Bug 44674 - libtirpc: Multiple issues (4.2)
libtirpc: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on:
Blocks: 44675 46158
  Show dependency treegraph
 
Reported: 2017-05-23 18:30 CEST by Arvid Requate
Modified: 2018-05-08 14:56 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-05-23 18:30:04 CEST
Upstream Debian package version 0.2.5-1+deb8u1 fixes this issue::

* rpcbind does not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb. (CVE-2017-8779)


libtirpc is a transport-independent RPC library used by rpcbind and other programs.
Comment 1 Philipp Hahn univentionstaff 2018-01-25 10:59:27 CET
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
Comment 2 Quality Assurance univentionstaff 2018-05-04 16:55:04 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libtirpc_0.2.5-1.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/libtirpc_0.2.5-1+deb8u1.dsc
@@ -1,3 +1,7 @@
+0.2.5-1+deb8u1 [Thu, 04 May 2017 16:05:42 +0200] Moritz Mühlenhoff <jmm@debian.org>:
+
+  * CVE-2017-8779
+
 0.2.5-1 [Tue, 09 Sep 2014 02:30:09 +0100] Anibal Monsalve Salazar <anibal@debian.org>:
 
   * New upstream version 0.2.5.
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:55:09 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/rpcbind_0.2.1-6+deb8u1A~4.2.0.201702281317.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/rpcbind_0.2.1-6+deb8u2A~4.2.3.201801251012.dsc
@@ -1,7 +1,11 @@
-0.2.1-6+deb8u1A~4.2.0.201702281317 [Tue, 28 Feb 2017 13:17:58 +0100] Univention builddaemon <buildd@univention.de>:
+0.2.1-6+deb8u2A~4.2.3.201801251012 [Thu, 25 Jan 2018 10:12:58 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-version-check-ucs420
+
+0.2.1-6+deb8u2 [Thu, 04 May 2017 19:37:10 +0200] Moritz Mühlenhoff <jmm@debian.org>:
+
+  * CVE-2017-8779
 
 0.2.1-6+deb8u1 [Fri, 18 Sep 2015 18:45:15 +0200] Salvatore Bonaccorso <carnil@debian.org>:
Comment 4 Arvid Requate univentionstaff 2018-05-07 11:25:12 CEST
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok