Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 617472 (CVE-2017-8779) - <net-nds/rpcbind-0.2.4-r1, <net-libs/libtirpc-1.0.1-r1: Unbounded maximum RPC data size during memory allocation for XDR strings (CVE-2017-8779)
Summary: <net-nds/rpcbind-0.2.4-r1, <net-libs/libtirpc-1.0.1-r1: Unbounded maximum RPC...
Status: RESOLVED FIXED
Alias: CVE-2017-8779
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-04 15:37 UTC by Agostino Sarubbo
Modified: 2018-01-25 00:39 UTC (History)
2 users (show)

See Also:
Package list:
=net-nds/rpcbind-0.2.4-r1 =net-libs/libtirpc-1.0.1-r1
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-04 15:37:58 UTC
From ${URL} :

Rpcbind does not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no 
subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

References:

http://seclists.org/oss-sec/2017/q2/209
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Patrick McLean gentoo-dev 2017-05-08 18:42:12 UTC
Bump done, will need to be re-stabilized. Should be fine to stabilize, those patches look safe.

net-libs/libtirpc-1.0.1-r1
net-nds/rpcbind-0.2.4-r1

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d968a5aa9ebfa6bc766bed99370e164f08b9a0dc
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eae6e7a80bc2934ae1557731fc0ad71cd92af99b
Comment 2 Agostino Sarubbo gentoo-dev 2017-05-10 09:33:33 UTC
amd64 stable
Comment 3 Jeroen Roovers gentoo-dev 2017-05-10 10:55:39 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-10 15:45:27 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-12 14:57:55 UTC
sparc stable
Comment 6 Tobias Klausmann gentoo-dev 2017-05-12 17:58:58 UTC
Stable on alpha.
Comment 7 Michael Weber (RETIRED) gentoo-dev 2017-05-14 09:46:36 UTC
ppc ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-05-16 04:45:01 UTC
arm stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-21 07:25:18 UTC
Remaining arches are not part of security supported architectures, proceeding with security. Arches please stabilize as soon as possible to secure package.

GLSA Vote: Yes
New GLSA Request filed.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2017-06-06 06:47:45 UTC
ia64 please finish stabilization.

Maintainer(s), please drop the vulnerable version(s). GLSA is going to be released.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 08:57:18 UTC
This issue was resolved and addressed in
 GLSA 201706-07 at https://security.gentoo.org/glsa/201706-07
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann gentoo-dev Security 2017-06-06 08:58:10 UTC
Re-opening for remaining architecture.
Comment 13 Valeriy Malov 2017-06-06 11:34:03 UTC
There's a typo in glsa-201706-07.xml / on glsa page, rpcbind affected/unaffected version is set to "0.2.4-r", which breaks glsa-check -t all
Comment 14 Thomas Deutschmann gentoo-dev Security 2017-06-06 12:00:35 UTC
(In reply to Valeriy Malov from comment #13)
> There's a typo in glsa-201706-07.xml / on glsa page, rpcbind
> affected/unaffected version is set to "0.2.4-r", which breaks glsa-check -t
> all

Thanks! GLSA fixed.
Comment 15 Agostino Sarubbo gentoo-dev 2017-06-10 15:17:47 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-09 21:26:17 UTC
@base-system, can we please clean?
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:29:36 UTC
please drop <net-nds/rpcbind-0.2.4-r1!