Updated package uploaded for cauldron and Mageia 8


Advisory:
========================

Updated nbd package fixes security vulnerability:

It was discovered that nbd prior to 3.24 contained an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name resulting in a write to a dangling pointer (CVE-2022-26495).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26495
https://www.debian.org/lts/security/2022/dla-2944
========================

Updated packages in core/updates_testing:
========================
nbd-3.24-1.mga8

from nbd-3.24-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: MGA8-64-OK => (none)
Status comment: Fixed upstream in 3.24 => (none)
Version: Cauldron => 8

MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues
No previous info, so googled and found some mostly older pages like http://www.microhowto.info/howto/connect_to_a_remote_block_device_using_nbd.html
So went on angd got into trouble immediately
# systemctl -l status nbd-server
● nbd-server.service - Network Block Device server
     Loaded: loaded (/usr/lib/systemd/system/nbd-server.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:nbd-server(1)
             man:nbd-server(5)

# systemctl  start nbd-server

# systemctl -l status nbd-server
● nbd-server.service - Network Block Device server
     Loaded: loaded (/usr/lib/systemd/system/nbd-server.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2022-03-14 16:40:35 CET; 3s ago
       Docs: man:nbd-server(1)
             man:nbd-server(5)
    Process: 6306 ExecStart=/usr/bin/nbd-server $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 6307 (code=exited, status=1/FAILURE)
        CPU: 5ms

mrt 14 16:40:35 mach5.hviaene.thuis systemd[1]: Starting Network Block Device server...
mrt 14 16:40:35 mach5.hviaene.thuis systemd[1]: Started Network Block Device server.
mrt 14 16:40:35 mach5.hviaene.thuis nbd_server[6307]: Invalid group name: nbd
mrt 14 16:40:35 mach5.hviaene.thuis systemd[1]: nbd-server.service: Main process exited, code=exited, status=1/FAILURE
mrt 14 16:40:35 mach5.hviaene.thuis nbd_server[6307]: Exiting.
mrt 14 16:40:35 mach5.hviaene.thuis systemd[1]: nbd-server.service: Failed with result 'exit-code'.
journalctl gave no more info.
Checked in MCC that indeed no group nbd exists. So what ??? Create the group manually???

CC: (none) => herman.viaene

The package should be creating the group in a scriplet.  Sounds like a packaging bug.

Debian has issued an advisory for this on March 12:
https://www.debian.org/security/2022/dsa-5100

It lists another CVE also fixed upstream in 3.24.

Keywords: (none) => feedback
Severity: normal => critical
Summary: nbd new security issue CVE-2022-26495 => nbd new security issues CVE-2022-2649[56]

Ubuntu has issued an advisory for this on March 14:
https://ubuntu.com/security/notices/USN-5323-1

Fedora has issued an advisory for this today (March 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PU5JFD4PEJED72TZLZ5R2Q2SFXICU5I5/

openSUSE has issued an advisory for this today (April 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GY3FXWPGNBOFA2QZOFDFNU2AZJWYEW7A/

Updated package uploaded for cauldron and Mageia 8


Advisory:
========================

Updated nbd package fixes a security vulnerability and a package bug:

It was discovered that nbd prior to 3.24 contained an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name resulting in a write to a dangling pointer (CVE-2022-26495).

Packaging has been adjusted to create the required nbd group at installation.


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26495
https://www.debian.org/lts/security/2022/dla-2944
========================

Updated packages in core/updates_testing:
========================
nbd-3.24-1.1.mga8

from nbd-3.24-1.1.mga8.src.rpm

Status comment: Package needs to create nbd group in scriplet => (none)
Assignee: mhrambo3501 => qa-bugs

Installed

$ nbd-client -v
This is nbd-client, from nbd 3.24

I tried nbd-server as well.  It runs, but I don't have enough knowledge to make it work.

CC: (none) => brtians1

Found info in https://www.thegeekstuff.com/2009/02/nbd-tutorial-network-block-device-jumpstart-guide/
but when trying to start nbd-server itt still fails and journalctl shows:
ei 11 14:29:35 mach5.hviaene.thuis groupadd[220696]: group added to /etc/group: name=nbd, GID=954
mei 11 14:29:35 mach5.hviaene.thuis groupadd[220696]: group added to /etc/gshadow: name=nbd
mei 11 14:29:35 mach5.hviaene.thuis groupadd[220696]: new group: name=nbd, GID=954
mei 11 14:29:36 mach5.hviaene.thuis [RPM][215444]: install nbd-3.24-1.1.mga8.x86_64: success
mei 11 14:29:37 mach5.hviaene.thuis [RPM][215444]: install nbd-3.24-1.1.mga8.x86_64: success
mei 11 14:29:57 mach5.hviaene.thuis perl[215444]: running: rpm -ql nbd-3.24-1.1.mga8.x86_64
mei 11 14:29:57 mach5.hviaene.thuis perl[215444]: running: rpm -q --qf '%{description}' nbd-3.24-1.1.mga8.x86_64
mei 11 14:29:57 mach5.hviaene.thuis perl[215444]: running: rpm -q --changelog nbd-3.24-1.1.mga8.x86_64
mei 11 14:34:59 mach5.hviaene.thuis nbd_server[247928]: Invalid user name: nbd
mei 11 14:34:59 mach5.hviaene.thuis systemd[1]: nbd-server.service: Main process exited, code=exited, status=1/FAILURE
mei 11 14:34:59 mach5.hviaene.thuis nbd_server[247928]: Exiting.
mei 11 14:34:59 mach5.hviaene.thuis systemd[1]: nbd-server.service: Failed with result 'exit-code'.

