* bug#26781: rpcbind, libtirpc CVE-2017-8779
@ 2017-05-05 1:32 Leo Famulari
2017-05-05 3:02 ` Kei Kebreau
2017-05-05 7:56 ` Ludovic Courtès
0 siblings, 2 replies; 4+ messages in thread
From: Leo Famulari @ 2017-05-05 1:32 UTC (permalink / raw)
To: 26781
[-- Attachment #1.1: Type: text/plain, Size: 257 bytes --]
These patches update libtirpc and rpcbind to the latest release and fix
CVE-2017-8779 ("rpcbomb").
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/
[-- Attachment #1.2: 0001-gnu-rpcbind-Update-to-0.2.4.patch --]
[-- Type: text/plain, Size: 1493 bytes --]
From a021cd8f8302a69d7865e696675b1de1d55a5b43 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 4 May 2017 21:04:33 -0400
Subject: [PATCH 1/3] gnu: rpcbind: Update to 0.2.4.
* gnu/packages/onc-rpc.scm (rpcbind): Update to 0.2.4.
---
gnu/packages/onc-rpc.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm
index 5f67823a4..31e2388f0 100644
--- a/gnu/packages/onc-rpc.scm
+++ b/gnu/packages/onc-rpc.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2014, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 John Darrington <jmd@gnu.org>
+;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -66,7 +67,7 @@ IPv4 and IPv6. ONC RPC is notably used by the network file system (NFS).")
(define-public rpcbind
(package
(name "rpcbind")
- (version "0.2.3")
+ (version "0.2.4")
(source
(origin
(method url-fetch)
@@ -75,7 +76,7 @@ IPv4 and IPv6. ONC RPC is notably used by the network file system (NFS).")
name "-" version ".tar.bz2"))
(sha256
(base32
- "0yyjzv4161rqxrgjcijkrawnk55rb96ha0pav48s03l2klx855wq"))))
+ "0rjc867mdacag4yqvs827wqhkh27135rp9asj06ixhf71m9rljh7"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
--
2.12.2
[-- Attachment #1.3: 0002-gnu-libtirpc-Update-to-1.0.1.patch --]
[-- Type: text/plain, Size: 1153 bytes --]
From 66b36606fe00d3720cd20ec1ce1a1280bde627ec Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 4 May 2017 21:05:44 -0400
Subject: [PATCH 2/3] gnu: libtirpc: Update to 1.0.1.
* gnu/packages/onc-rpc.scm (libtirpc): Update to 1.0.1.
---
gnu/packages/onc-rpc.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm
index 31e2388f0..c852f9a4a 100644
--- a/gnu/packages/onc-rpc.scm
+++ b/gnu/packages/onc-rpc.scm
@@ -29,7 +29,7 @@
(define-public libtirpc
(package
(name "libtirpc")
- (version "0.2.4")
+ (version "1.0.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://sourceforge/libtirpc/libtirpc/"
@@ -37,7 +37,7 @@
version ".tar.bz2"))
(sha256
(base32
- "18a337wa4amf0k21wnimp3yzs5l3cxqndz4x3x8bm993zhfy5hs5"))))
+ "17mqrdgsgp9m92pmq7bvr119svdg753prqqxmg4cnz5y657rfmji"))))
(build-system gnu-build-system)
(arguments
`(#:phases
--
2.12.2
[-- Attachment #1.4: 0003-gnu-rpcbind-libtirpc-Fix-CVE-2017-8779.patch --]
[-- Type: text/plain, Size: 12403 bytes --]
From 6045f61a68907491ffb2637c5e8315e94b31dcee Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 4 May 2017 21:26:03 -0400
Subject: [PATCH 3/3] gnu: rpcbind, libtirpc: Fix CVE-2017-8779.
* gnu/packages/patches/libtirpc-CVE-2017-8779.patch,
gnu/packages/patches/rpcbind-CVE-2017-8779.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/onc-rpc.scm (rpcbind, libtirpc)[source]: Use them.
