Bug#671478: CVE-2011-4609

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#671478: CVE-2011-4609
From: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Fri, 04 May 2012 14:29:04 +0200
Message-id: <[🔎] 20120504122904.13876.70128.reportbug@vurm.knut.univention.de>
Reply-to: Moritz Muehlenhoff <muehlenhoff@univention.de>, 671478@bugs.debian.org

Package: eglibc
Severity: important
Tags: security

There was a security issue in RPC handling, which is unfixed in Squeeze
and sid:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4609

The Bugzilla entry has a fix for glibc. I'm attaching a eglibc version
of that patch from Ubuntu to this bug.

This appears to be still unfixed in eglibc trunk, maybe it should
be upstream before?

This doesn't warrant a DSA, but maybe it can be added to potential
further eglibc point updates.

Cheers,
        Moritz

Origin: Red Hat, glibc-2.12-1.47.el6_2.5.src.rpm:glibc-rh767692-2.patch
Bug: https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901716
Subject: DoS in RPC implementation

CVE-2011-4069


---
 sunrpc/svc_tcp.c  |    6 ++++++
 sunrpc/svc_udp.c  |   13 +++++++++++--
 sunrpc/svc_unix.c |    6 ++++++
 3 files changed, 23 insertions(+), 2 deletions(-)

Index: b/sunrpc/svc_tcp.c
===================================================================
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -44,6 +44,7 @@
 #include <sys/poll.h>
 #include <errno.h>
 #include <stdlib.h>
+#include <time.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -243,6 +244,11 @@ again:
     {
       if (errno == EINTR)
 	goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
       return FALSE;
     }
   /*
Index: b/sunrpc/svc_udp.c
===================================================================
--- a/sunrpc/svc_udp.c
+++ b/sunrpc/svc_udp.c
@@ -40,6 +40,7 @@
 #include <sys/socket.h>
 #include <errno.h>
 #include <libintl.h>
+#include <time.h>
 
 #ifdef IP_PKTINFO
 #include <sys/uio.h>
@@ -272,8 +273,16 @@ again:
 		       (int) su->su_iosz, 0,
 		       (struct sockaddr *) &(xprt->xp_raddr), &len);
   xprt->xp_addrlen = len;
-  if (rlen == -1 && errno == EINTR)
-    goto again;
+  if (rlen == -1)
+    {
+      if (errno == EINTR)
+        goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
+    }
   if (rlen < 16)		/* < 4 32-bit ints? */
     return FALSE;
   xdrs->x_op = XDR_DECODE;
Index: b/sunrpc/svc_unix.c
===================================================================
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -46,6 +46,7 @@
 #include <errno.h>
 #include <stdlib.h>
 #include <libintl.h>
+#include <time.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -245,6 +246,11 @@ again:
     {
       if (errno == EINTR)
 	goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
       return FALSE;
     }
   /*

Reply to:

Prev by Date: [bts-link] source package eglibc
Next by Date: Processed: tagging 671299
Previous by thread: Processed: [bts-link] source package eglibc
Next by thread: Processed: tagging 671299
Index(es):
- Date
- Thread