So apparently not only a group, but also a user nbd is needed.

Another updated package uploaded for cauldron and Mageia 8


Advisory:
========================

Updated nbd package fixes a security vulnerability and a package bug:

It was discovered that nbd prior to 3.24 contained an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name resulting in a write to a dangling pointer (CVE-2022-26495).

Packaging has been adjusted to create the required nbd user and group at installation.


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26495
https://www.debian.org/lts/security/2022/dla-2944
========================

Updated packages in core/updates_testing:
========================
nbd-3.24-1.2.mga8

from nbd-3.24-1.2.mga8.src.rpm

Keywords: feedback => (none)

nbd-3.24-1.2.mga8 does notresolve problem with missing nbd user as in Comment 10.

It looks like Mike fixed it correctly.  Try uninstalling the package and removing any references to nbd in /etc/{passwd,shadow,group} and re-installing it.

fwiw - it installs and the nbd-server service runs for me.

[mrambo@baggins ~]$ sudo urpmi mageia/mga8/nbd/RPMS/x86_64/nbd-3.24-1.2.mga8.x86_64.rpm 

SECURITY: The following package is _NOT_ signed (OK ((none))): mageia/mga8/nbd/RPMS/x86_64/nbd-3.24-1.2.mga8.x86_64.rpm
installing nbd-3.24-1.2.mga8.x86_64.rpm from mageia/mga8/nbd/RPMS/x86_64
Preparing...                     ###########################################################################################################
      1/1: nbd                   ###########################################################################################################

[mrambo@baggins ~]$ systemctl status nbd-server
● nbd-server.service - Network Block Device server
     Loaded: loaded (/usr/lib/systemd/system/nbd-server.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:nbd-server(1)
             man:nbd-server(5)

[mrambo@baggins ~]$ systemctl start nbd-server

[mrambo@baggins ~]$ systemctl status nbd-server
● nbd-server.service - Network Block Device server
     Loaded: loaded (/usr/lib/systemd/system/nbd-server.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2022-05-15 09:21:19 EDT; 5s ago
       Docs: man:nbd-server(1)
             man:nbd-server(5)
    Process: 115717 ExecStart=/usr/bin/nbd-server $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 115718 (nbd-server)
      Tasks: 1 (limit: 19134)
     Memory: 720.0K
        CPU: 1.637s
     CGroup: /system.slice/nbd-server.service
             └─115718 /usr/bin/nbd-server

May 15 09:21:19 baggins systemd[1]: Starting Network Block Device server...
May 15 09:21:19 baggins systemd[1]: Started Network Block Device server.

[mrambo@baggins ~]$ ps aux | grep nbd
nbd       115718  0.7  0.0  10344  3344 ?        Ss   09:21   0:01 /usr/bin/nbd-server

I'm not as well versed in adding, using, and removing the testing repo as people in QA so I just used the rpm created when I built the package but it should be identical with the package built on the build system except it is unsigned.

Followed David's suggestion in Comment 13 and now the server starts OK.
Tried to make a setup server - client on the same laptop, but the tutorial I found was apparently obsolete.
Found another https://sweetcode.io/introduction-to-linux-network-block-devices/, but  I run into problems which are beyond me, like
and
https://blog.krybot.com/a?ID=01150-dfe34959-09da-4998-9a56-7029e75f8806
# nbd-client 192.168.2.5 1043/dev/nbd0
Warning: the oldstyle protocol is no longer supported.
This method now uses the newstyle protocol with a default export
getaddrinfo failed: Name or service not known

I'll leave it for judgment to OK this update, but I fear I cann't make any progres further.

On the server when I start the service I get
nbd-server.service: Failed to parse PID from file /run/nbd-server.pid: Invalid argument
Restarting the server, it works ok so there seems to be a timing issue
creating the pid file, however even if it fails to create the pid file it
does start.

On my client system ...
# nbd-client -l 192.168.10.2
Negotiation: ..
export1
otherexport

I'm having trouble getting the client system to mount the export1 device. I'll
continue working on it to figure it out.

