On Wed, Apr 23, 2025 at 04:06:44PM -0500, Eric Blake via Libguestfs wrote:
> Still waiting on Red Hat's security team to decide if these get CVE
> designations, but at this point, we consider the impact to be low
> enough severity (easy to avoid if your server rejects malicious
> clients by the use of TLS) and related enough that there is no longer
> any need to embargo the second one.
>
> I'll wait a bit longer to apply, to provide time to update the subject
> lines according to whether we get CVEs assigned.
>
> Eric Blake (2):
>   server: Fix off-by-one for maximum block_status length [CVE-XXX]
>   blocksize: Fix 32-bit overflow in .extents [CVE-XXXX]
These have now been assigned CVE identifiers. CVE-2025-47711 is for the
server error with any plugin returning .extents of 4G or more, and
CVE-2025-47712 is for the blocksize filter bug on unaligned block status
requests near 4G.

I am now in the process of applying the patches to mainline and
backporting them to branches that are still in active use; I will send a
followup mail with tests for vulnerable versions and version
numbers/commit ids to be used to avoid the problems, along with a patch
to docs/nbdkit-security.pod pointing to that eventual mail.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org