Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 466902 (CVE-2013-1950)

Summary: <net-libs/libtirpc-0.2.4-r1: "svc_dg_getargs()" Denial of Service Vulnerability (CVE-2013-1950)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/53026/
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-04-23 13:49:51 UTC 
From ${URL} :

Description
A vulnerability has been reported in libtirpc, which can be exploited by malicious people to cause 
a DoS (Denial of Service).

The vulnerability is caused due to an error within the "svc_dg_getargs()" function (src/svc_dg.c) 
and can be exploited to crash an application using the library via a specially crafted RPC request.

This is related to:
SA8347

The vulnerability is reported in version 0.2.3.


Solution
Fixed in the GIT repository.
Further details available to Secunia VIM customers

Original Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=948378
http://seclists.org/oss-sec/2013/q2/150


@maintainer(s): after the bump, please say explicitly if the package is ready for the stabilization or not
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-08-31 18:50:46 UTC 
CVE-2013-1950 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1950):
  The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote
  attackers to cause a denial of service (rpcbind crash) via a Sun RPC request
  with crafted arguments that trigger a free of an invalid pointer.
Comment 3 SpanKY gentoo-dev 2014-02-02 08:03:39 UTC 
0.2.4-r1 is in the tree
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2014-02-28 11:35:15 UTC 
(In reply to SpanKY from comment #3)
> 0.2.4-r1 is in the tree

Good. Can we stable it?
Comment 5 SpanKY gentoo-dev 2014-03-22 23:32:00 UTC 
(In reply to Sergey Popov from comment #4)

should be fine
Comment 6 SpanKY gentoo-dev 2015-11-02 19:36:41 UTC 
0.2.5 is stable now for everyone
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-01 09:14:38 UTC 
Per previous comment 0.2.5 is stable.  Please remove vulnerable 0.1.10 ebuild.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-06-21 05:59:55 UTC 
GLSA Vote: No

Cleaned up:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d635f65afc6c69f0a8ebacfc3caf873f4bb28c8