CC: (none) => davidwhodgins

My efforts got only as far as yours in that I can get a list available exports but cannot mount them. The help websites I used all say that you need to specify a device for the mount in the form /dev/nbdX but those device nodes do not exist on either of my machines (both are physical mga8 boxes - no VM).

However, this does not appear to be a change from the existing package which makes we wonder if nbd has worked any time recently. The error I see from the client is the same.

nbd-client 192.168.3.23 /dev/nbd0 -name export1
Negotiation: ..size = 0MB
Error: Couldn't resolve the nbd netlink family, make sure the nbd module is loaded and your nbd driver supports the netlink interface.

Exiting.

Ah... There is a module to load. modprobe nbd will get you /dev/nbd0 - /dev/nbd15.

nbd-client 192.168.3.23 /dev/nbd0 -name export1
Negotiation: ..size = 0MB
Error: Failed to setup device, check dmesg

Exiting.

Checking dmesg didn't reveal anything. The most recent entry was several hours old and had nothing to do with nbd.

I got the same results with both the new client in nbd-3.24-1.2.mga8 as well as the original client in nbd-3.20-3.mga8. Last of all I tried the old package on the server box too and still could not get beyond the 'failed to setup device' message.

I'm at a loss. The new package behaves the same as the old package so there doesn't seem to be a regression, but I also cannot get either of them to actually work.

I found these two sites to be the most helpful.
https://forums.gentoo.org/viewtopic-t-896132.html
https://www.aixperts.co.uk/?p=301

Connecting as root gets past the "Failed to setup device" error.

$ sudo nbd-client 192.168.3.23 /dev/nbd0 -name export1
Negotiation: ..size = 0MB
Connected /dev/nbd0

The above is with the new package on both server and client but I haven't been able to do anything more with it yet. I've trying to share a file as I saw in an example somewhere. Maybe it needs an actual block device? The documentation is not the best.

Got back on the subject, and made a little  progress
After starting the server I get
# nbd-client -l mach7
Negotiation: ..
export1
otherexport
Just as Dave got.
Following one of the tutorials I did
# dd if=/dev/zero of=/mnt/dhini bs=1024 count=36000
36000+0 records in
36000+0 records out
36864000 bytes (37 MB, 35 MiB) copied, 0.654016 s, 56.4 MB/s
[root@mach7 ~]# mke2fs /mnt/dhini
mke2fs 1.45.6 (20-Mar-2020)
Discarding device blocks: done                            
Creating filesystem with 36000 1k blocks and 9000 inodes
Filesystem UUID: c6eda01a-1b5d-48c0-b15e-f72a026055ae
Superblock backups stored on blocks: 
        8193, 24577

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

But how to get this into the server configuration file beats me and I get no futher than
# nbd-client -l mach7 1043 /mnt/dhini
Negotiation: ..

E: listing not allowed by server.
Adding 
allowlist = true
to the config file does not help, but at least it shows the server is responding.
I'll let Dave and Mike having their say on whether this is enough to let the update go.

90 days, three months, without so much as a comment, on a critical update? 

Not good.

CC: (none) => andrewsfarm

Sounds like we should have pushed this one.

I don't see a reason to hold it. The package was imported by zezinho in 2020 a couple of months before he died so there is no official maintainer. I pushed the fix just because it looked fairly straight-forward but I don't actually know anything about nbd. I tried to help when I saw there were problems testing, and though I was never able to get it to fully work, the patched and original versions "didn't work" in the same way so there does not appear to be any regression. There has never been any other bug against this package. Given that it may have never worked (from all I can tell) maybe it should be dropped from cauldron before mga9 is branched.

Yes it definitely should be dropped.

(In reply to David Walser from comment #21)
> Sounds like we should have pushed this one.
(In reply to Mike Rambo from comment #22)
> I don't see a reason to hold it. 

I'm sending this on on the basis of several clean installs. The problems don't appear to be new regressions.

Validating. Advisory in Comment 11.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0403.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

(In reply to Mike Rambo from comment #18)
> Connecting as root gets past the "Failed to setup device" error.
> 
> $ sudo nbd-client 192.168.3.23 /dev/nbd0 -name export1
> Negotiation: ..size = 0MB
> Connected /dev/nbd0
> 
> The above is with the new package on both server and client but I haven't
> been able to do anything more with it yet. I've trying to share a file as I
> saw in an example somewhere. Maybe it needs an actual block device? The
> documentation is not the best.

Upstream here.

This comment almost got it right; the only step you were missing is that the export you created was for a zero sized file, or that the NBD use did not have permissions to read and/or write that file. To fix, you need to use dd or ftruncate or something along the lines to make sure the file has a reasonable size (it can be a sparse file) and then retry.

Love you get this 'connected' message with a non-zero size, the connected device is active and it can be read from or written to. To mount it, you would need to create a filesystem (as far as user space is concerned at this point, it's a regular block device)

CC: (none) => wouter