd	< 1.16.5-1	libnbd_1.16.5-1_all.deb
Debian	13	all	libnbd	< 1.16.5-1	libnbd_1.16.5-1_all.deb