The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or
libc6) 2.25 mishandle failures of buffer deserialization, which allows
remote attackers to cause a denial of service (virtual memory allocation, or
memory consumption if an overcommit setting is not used) via a crafted UDP
packet to port 111, a related issue to CVE-2017-8779.
That code is gone in our glibc-2.26.
Given that 2.26 is not ready for *keywords* yet, stabilization will take some time.
(In reply to Andreas K. Hüttel from comment #2)
> Given that 2.26 is not ready for *keywords* yet, stabilization will take
> some time.
As expected. Backport possible? Thanks, Andreas.
(In reply to Aaron Bauman from comment #3)
> (In reply to Andreas K. Hüttel from comment #2)
> > Given that 2.26 is not ready for *keywords* yet, stabilization will take
> > some time.
> As expected. Backport possible? Thanks, Andreas.
Well... the upstream bug has a patch, but it hasn't been accepted into git there yet, so I would prefer to wait.
Our 2.26 is only unaffected because we finally dropped the obsolete RPC support in glibc.
The bug has been referenced in the following commit(s):
Author: Andreas K. Hüttel <firstname.lastname@example.org>
AuthorDate: 2017-11-12 12:28:38 +0000
Commit: Andreas K. Hüttel <email@example.com>
CommitDate: 2017-11-12 14:15:28 +0000
sys-libs/glibc: Re-add keywords to glibc 2.26
Package-Manager: Portage-2.3.13, Repoman-2.3.4
sys-libs/glibc/glibc-2.26-r3.ebuild | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
All affected versions are masked. Please proceed.
This issue was resolved and addressed in
GLSA 201903-09 at https://security.gentoo.org/glsa/201903-09
by GLSA coordinator Aaron Bauman (b-man).