libnbd CVE-2022-0485 Advisory: nbdcopy ignores read/write errors causing target image corruption

Key Information Overview Vulnerability Overview: Vulnerability ID: Bugzilla - Bug 2046194 CVE Number: CVE-2022-0485 Affected Component: libnbd Vulnerability Type: nbdcopy ignores read and write errors, leading to corrupted target images Timeline: Reported Time: 2022-01-26 11:18 UTC Modified Time: 2022-05-17 13:13 UTC Last Closed: 2022-05-17 12:51:02 UTC Key Description: Issue Description: When copying from an NBD server using asynchronous replication mode (default), if the server returns an error, nbdcopy may create a corrupted target image. Additionally, nbdcopy exits with a zero exit code, so programs using it cannot detect that the operation failed. Severity: Medium Reproduction Steps: Reproducing Read Errors: - Create source image - Create target image - Start nbd2k2 to read data from source image - Copy from nbdkit to target image - Check nbdkit logs Reproducing Write Errors: - Create target image - Create source image - Start nbdkit to write to target image - Copy from source image to nbdkit - Check nbdkit logs Patches and Fixes: Patch Links: - Upstream patch Errata Advisory: RHSA-2022:2409 Additional Information: Related GitHub Commits: - Commit 1 - Commit 2 - Commit 3 - Commit 4 Dependent Products: None specified PM-RHEL Tag: mirror+

Goal Reached Thanks to every supporter — we hit 100%!

libnbd CVE-2022-0485 Advisory: nbdcopy ignores read/write errors causing target image corruption