---
gnu/local.mk | 2 +
gnu/packages/onc-rpc.scm | 3 +
gnu/packages/patches/libtirpc-CVE-2017-8779.patch | 263 ++++++++++++++++++++++
gnu/packages/patches/rpcbind-CVE-2017-8779.patch | 29 +++
4 files changed, 297 insertions(+)
create mode 100644 gnu/packages/patches/libtirpc-CVE-2017-8779.patch
create mode 100644 gnu/packages/patches/rpcbind-CVE-2017-8779.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index ce7ecc36c..6dbee2b5e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -744,6 +744,7 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-invalid-read.patch \
%D%/packages/patches/libtiff-null-dereference.patch \
%D%/packages/patches/libtiff-tiffcp-underflow.patch \
+ %D%/packages/patches/libtirpc-CVE-2017-8779.patch \
%D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
@@ -924,6 +925,7 @@ dist_patch_DATA = \
%D%/packages/patches/readline-6.2-CVE-2014-2524.patch \
%D%/packages/patches/readline-7.0-mingw.patch \
%D%/packages/patches/ripperx-missing-file.patch \
+ %D%/packages/patches/rpcbind-CVE-2017-8779.patch \
%D%/packages/patches/rpm-CVE-2014-8118.patch \
%D%/packages/patches/rsem-makefile.patch \
%D%/packages/patches/ruby-concurrent-ignore-broken-test.patch \
diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm
index c852f9a4a..a76ac36ea 100644
--- a/gnu/packages/onc-rpc.scm
+++ b/gnu/packages/onc-rpc.scm
@@ -22,6 +22,7 @@
#:use-module (guix licenses)
#:use-module (guix packages)
#:use-module (guix download)
+ #:use-module (gnu packages)
#:use-module (gnu packages kerberos)
#:use-module (gnu packages pkg-config)
#:use-module (guix build-system gnu))
@@ -35,6 +36,7 @@
(uri (string-append "mirror://sourceforge/libtirpc/libtirpc/"
version "/libtirpc-"
version ".tar.bz2"))
+ (patches (search-patches "libtirpc-CVE-2017-8779.patch"))
(sha256
(base32
"17mqrdgsgp9m92pmq7bvr119svdg753prqqxmg4cnz5y657rfmji"))))
@@ -74,6 +76,7 @@ IPv4 and IPv6. ONC RPC is notably used by the network file system (NFS).")
(uri (string-append "mirror://sourceforge/" name "/" name "/"
version "/"
name "-" version ".tar.bz2"))
+ (patches (search-patches "rpcbind-CVE-2017-8779.patch"))
(sha256
(base32
"0rjc867mdacag4yqvs827wqhkh27135rp9asj06ixhf71m9rljh7"))))
diff --git a/gnu/packages/patches/libtirpc-CVE-2017-8779.patch b/gnu/packages/patches/libtirpc-CVE-2017-8779.patch
new file mode 100644
index 000000000..742e64df2
--- /dev/null
+++ b/gnu/packages/patches/libtirpc-CVE-2017-8779.patch
@@ -0,0 +1,263 @@
+Fix CVE-2017-8779:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+
+Patch copied from the bug reporter's 3rd-party repository:
+
+https://github.com/guidovranken/rpcbomb/blob/master/libtirpc_patch.txt
+
+diff --git a/src/rpc_generic.c b/src/rpc_generic.c
+index 2f09a8f..589cbd5 100644
+--- a/src/rpc_generic.c
++++ b/src/rpc_generic.c
+@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+
+ switch (af) {
+ case AF_INET:
++ if (nbuf->len < sizeof(*sin)) {
++ return NULL;
++ }
+ sin = nbuf->buf;
+ if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
+ == NULL)
+@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ break;
+ #ifdef INET6
+ case AF_INET6:
++ if (nbuf->len < sizeof(*sin6)) {
++ return NULL;
++ }
+ sin6 = nbuf->buf;
+ if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
+ == NULL)
+@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
+
+ port = 0;
+ sin = NULL;
++ if (uaddr == NULL)
++ return NULL;
+ addrstr = strdup(uaddr);
+ if (addrstr == NULL)
+ return NULL;
+diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
+index 43fd385..a923c8e 100644
+--- a/src/rpcb_prot.c
++++ b/src/rpcb_prot.c
+@@ -41,6 +41,7 @@
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
+ #include <rpc/rpcb_prot.h>
++#include "rpc_com.h"
+
+ bool_t
+ xdr_rpcb(xdrs, objp)
+@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
+ if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ return (TRUE);
+@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
+ XDR *xdrs;
+ rpcb_entry *objp;
+ {
+- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ return (TRUE);
+@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
+ bool_t dummy;
+ struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
+
+- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_u_int(xdrs, &objp->results.results_len)) {
+@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
+ if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
+ return (FALSE);
+ }
++
++ if (objp->maxlen > RPC_MAXDATASIZE) {
++ return (FALSE);
++ }
++
+ dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
+ (u_int *)&(objp->len), objp->maxlen);
+ return (dummy);
+diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
+index 08db745..28e6a48 100644
+--- a/src/rpcb_st_xdr.c
