The fix for the premature open flaw in nbdkit introduced a new vulnerability, in that a client issuing NBD_OPT_INFO before NBD_OPT_GO would trigger back-to-back calls to the open() callback, leading to an assertion failure because the first open() did not have a matching close(). No known nbdkit clients behaved in this way, but a crafted client could use this to cause nbdkit to exit.
Acknowledgments: Name: Eric Blake (Red Hat)
External References: https://www.redhat.com/archives/libguestfs/2019-September/msg00272.html
Mitigation: If nbdkit is configured with TLS client authentication, only trusted clients can carry out this attack. Only attackers that can connect to the nbdkit service can exploit this vulnerability. If nbdkit is not exposed over TCP (eg, nbdkit -U), or is bound only to a private network interface, or is protected by firewall rules, the attack surface is correspondingly limited.
Upstream patches: 1.15 (development branch): - https://github.com/libguestfs/nbdkit/commit/a6b88b195a959b17524d1c8353fd425d4891dc5f 1.14: - https://github.com/libguestfs/nbdkit/commit/bf0d61883a2f02f4388ec10dc92d4c61c093679e 1.12: - https://github.com/libguestfs/nbdkit/commit/b2bc6683ea3cd1f6be694e8a681dfa411b7d15f3