
Cloud Vulnerability DB
A community-led vulnerabilities database
A flaw was found in the copying tool nbdcopy of libnbd. When performing multi-threaded copies using asynchronous nbd calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the *error parameter passed to the completion callback. This vulnerability, identified as CVE-2022-0485, could result in the silent creation of a corrupted destination image (NVD, Red Hat Bugzilla).
The vulnerability exists in the multi-threaded copy functionality of nbdcopy when using asynchronous NBD calls. The tool fails to check the error parameter when a command completes, so a failed read or write is handled as if it had succeeded, leading to potential data corruption. The issue has a CVSS v3.1 Base Score of 4.8 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The flaw affects libnbd versions before 1.11.8 (NVD).
The vulnerability can result in two types of data corruption: when a read fails, nbdcopy blindly writes garbage to the destination; when a write fails, the tool does not flag that the destination was not written. Additionally, nbdcopy exits with a zero exit code in these failure scenarios, preventing programs running it from detecting the operation failure (Red Hat Bugzilla).
The issue has been fixed in libnbd version 1.11.8. The fix involves properly checking the error parameter during asynchronous command completion and ensuring that nbdcopy fails with a non-zero exit status when errors occur. The patch was committed upstream and backported to affected versions (GitLab Commit).
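To make the two callback behaviours concrete, the following added example (not libnbd's or nbdcopy's own code) models the read-failure half of the bug. It assumes a completion callback of the form int cb(void *user_data, int *error), which mirrors libnbd's completion-callback convention, and replaces the real asynchronous read with a small stand-in dispatcher; all buffers and error values are constructed.

```c
#include <errno.h>
#include <string.h>

/* Assumed callback shape, modelled on libnbd's completion-callback convention. */
typedef int (*completion_cb)(void *user_data, int *error);

struct copy_cmd {
    unsigned char buf[8];   /* read buffer; holds stale bytes if the read failed */
    unsigned char *dest;    /* destination image region this command fills */
    int failed;             /* set by the fixed callback when *error != 0 */
};

/* Stand-in for an async read completing: fills buf only on success, then calls cb. */
static int complete_read(struct copy_cmd *c, int err, completion_cb cb)
{
    memset(c->buf, err == 0 ? 0xAB : 0xFF, sizeof c->buf); /* 0xFF = stale/garbage */
    int error = err;
    return cb(c, &error);
}

/* Pre-1.11.8 pattern as described above: *error is never looked at. */
static int vulnerable_cb(void *user_data, int *error)
{
    (void)error;
    struct copy_cmd *c = user_data;
    memcpy(c->dest, c->buf, sizeof c->buf); /* copies garbage after a failed read */
    return 1; /* 1 = retire the command, as libnbd callbacks do */
}

/* Fixed pattern: honour *error, record the failure, leave the destination untouched. */
static int fixed_cb(void *user_data, int *error)
{
    struct copy_cmd *c = user_data;
    if (*error != 0) { c->failed = 1; return 1; }
    memcpy(c->dest, c->buf, sizeof c->buf);
    return 1;
}

/* Exit status the copy tool should report: non-zero if any command failed. */
static int exit_status(const struct copy_cmd *cmds, size_t n)
{
    for (size_t i = 0; i < n; i++) if (cmds[i].failed) return 1;
    return 0;
}

/* Drives one failing read (EIO) through cb; returns 1 if the destination was overwritten. */
static int dest_corrupted(completion_cb cb, int *status)
{
    unsigned char dest[8]; memset(dest, 0xEE, sizeof dest); /* constructed existing bytes */
    struct copy_cmd c = { .dest = dest, .failed = 0 };
    complete_read(&c, EIO, cb);
    *status = exit_status(&c, 1);
    return dest[0] != 0xEE;
}
```

With the vulnerable callback the destination is overwritten and the exit status is 0; with the fixed callback the destination is left alone and the exit status is 1, which is the observable difference the fix introduces.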
Source: This report was generated using AI