Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 617938 (CVE-2017-8804)

Summary: <sys-libs/glibc-2.26.0: xdr_bytes and xdr_string functions buffer deserialization
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=21461
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 657148    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-05-09 07:35:52 UTC
CVE-2017-8804 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8804):
  The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or
  libc6) 2.25 mishandle failures of buffer deserialization, which allows
  remote attackers to cause a denial of service (virtual memory allocation, or
  memory consumption if an overcommit setting is not used) via a crafted UDP
  packet to port 111, a related issue to CVE-2017-8779.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2017-10-25 19:18:25 UTC
That code is gone in our glibc-2.26.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-10-26 08:02:50 UTC
Given that 2.26 is not ready for *keywords* yet, stabilization will take some time.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-10-26 10:32:34 UTC
(In reply to Andreas K. Hüttel from comment #2)
> Given that 2.26 is not ready for *keywords* yet, stabilization will take
> some time.

As expected.  Backport possible? Thanks, Andreas.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2017-10-27 22:50:01 UTC
(In reply to Aaron Bauman from comment #3)
> (In reply to Andreas K. Hüttel from comment #2)
> > Given that 2.26 is not ready for *keywords* yet, stabilization will take
> > some time.
> 
> As expected.  Backport possible? Thanks, Andreas.

Well... the upstream bug has a patch, but it hasn't been accepted into git there yet, so I would prefer to wait.

Our 2.26 is only unaffected because we finally drop the obsolete rpc support in glibc.
Comment 5 Larry the Git Cow gentoo-dev 2017-11-12 14:16:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02056778ea5961e77a59a7a246b355c1225c7404

commit 02056778ea5961e77a59a7a246b355c1225c7404
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2017-11-12 12:28:38 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2017-11-12 14:15:28 +0000

    sys-libs/glibc: Re-add keywords to glibc 2.26
    
    Bug: https://bugs.gentoo.org/492814
    Bug: https://bugs.gentoo.org/622694
    Bug: https://bugs.gentoo.org/617938
    Bug: https://bugs.gentoo.org/466176
    Bug: https://bugs.gentoo.org/628768
    Bug: https://bugs.gentoo.org/637016
    Bug: https://bugs.gentoo.org/636934
    Bug: https://bugs.gentoo.org/381391
    Bug: https://bugs.gentoo.org/636158
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 sys-libs/glibc/glibc-2.26-r3.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)}
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2018-09-11 15:21:49 UTC
All affected versions are masked. Please proceed.
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2018-10-26 19:54:38 UTC
ping?
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2018-12-30 09:23:52 UTC
@security: ping?
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2019-03-14 01:33:47 UTC
This issue was resolved and addressed in
 GLSA 201903-09 at https://security.gentoo.org/glsa/201903-09
by GLSA coordinator Aaron Bauman (b-man).