Bug 852962 (CVE-2013-6410) - VUL-1: CVE-2013-6410: nbd: incorrect use of strncmp() may allow unauthorized access
Status: RESOLVED WONTFIX
Alias: CVE-2013-6410
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Target Milestone: ---
Assignee: Marcus Schaefer
QA Contact: Security Team bot
Reported: 2013-11-29 12:54 UTC by Victor Pereira
Modified: 2016-04-27 19:18 UTC
Found By: Security Response Team
Description Victor Pereira 2013-11-29 12:54:51 UTC
CVE-2013-6410

nbd-server has the ability to deny connection requests to clients unless their IP addresses are listed in a tcpwrappers-style configuration file.

Due to incorrect use of strncmp() in the parser for this file, however, it would allow clients to connect so long as their IP address in ASCII representation would start with something in the ACL file; e.g., 198.51.100.12 would be allowed if 198.51.100.1 was listed.


References:

http://seclists.org/oss-sec/2013/q4/366
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6410
https://bugzilla.redhat.com/show_bug.cgi?id=1035998
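
The prefix match described in the report above, shown next to an exact-address comparison. This is an added example, not part of the original report and not nbd-server's own code; the ACL contents, the function names `allowed_prefix` and `allowed_exact`, and the sample peers are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed ACL for the demo; one address per entry. */
static const char *const acl[] = { "198.51.100.1", "203.0.113.7" };
#define ACL_LEN (sizeof acl / sizeof acl[0])

/* Flawed check: compares only strlen(entry) bytes, so any client whose
 * text form begins with a listed entry is accepted. */
static int allowed_prefix(const char *client)
{
    for (size_t i = 0; i < ACL_LEN; i++)
        if (strncmp(acl[i], client, strlen(acl[i])) == 0)
            return 1;
    return 0;
}

/* Hardened check: parse both sides and compare the 32-bit addresses. */
static int allowed_exact(const char *client)
{
    struct in_addr c, e;

    if (inet_pton(AF_INET, client, &c) != 1)
        return 0;               /* unparsable peer: deny */
    for (size_t i = 0; i < ACL_LEN; i++) {
        if (inet_pton(AF_INET, acl[i], &e) != 1)
            continue;           /* malformed ACL entry never matches */
        if (c.s_addr == e.s_addr)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed peers: one listed address, three that merely share a
     * textual prefix with a listed address, one unrelated. */
    const char *peers[] = { "198.51.100.1", "198.51.100.12",
                            "198.51.100.199", "203.0.113.70", "192.0.2.1" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-15s prefix=%d exact=%d\n", peers[i],
               allowed_prefix(peers[i]), allowed_exact(peers[i]));
    return 0;
}
```
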
Comment 1 Swamp Workflow Management 2013-11-29 23:00:15 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2013-11-30 11:46:26 UTC
(affects sle10 codebase, nbd is not in newer ones)