In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field causes a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "nbd-client", "binary_version": "1:3.16.2-1ubuntu0.2" }, { "binary_name": "nbd-client-dbgsym", "binary_version": "1:3.16.2-1ubuntu0.2" }, { "binary_name": "nbd-client-udeb", "binary_version": "1:3.16.2-1ubuntu0.2" }, { "binary_name": "nbd-server", "binary_version": "1:3.16.2-1ubuntu0.2" }, { "binary_name": "nbd-server-dbgsym", "binary_version": "1:3.16.2-1ubuntu0.2" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "nbd-client", "binary_version": "1:3.20-1ubuntu0.1" }, { "binary_name": "nbd-client-dbgsym", "binary_version": "1:3.20-1ubuntu0.1" }, { "binary_name": "nbd-client-udeb", "binary_version": "1:3.20-1ubuntu0.1" }, { "binary_name": "nbd-server", "binary_version": "1:3.20-1ubuntu0.1" }, { "binary_name": "nbd-server-dbgsym", "binary_version": "1:3.20-1ubuntu0.1" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "nbd-client", "binary_version": "1:3.23-3ubuntu1" }, { "binary_name": "nbd-client-dbgsym", "binary_version": "1:3.23-3ubuntu1" }, { "binary_name": "nbd-server", "binary_version": "1:3.23-3ubuntu1" }, { "binary_name": "nbd-server-dbgsym", "binary_version": "1:3.23-3ubuntu1" } ] }