Noticed in commits between 1.3.3 and 1.3.4: * https://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=4a2d85c64110ee9e21a8c4f9dafd6b0ae621506d ('getnetconfigent: avoid potential DoS issue by removing unnecessary sleep ', https://bugzilla.redhat.com/show_bug.cgi?id=2150611) * https://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1d2e10afb2ffc35cb3623f57a15f712359f18e75 ('rpcb_clnt.c: Eliminate double frees in delete_cache()', https://bugzilla.redhat.com/show_bug.cgi?id=2224666) Given the second bug is private and it mentions a UAF, I suppose it's likely to be a vulnerability.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1fd13e4d6fb8ad865f249f6b723a0e5c7297c2e6 commit 1fd13e4d6fb8ad865f249f6b723a0e5c7297c2e6 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-10-09 02:21:10 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-10-09 02:21:10 +0000 net-libs/libtirpc: add 1.3.4 Bug: https://bugs.gentoo.org/915404 Signed-off-by: Sam James <sam@gentoo.org> net-libs/libtirpc/Manifest | 1 + net-libs/libtirpc/libtirpc-1.3.4.ebuild | 73 +++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+)
