Candidate: CVE-2019-14842
PublicDate: 2019-11-26 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14842
 https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html
 https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09 (1.1.4)
 https://github.com/libguestfs/libnbd/commit/2c1987fc23d6d0f537edc6d4701e95a2387f7917 (stable-1.0)
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14842
Description:
 Structured reply is a feature of the newstyle NBD protocol allowing the
 server to send a reply in chunks. A bounds check which was supposed to test
 for chunk offsets smaller than the beginning of the request did not work
 because of signed/unsigned confusion. If one of these chunks contains a
 negative offset then data under control of the server is written to memory
 before the read buffer supplied by the client. If the read buffer is
 located on the stack then this allows the stack return address from
 nbd_pread() to be trivially modified, allowing arbitrary code execution
 under the control of the server. If the buffer is located on the heap then
 other memory objects before the buffer can be overwritten, which again
 would usually lead to arbitrary code execution.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942215
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_libnbd:
upstream_libnbd: released (1.0.3-1)
precise/esm_libnbd: DNE
trusty_libnbd: ignored (out of standard support)
trusty/esm_libnbd: DNE
xenial_libnbd: DNE
bionic_libnbd: DNE
disco_libnbd: DNE
eoan_libnbd: DNE
devel_libnbd: not-affected (1.0.3-1)