617938 – (CVE-2017-8804) <sys-libs/glibc-2.26.0: xdr_bytes and xdr_string functions buffer deserialization

Bug 617938 (CVE-2017-8804) - <sys-libs/glibc-2.26.0: xdr_bytes and xdr_string functions buffer deserialization

Summary: <sys-libs/glibc-2.26.0: xdr_bytes and xdr_string functions buffer deserializ...

Status:	RESOLVED FIXED

Alias:	CVE-2017-8804

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+ cve]
Keywords:

Depends on:	657148
Blocks:
	Show dependency tree

Reported:	2017-05-09 07:35 UTC by GLSAMaker/CVETool Bot
Modified:	2019-03-14 01:33 UTC (History)
CC List:	1 user (show)

See Also:	https://sourceware.org/bugzilla/show_bug.cgi?id=21461
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2017-05-09 07:35:52 UTC

CVE-2017-8804 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8804):
  The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or
  libc6) 2.25 mishandle failures of buffer deserialization, which allows
  remote attackers to cause a denial of service (virtual memory allocation, or
  memory consumption if an overcommit setting is not used) via a crafted UDP
  packet to port 111, a related issue to CVE-2017-8779.

Comment 1 Andreas K. Hüttel archtester

2017-10-25 19:18:25 UTC

That code is gone in our glibc-2.26.

Comment 2 Andreas K. Hüttel archtester

2017-10-26 08:02:50 UTC

Given that 2.26 is not ready for *keywords* yet, stabilization will take some time.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2017-10-26 10:32:34 UTC

(In reply to Andreas K. Hüttel from comment #2)
> Given that 2.26 is not ready for *keywords* yet, stabilization will take
> some time.

As expected.  Backport possible? Thanks, Andreas.

Comment 4 Andreas K. Hüttel archtester

2017-10-27 22:50:01 UTC

(In reply to Aaron Bauman from comment #3)
> (In reply to Andreas K. Hüttel from comment #2)
> > Given that 2.26 is not ready for *keywords* yet, stabilization will take
> > some time.
> 
> As expected.  Backport possible? Thanks, Andreas.

Well... the upstream bug has a patch, but it hasn't been accepted into git there yet, so I would prefer to wait.

Our 2.26 is only unaffected because we finally drop the obsolete rpc support in glibc.

Comment 5 Larry the Git Cow gentoo-dev

2017-11-12 14:16:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02056778ea5961e77a59a7a246b355c1225c7404

commit 02056778ea5961e77a59a7a246b355c1225c7404
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2017-11-12 12:28:38 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2017-11-12 14:15:28 +0000

    sys-libs/glibc: Re-add keywords to glibc 2.26
    
    Bug: https://bugs.gentoo.org/492814
    Bug: https://bugs.gentoo.org/622694
    Bug: https://bugs.gentoo.org/617938
    Bug: https://bugs.gentoo.org/466176
    Bug: https://bugs.gentoo.org/628768
    Bug: https://bugs.gentoo.org/637016
    Bug: https://bugs.gentoo.org/636934
    Bug: https://bugs.gentoo.org/381391
    Bug: https://bugs.gentoo.org/636158
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 sys-libs/glibc/glibc-2.26-r3.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)}

Comment 6 Andreas K. Hüttel archtester

2018-09-11 15:21:49 UTC

All affected versions are masked. Please proceed.

Comment 7 Andreas K. Hüttel archtester

2018-10-26 19:54:38 UTC

ping?

Comment 8 Andreas K. Hüttel archtester

2018-12-30 09:23:52 UTC

@security: ping?

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2019-03-14 01:33:47 UTC

This issue was resolved and addressed in
 GLSA 201903-09 at https://security.gentoo.org/glsa/201903-09
by GLSA coordinator Aaron Bauman (b-man).