++++ b/src/rpcb_st_xdr.c
+@@ -37,6 +37,7 @@
+
+
+ #include <rpc/rpc.h>
++#include "rpc_com.h"
+
+ /* Link list of all the stats about getport and getaddr */
+
+@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
+ if (!xdr_int(xdrs, &objp->failure)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+
+@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ IXDR_PUT_INT32(buf, objp->failure);
+ IXDR_PUT_INT32(buf, objp->indirect);
+ }
+- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ objp->failure = (int)IXDR_GET_INT32(buf);
+ objp->indirect = (int)IXDR_GET_INT32(buf);
+ }
+- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ if (!xdr_int(xdrs, &objp->indirect)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_pointer(xdrs, (char **)&objp->next,
+diff --git a/src/xdr.c b/src/xdr.c
+index f3fb9ad..b9a1558 100644
+--- a/src/xdr.c
++++ b/src/xdr.c
+@@ -42,8 +42,10 @@
+ #include <stdlib.h>
+ #include <string.h>
+
++#include <rpc/rpc.h>
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
++#include <rpc/rpc_com.h>
+
+ typedef quad_t longlong_t; /* ANSI long long type */
+ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
+@@ -53,7 +55,6 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
+ */
+ #define XDR_FALSE ((long) 0)
+ #define XDR_TRUE ((long) 1)
+-#define LASTUNSIGNED ((u_int) 0-1)
+
+ /*
+ * for unit alignment
+@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ {
+ char *sp = *cpp; /* sp is the actual string pointer */
+ u_int nodesize;
++ bool_t ret, allocated = FALSE;
+
+ /*
+ * first deal with the length since xdr bytes are counted
+@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ }
+ if (sp == NULL) {
+ *cpp = sp = mem_alloc(nodesize);
++ allocated = TRUE;
+ }
+ if (sp == NULL) {
+ warnx("xdr_bytes: out of memory");
+@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ /* FALLTHROUGH */
+
+ case XDR_ENCODE:
+- return (xdr_opaque(xdrs, sp, nodesize));
++ ret = xdr_opaque(xdrs, sp, nodesize);
++ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++ if (allocated == TRUE) {
++ free(sp);
++ *cpp = NULL;
++ }
++ }
++ return (ret);
+
+ case XDR_FREE:
+ if (sp != NULL) {
+@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
+ char *sp = *cpp; /* sp is the actual string pointer */
+ u_int size;
+ u_int nodesize;
++ bool_t ret, allocated = FALSE;
+
+ /*
+ * first deal with the length since xdr strings are counted-strings
+@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
+ switch (xdrs->x_op) {
+
+ case XDR_DECODE:
+- if (sp == NULL)
++ if (sp == NULL) {
+ *cpp = sp = mem_alloc(nodesize);
++ allocated = TRUE;
++ }
+ if (sp == NULL) {
+ warnx("xdr_string: out of memory");
+ return (FALSE);
+@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
+ /* FALLTHROUGH */
+
+ case XDR_ENCODE:
+- return (xdr_opaque(xdrs, sp, size));
++ ret = xdr_opaque(xdrs, sp, size);
++ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++ if (allocated == TRUE) {
++ free(sp);
++ *cpp = NULL;
++ }
++ }
++ return (ret);
+
+ case XDR_FREE:
+ mem_free(sp, nodesize);
+@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
+ XDR *xdrs;
+ char **cpp;
+ {
+- return xdr_string(xdrs, cpp, LASTUNSIGNED);
++ return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
+ }
+
+ /*
diff --git a/gnu/packages/patches/rpcbind-CVE-2017-8779.patch b/gnu/packages/patches/rpcbind-CVE-2017-8779.patch
new file mode 100644
index 000000000..6ca93ff12
--- /dev/null
+++ b/gnu/packages/patches/rpcbind-CVE-2017-8779.patch
@@ -0,0 +1,29 @@
+Fix CVE-2017-8779:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+
+Patch copied from the bug reporter's 3rd-party repository:
+
+https://github.com/guidovranken/rpcbomb/blob/master/rpcbind_patch.txt
+
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index 5862c26..e11f61b 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -48,6 +48,7 @@
+ #include <rpc/rpc.h>
+ #include <rpc/rpcb_prot.h>
+ #include <rpc/svc_dg.h>
++#include <rpc/rpc_com.h>
+ #include <netconfig.h>
+ #include <errno.h>
+ #include <syslog.h>
+@@ -432,7 +433,7 @@ rpcbproc_taddr2uaddr_com(void *arg, struct svc_req *rqstp /*__unused*/,
+ static bool_t
+ xdr_encap_parms(XDR *xdrs, struct encap_parms *epp)
+ {
+- return (xdr_bytes(xdrs, &(epp->args), (u_int *) &(epp->arglen), ~0));
++ return (xdr_bytes(xdrs, &(epp->args), (u_int *) &(epp->arglen), RPC_MAXDATASIZE));
+ }
+
+ /*
--
2.12.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-05-05 19:36 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-05 1:32 bug#26781: rpcbind, libtirpc CVE-2017-8779 Leo Famulari
2017-05-05 3:02 ` Kei Kebreau
2017-05-05 7:56 ` Ludovic Courtès
2017-05-05 19:35 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).