Bug 30153 - nbd new security issues CVE-2022-2649[56]
Summary: nbd new security issues CVE-2022-2649[56]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 30163
Reported: 2022-03-11 21:36 CET by David Walser
Modified: 2023-01-29 08:22 CET
CC List: 7 users

See Also:
Source RPM: nbd-3.23-1.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-03-11 21:36:57 CET
Debian-LTS has issued an advisory on March 10:
https://www.debian.org/lts/security/2022/dla-2944

The issue is fixed upstream in 3.24.

Mageia 8 is also affected.
David Walser 2022-03-11 21:37:14 CET

CC: (none) => mhrambo3501
Whiteboard: (none) => MGA8-64-OK
Status comment: (none) => Fixed upstream in 3.24

Comment 1 Mike Rambo 2022-03-12 02:52:32 CET
Updated package uploaded for cauldron and Mageia 8


Advisory:
========================

Updated nbd package fixes security vulnerability:

It was discovered that nbd prior to 3.24 contained an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name resulting in a write to a dangling pointer (CVE-2022-26495).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26495
https://www.debian.org/lts/security/2022/dla-2944
========================

Updated packages in core/updates_testing:
========================
nbd-3.24-1.mga8

from nbd-3.24-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: MGA8-64-OK => (none)
Status comment: Fixed upstream in 3.24 => (none)
Version: Cauldron => 8
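
The length-field overflow described in the advisory above, as an added C sketch that is not part of this bug report and is not nbd's source code. The message layout (4-byte big-endian length followed by the name), the function names and the 4096-byte cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_LEN 4096u /* assumed cap for this sketch, not nbd's value */

/* Decode the 4-byte big-endian length field of the constructed message. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed sizing: "name + NUL" in 32-bit arithmetic. 0xffffffff + 1 wraps
 * to 0, so the buffer is zero-sized while later code still trusts namelen. */
uint32_t unchecked_alloc_size(uint32_t namelen) {
    return namelen + 1u;
}

/* Hardened parse of [4-byte length][name bytes]; msglen is what was received.
 * Returns a NUL-terminated heap copy, or NULL for any malformed input. */
char *parse_name(const unsigned char *msg, size_t msglen) {
    if (msglen < 4)
        return NULL;
    uint32_t namelen = be32(msg);
    if (namelen > MAX_NAME_LEN)          /* rejects 0xffffffff before any math */
        return NULL;
    if ((size_t)namelen > msglen - 4)    /* claimed length must fit the payload */
        return NULL;
    char *name = malloc((size_t)namelen + 1); /* bounded, cannot wrap */
    if (name == NULL)
        return NULL;
    memcpy(name, msg + 4, namelen);
    name[namelen] = '\0';
    return name;
}

int main(void) {
    /* Constructed inputs: the length from the advisory, then a valid name. */
    const unsigned char bad[] = {0xff, 0xff, 0xff, 0xff, 'x'};
    const unsigned char ok[] = {0, 0, 0, 7, 'e', 'x', 'p', 'o', 'r', 't', '1'};
    char *name = parse_name(ok, sizeof ok);
    printf("unchecked size for 0xffffffff: %u\n",
           (unsigned)unchecked_alloc_size(0xffffffffu));
    printf("hardened parser on 0xffffffff: %s\n",
           parse_name(bad, sizeof bad) ? "accepted" : "rejected");
    printf("hardened parser on valid name: %s\n", name ? name : "(null)");
    free(name);
    return 0;
}
```
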

Comment 2 Herman Viaene 2022-03-14 17:01:00 CET
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues
No previous info, so googled and found some mostly older pages like http://www.microhowto.info/howto/connect_to_a_remote_block_device_using_nbd.html
So went on and got into trouble immediately
# systemctl -l status nbd-server
● nbd-server.service - Network Block Device server
     Loaded: loaded (/usr/lib/systemd/system/nbd-server.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:nbd-server(1)
             man:nbd-server(5)

# systemctl  start nbd-server

# systemctl -l status nbd-server
● nbd-server.service - Network Block Device server
     Loaded: loaded (/usr/lib/systemd/system/nbd-server.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2022-03-14 16:40:35 CET; 3s ago
       Docs: man:nbd-server(1)
             man:nbd-server(5)
    Process: 6306 ExecStart=/usr/bin/nbd-server $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 6307 (code=exited, status=1/FAILURE)
        CPU: 5ms

mrt 14 16:40:35 mach5.hviaene.thuis systemd[1]: Starting Network Block Device server...
mrt 14 16:40:35 mach5.hviaene.thuis systemd[1]: Started Network Block Device server.
mrt 14 16:40:35 mach5.hviaene.thuis nbd_server[6307]: Invalid group name: nbd
mrt 14 16:40:35 mach5.hviaene.thuis systemd[1]: nbd-server.service: Main process exited, code=exited, status=1/FAILURE
mrt 14 16:40:35 mach5.hviaene.thuis nbd_server[6307]: Exiting.
mrt 14 16:40:35 mach5.hviaene.thuis systemd[1]: nbd-server.service: Failed with result 'exit-code'.
journalctl gave no more info.
Checked in MCC that indeed no group nbd exists. So what ??? Create the group manually???

CC: (none) => herman.viaene

Comment 3 David Walser 2022-03-15 00:22:29 CET
The package should be creating the group in a scriptlet. Sounds like a packaging bug.
Comment 4 David Walser 2022-03-15 19:40:23 CET
Debian has issued an advisory for this on March 12:
https://www.debian.org/security/2022/dsa-5100

It lists another CVE also fixed upstream in 3.24.

Keywords: (none) => feedback
Severity: normal => critical
Summary: nbd new security issue CVE-2022-26495 => nbd new security issues CVE-2022-2649[56]

Comment 5 David Walser 2022-03-15 19:42:35 CET
Ubuntu has issued an advisory for this on March 14:
https://ubuntu.com/security/notices/USN-5323-1
Comment 6 David Walser 2022-03-16 18:05:34 CET
Fedora has issued an advisory for this today (March 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/
David Walser 2022-04-20 16:27:42 CEST

Keywords: feedback => (none)
Assignee: qa-bugs => mhrambo3501
Status comment: (none) => Package needs to create nbd group in scriplet

Comment 7 David Walser 2022-04-20 16:52:29 CEST
openSUSE has issued an advisory for this today (April 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GY3FXWPGNBOFA2QZOFDFNU2AZJWYEW7A/
Comment 8 Mike Rambo 2022-04-25 16:53:17 CEST
Updated package uploaded for cauldron and Mageia 8


Advisory:
========================

Updated nbd package fixes a security vulnerability and a package bug:

It was discovered that nbd prior to 3.24 contained an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name resulting in a write to a dangling pointer (CVE-2022-26495).

Packaging has been adjusted to create the required nbd group at installation.


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26495
https://www.debian.org/lts/security/2022/dla-2944
========================

Updated packages in core/updates_testing:
========================
nbd-3.24-1.1.mga8

from nbd-3.24-1.1.mga8.src.rpm

Status comment: Package needs to create nbd group in scriplet => (none)
Assignee: mhrambo3501 => qa-bugs

Comment 9 Brian Rockwell 2022-05-07 02:22:02 CEST
Installed

$ nbd-client -v
This is nbd-client, from nbd 3.24

I tried nbd-server as well.  It runs, but I don't have enough knowledge to make it work.

CC: (none) => brtians1

Comment 10 Herman Viaene 2022-05-11 14:40:03 CEST
Found info in https://www.thegeekstuff.com/2009/02/nbd-tutorial-network-block-device-jumpstart-guide/
but when trying to start nbd-server it still fails and journalctl shows:
mei 11 14:29:35 mach5.hviaene.thuis groupadd[220696]: group added to /etc/group: name=nbd, GID=954
mei 11 14:29:35 mach5.hviaene.thuis groupadd[220696]: group added to /etc/gshadow: name=nbd
mei 11 14:29:35 mach5.hviaene.thuis groupadd[220696]: new group: name=nbd, GID=954
mei 11 14:29:36 mach5.hviaene.thuis [RPM][215444]: install nbd-3.24-1.1.mga8.x86_64: success
mei 11 14:29:37 mach5.hviaene.thuis [RPM][215444]: install nbd-3.24-1.1.mga8.x86_64: success
mei 11 14:29:57 mach5.hviaene.thuis perl[215444]: running: rpm -ql nbd-3.24-1.1.mga8.x86_64
mei 11 14:29:57 mach5.hviaene.thuis perl[215444]: running: rpm -q --qf '%{description}' nbd-3.24-1.1.mga8.x86_64
mei 11 14:29:57 mach5.hviaene.thuis perl[215444]: running: rpm -q --changelog nbd-3.24-1.1.mga8.x86_64
mei 11 14:34:59 mach5.hviaene.thuis nbd_server[247928]: Invalid user name: nbd
mei 11 14:34:59 mach5.hviaene.thuis systemd[1]: nbd-server.service: Main process exited, code=exited, status=1/FAILURE
mei 11 14:34:59 mach5.hviaene.thuis nbd_server[247928]: Exiting.
mei 11 14:34:59 mach5.hviaene.thuis systemd[1]: nbd-server.service: Failed with result 'exit-code'.

So apparently not only a group, but also a user nbd is needed.
David Walser 2022-05-11 14:59:16 CEST

Keywords: (none) => feedback

Comment 11 Mike Rambo 2022-05-13 15:30:36 CEST
Another updated package uploaded for cauldron and Mageia 8


Advisory:
========================

Updated nbd package fixes a security vulnerability and a package bug:

It was discovered that nbd prior to 3.24 contained an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name resulting in a write to a dangling pointer (CVE-2022-26495).

Packaging has been adjusted to create the required nbd user and group at installation.


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26495
https://www.debian.org/lts/security/2022/dla-2944
========================

Updated packages in core/updates_testing:
========================
nbd-3.24-1.2.mga8

from nbd-3.24-1.2.mga8.src.rpm

Keywords: feedback => (none)

Comment 12 Herman Viaene 2022-05-14 12:07:50 CEST
nbd-3.24-1.2.mga8 does not resolve problem with missing nbd user as in Comment 10.
Comment 13 David Walser 2022-05-14 18:12:40 CEST
It looks like Mike fixed it correctly.  Try uninstalling the package and removing any references to nbd in /etc/{passwd,shadow,group} and re-installing it.
Comment 14 Mike Rambo 2022-05-15 15:37:05 CEST
fwiw - it installs and the nbd-server service runs for me.

[mrambo@baggins ~]$ sudo urpmi mageia/mga8/nbd/RPMS/x86_64/nbd-3.24-1.2.mga8.x86_64.rpm 

SECURITY: The following package is _NOT_ signed (OK ((none))): mageia/mga8/nbd/RPMS/x86_64/nbd-3.24-1.2.mga8.x86_64.rpm
installing nbd-3.24-1.2.mga8.x86_64.rpm from mageia/mga8/nbd/RPMS/x86_64
Preparing...                     ###########################################################################################################
      1/1: nbd                   ###########################################################################################################

[mrambo@baggins ~]$ systemctl status nbd-server
● nbd-server.service - Network Block Device server
     Loaded: loaded (/usr/lib/systemd/system/nbd-server.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:nbd-server(1)
             man:nbd-server(5)

[mrambo@baggins ~]$ systemctl start nbd-server

[mrambo@baggins ~]$ systemctl status nbd-server
● nbd-server.service - Network Block Device server
     Loaded: loaded (/usr/lib/systemd/system/nbd-server.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2022-05-15 09:21:19 EDT; 5s ago
       Docs: man:nbd-server(1)
             man:nbd-server(5)
    Process: 115717 ExecStart=/usr/bin/nbd-server $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 115718 (nbd-server)
      Tasks: 1 (limit: 19134)
     Memory: 720.0K
        CPU: 1.637s
     CGroup: /system.slice/nbd-server.service
             └─115718 /usr/bin/nbd-server

May 15 09:21:19 baggins systemd[1]: Starting Network Block Device server...
May 15 09:21:19 baggins systemd[1]: Started Network Block Device server.

[mrambo@baggins ~]$ ps aux | grep nbd
nbd       115718  0.7  0.0  10344  3344 ?        Ss   09:21   0:01 /usr/bin/nbd-server

I'm not as well versed in adding, using, and removing the testing repo as people in QA so I just used the rpm created when I built the package but it should be identical with the package built on the build system except it is unsigned.
Comment 15 Herman Viaene 2022-05-16 15:37:41 CEST
Followed David's suggestion in Comment 13 and now the server starts OK.
Tried to make a setup server - client on the same laptop, but the tutorial I found was apparently obsolete.
Found another https://sweetcode.io/introduction-to-linux-network-block-devices/, but I run into problems which are beyond me, like
and
https://blog.krybot.com/a?ID=01150-dfe34959-09da-4998-9a56-7029e75f8806
# nbd-client 192.168.2.5 1043/dev/nbd0
Warning: the oldstyle protocol is no longer supported.
This method now uses the newstyle protocol with a default export
getaddrinfo failed: Name or service not known

I'll leave it for judgment to OK this update, but I fear I can't make any progress further.
Comment 16 Dave Hodgins 2022-05-16 20:17:32 CEST
On the server when I start the service I get
nbd-server.service: Failed to parse PID from file /run/nbd-server.pid: Invalid argument
Restarting the server, it works ok so there seems to be a timing issue
creating the pid file, however even if it fails to create the pid file it
does start.

On my client system ...
# nbd-client -l 192.168.10.2
Negotiation: ..
export1
otherexport

I'm having trouble getting the client system to mount the export1 device. I'll
continue working on it to figure it out.

CC: (none) => davidwhodgins

Comment 17 Mike Rambo 2022-06-12 02:32:05 CEST
My efforts got only as far as yours in that I can get a list of available exports but cannot mount them. The help websites I used all say that you need to specify a device for the mount in the form /dev/nbdX but those device nodes do not exist on either of my machines (both are physical mga8 boxes - no VM).

However, this does not appear to be a change from the existing package which makes me wonder if nbd has worked any time recently. The error I see from the client is the same.

nbd-client 192.168.3.23 /dev/nbd0 -name export1
Negotiation: ..size = 0MB
Error: Couldn't resolve the nbd netlink family, make sure the nbd module is loaded and your nbd driver supports the netlink interface.

Exiting.

Ah... There is a module to load. modprobe nbd will get you /dev/nbd0 - /dev/nbd15.

nbd-client 192.168.3.23 /dev/nbd0 -name export1
Negotiation: ..size = 0MB
Error: Failed to setup device, check dmesg

Exiting.

Checking dmesg didn't reveal anything. The most recent entry was several hours old and had nothing to do with nbd.

I got the same results with both the new client in nbd-3.24-1.2.mga8 as well as the original client in nbd-3.20-3.mga8. Last of all I tried the old package on the server box too and still could not get beyond the 'failed to setup device' message.

I'm at a loss. The new package behaves the same as the old package so there doesn't seem to be a regression, but I also cannot get either of them to actually work.

I found these two sites to be the most helpful.
https://forums.gentoo.org/viewtopic-t-896132.html
https://www.aixperts.co.uk/?p=301
Comment 18 Mike Rambo 2022-06-15 17:48:33 CEST
Connecting as root gets past the "Failed to setup device" error.

$ sudo nbd-client 192.168.3.23 /dev/nbd0 -name export1
Negotiation: ..size = 0MB
Connected /dev/nbd0

The above is with the new package on both server and client but I haven't been able to do anything more with it yet. I've been trying to share a file as I saw in an example somewhere. Maybe it needs an actual block device? The documentation is not the best.
Comment 19 Herman Viaene 2022-07-30 11:45:38 CEST
Got back on the subject, and made a little progress.
After starting the server I get
# nbd-client -l mach7
Negotiation: ..
export1
otherexport
Just as Dave got.
Following one of the tutorials I did
# dd if=/dev/zero of=/mnt/dhini bs=1024 count=36000
36000+0 records in
36000+0 records out
36864000 bytes (37 MB, 35 MiB) copied, 0.654016 s, 56.4 MB/s
[root@mach7 ~]# mke2fs /mnt/dhini
mke2fs 1.45.6 (20-Mar-2020)
Discarding device blocks: done                            
Creating filesystem with 36000 1k blocks and 9000 inodes
Filesystem UUID: c6eda01a-1b5d-48c0-b15e-f72a026055ae
Superblock backups stored on blocks: 
        8193, 24577

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

But how to get this into the server configuration file beats me and I get no further than
# nbd-client -l mach7 1043 /mnt/dhini
Negotiation: ..

E: listing not allowed by server.
Adding 
allowlist = true
to the config file does not help, but at least it shows the server is responding.
I'll let Dave and Mike have their say on whether this is enough to let the update go.
Comment 20 Thomas Andrews 2022-10-28 15:49:09 CEST
90 days, three months, without so much as a comment, on a critical update? 

Not good.

CC: (none) => andrewsfarm

Comment 21 David Walser 2022-10-29 00:20:25 CEST
Sounds like we should have pushed this one.
Comment 22 Mike Rambo 2022-10-29 20:08:51 CEST
I don't see a reason to hold it. The package was imported by zezinho in 2020 a couple of months before he died so there is no official maintainer. I pushed the fix just because it looked fairly straight-forward but I don't actually know anything about nbd. I tried to help when I saw there were problems testing, and though I was never able to get it to fully work, the patched and original versions "didn't work" in the same way so there does not appear to be any regression. There has never been any other bug against this package. Given that it may have never worked (from all I can tell) maybe it should be dropped from cauldron before mga9 is branched.
Comment 23 David Walser 2022-10-29 23:43:53 CEST
Yes it definitely should be dropped.
Comment 24 Thomas Andrews 2022-10-30 01:21:58 CEST
(In reply to David Walser from comment #21)
> Sounds like we should have pushed this one.
(In reply to Mike Rambo from comment #22)
> I don't see a reason to hold it. 

I'm sending this on on the basis of several clean installs. The problems don't appear to be new regressions.

Validating. Advisory in Comment 11.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

David Walser 2022-10-30 04:58:56 CET

Blocks: (none) => 30163

Dave Hodgins 2022-11-01 22:32:43 CET

Keywords: (none) => advisory

Comment 25 Mageia Robot 2022-11-02 00:00:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0403.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 26 Wouter Verhelst 2023-01-29 08:22:32 CET
(In reply to Mike Rambo from comment #18)
> Connecting as root gets past the "Failed to setup device" error.
> 
> $ sudo nbd-client 192.168.3.23 /dev/nbd0 -name export1
> Negotiation: ..size = 0MB
> Connected /dev/nbd0
> 
> The above is with the new package on both server and client but I haven't
> been able to do anything more with it yet. I've been trying to share a file as I
> saw in an example somewhere. Maybe it needs an actual block device? The
> documentation is not the best.

Upstream here.

This comment almost got it right; the only step you were missing is that the export you created was for a zero sized file, or that the NBD user did not have permissions to read and/or write that file. To fix, you need to use dd or ftruncate or something along those lines to make sure the file has a reasonable size (it can be a sparse file) and then retry.

Once you get this 'connected' message with a non-zero size, the connected device is active and it can be read from or written to. To mount it, you would need to create a filesystem (as far as user space is concerned at this point, it's a regular block device).

CC: (none) => wouter
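
The two causes named in the comment above (a zero-sized export file, or a server user without read/write permission) can be checked before starting a client. This is an added C example, not part of the thread or of nbd; the function names are hypothetical, and only classic mode bits are examined (no ACLs, supplementary groups, root bypass or parent directories).

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum export_status { EXPORT_OK, EXPORT_MISSING, EXPORT_ZERO_SIZE, EXPORT_NO_ACCESS };

/* Create or resize a backing file to `size` bytes with ftruncate. Blocks
 * are not allocated until written, so the file is sparse. 0 on success. */
int make_sparse_backing(const char *path, off_t size) {
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    int rc = ftruncate(fd, size);
    close(fd);
    return rc;
}

/* Could a server running as uid/gid serve this file read-write?
 * Assumption: only the owner/group/other mode bits are checked. */
enum export_status check_export(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    if (stat(path, &st) != 0)
        return EXPORT_MISSING;
    if (S_ISREG(st.st_mode) && st.st_size == 0)
        return EXPORT_ZERO_SIZE;   /* the "size = 0MB" case seen in the thread */
    mode_t rd, wr;
    if (st.st_uid == uid)      { rd = S_IRUSR; wr = S_IWUSR; }
    else if (st.st_gid == gid) { rd = S_IRGRP; wr = S_IWGRP; }
    else                       { rd = S_IROTH; wr = S_IWOTH; }
    if (!(st.st_mode & rd) || !(st.st_mode & wr))
        return EXPORT_NO_ACCESS;
    return EXPORT_OK;
}

int main(int argc, char **argv) {
    static const char *msg[] = {"ok", "missing", "zero-sized", "no read/write access"};
    if (argc != 2) {
        fprintf(stderr, "usage: %s <export-file>\n", argv[0]);
        return 2;
    }
    /* Checks against the invoking user; pass the server's ids in real use. */
    enum export_status s = check_export(argv[1], getuid(), getgid());
    printf("%s: %s\n", argv[1], msg[s]);
    return s == EXPORT_OK ? 0 : 1;
}
```
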

