Security update for nbdkit

Announcement ID:	SUSE-SU-2025:01888-1
Release Date:	2025-06-11T05:43:28Z
Rating:	moderate
References:	bsc#1243108 bsc#1243110
Cross-References:	CVE-2025-47711 CVE-2025-47712
CVSS scores:	CVE-2025-47711 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-47711 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-47711 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-47712 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-47712 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-47712 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Affected Products:	Server Applications Module 15-SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves two vulnerabilities can now be installed.

Description:

This update for nbdkit fixes the following issues:

Update to version 1.40.6.

Security fixes:

• CVE-2025-47712: integer overflow in blocksize filter when processing client block status requests larger than 2**32 will trigger an assertion failure and cause a denial-of-service. (bsc#1243108).
• CVE-2025-47711: off-by-one error when processing block status results from plugins on behalf of an NBD client may trigger an assertion failure and cause a denial of service (bsc#1243110).

Other fixes and changes:

• golang: Support GCC 15.
• openbsd: curl: Include pthread.h.
• rust: Fix "overindented" list in comment.
• rust: Declare explicit extern "C" API.
• plugins/rust: Use CStr literals for static strings.
• vddk: do_extents: Avoid reading partial chunk beyond the end of the disk.
• vddk: do_extents: Exit the function if we hit req_one condition.
• vddk: do_extents: Mark some local variables const.
• vddk: Cache the disk size in the handle.
• vddk: Include <stdbool.h>.
• python: examples: Fix comment above API_VERSION constant.
• tcl: Fix for Tcl 9.0 compatibility.
• plugins/ocaml/NBDKit.ml: Sort bindings into order.
• ocaml: Don't call abort if caml_c_thread_unregister fails.
• ocaml: Use real addresses instead of (void*)<constant>s.
• evil: Link to nbdkit_parse_probability(3).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2025-1888=1

Package List:

• Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • nbdkit-basic-filters-debuginfo-1.40.6-150700.4.3.1
  • nbdkit-server-1.40.6-150700.4.3.1
  • nbdkit-server-debuginfo-1.40.6-150700.4.3.1
  • nbdkit-nbd-plugin-debuginfo-1.40.6-150700.4.3.1
  • nbdkit-basic-plugins-debuginfo-1.40.6-150700.4.3.1
  • nbdkit-basic-filters-1.40.6-150700.4.3.1
  • nbdkit-debuginfo-1.40.6-150700.4.3.1
  • nbdkit-curl-plugin-1.40.6-150700.4.3.1
  • nbdkit-nbd-plugin-1.40.6-150700.4.3.1
  • nbdkit-debugsource-1.40.6-150700.4.3.1
  • nbdkit-python-plugin-1.40.6-150700.4.3.1
  • nbdkit-ssh-plugin-1.40.6-150700.4.3.1
  • nbdkit-ssh-plugin-debuginfo-1.40.6-150700.4.3.1
  • nbdkit-curl-plugin-debuginfo-1.40.6-150700.4.3.1
  • nbdkit-1.40.6-150700.4.3.1
  • nbdkit-python-plugin-debuginfo-1.40.6-150700.4.3.1
  • nbdkit-basic-plugins-1.40.6-150700.4.3.1
• Server Applications Module 15-SP7 (x86_64)
  • nbdkit-vddk-plugin-1.40.6-150700.4.3.1
  • nbdkit-vddk-plugin-debuginfo-1.40.6-150700.4.3.1

References:

• https://www.suse.com/security/cve/CVE-2025-47711.html
• https://www.suse.com/security/cve/CVE-2025-47712.html
• https://bugzilla.suse.com/show_bug.cgi?id=1243108
• https://bugzilla.suse.com/show_bug.cgi?id=1243110