CVE-2022-0485

NameCVE-2022-0485
DescriptionA flaw was found in the copying tool `nbdcopy` of libnbd. When performing multi-threaded copies using asynchronous nbd calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the *error parameter. This could result in the silent creation of a corrupted destination image.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1005307

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libnbd (PTS)bullseye1.6.1-1vulnerable
bookworm1.14.2-1fixed
sid, trixie1.20.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libnbdsource(unstable)1.10.5-11005307

Notes

[bullseye] - libnbd <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2050324
Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/8d444b41d09a700c7ee6f9182a649f3f2d325abb (v1.11.8)
Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/9219d2e70c770d8efb98d6e8eaf68e8e354631e3 (v1.10.4)
Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/6c8f2f859926b82094fb5e85c446ea099700fa10 (v1.6.6)
https://listman.redhat.com/archives/libguestfs/2022-February/msg00104.html

Search for package or bug name: Reporting problems