| Name | CVE-2022-0485 |
| Description | A flaw was found in the copying tool `nbdcopy` of libnbd. When performing multi-threaded copies using asynchronous nbd calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the *error parameter. This could result in the silent creation of a corrupted destination image. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1005307 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libnbd (PTS) | bullseye | 1.6.1-1 | vulnerable |
| bookworm | 1.14.2-1 | fixed | |
| trixie, sid | 1.20.3-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libnbd | source | (unstable) | 1.10.5-1 | 1005307 |
[bullseye] - libnbd <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2050324
Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/8d444b41d09a700c7ee6f9182a649f3f2d325abb (v1.11.8)
Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/9219d2e70c770d8efb98d6e8eaf68e8e354631e3 (v1.10.4)
Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/6c8f2f859926b82094fb5e85c446ea099700fa10 (v1.6.6)
https://listman.redhat.com/archives/libguestfs/2022-February/msg00104.html