Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 399085 (CVE-2011-4609)

Summary: <sys-libs/glibc-2.15-r2 : EMFILE Error Handling Two Denial of Service Vulnerabilities (CVE-2011-4609)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: whissi
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=767299
Whiteboard: A3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-01-16 15:43:41 UTC 
From secunia security advisory at $URL:

Description:
The vulnerabilities are caused due to errors within the "rendezvous_request()" and "svcudp_recv()" functions when handling EMFILE errors, which can be exploited to cause high CPU consumption and render the system unresponsive.

The vulnerabilities are reported in version 2.14.1. Other versions may also be affected.


Solution:
Unpatched.
Restrict access to RPC services to trusted hosts only.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2013-01-01 16:00:14 UTC 
Hi,

this bug was fixed on 28th Nov 2012 by upstream. See

http://sourceware.org/bugzilla/show_bug.cgi?id=14889

Patch:

http://sourceware.org/git/?p=glibc.git;a=commit;h=14bc93a967e62abf8cf2704725b6f76619399f83
Comment 2 Agostino Sarubbo gentoo-dev 2013-01-01 17:07:12 UTC 
(In reply to comment #1)
> Hi,
> 
> this bug was fixed on 28th Nov 2012 by upstream. See
> 
> http://sourceware.org/bugzilla/show_bug.cgi?id=14889
> 
> Patch:
> 
> http://sourceware.org/git/?p=glibc.git;a=commit;
> h=14bc93a967e62abf8cf2704725b6f76619399f83

thanks for the notice
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:35:33 UTC 
CVE-2011-4609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4609):
  The svc_run function in the RPC implementation in glibc before 2.15 allows
  remote attackers to cause a denial of service (CPU consumption) via a large
  number of RPC connections.
Comment 4 SpanKY gentoo-dev 2014-02-18 19:16:18 UTC 
this is in glibc-2.17 which is stable now
Comment 5 Sergey Popov gentoo-dev 2014-02-27 14:13:14 UTC 
Always covered by GLSA 201312-01