Bug#907719: stretch-pu: package libtirpc/0.2.5-1.2+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
libtirpc is affected by a flaw which got assigned CVE-2018-14622,
#907608 but we won't issue a DSA for it. Qutoing the SUSE report:
> libtirpc has a built-in limit on the file descriptors it can handle, because it
> relies on select() with its associated FD_SETSIZE limit.
>
> When you register a TCP transport, incoming connections will be handled by a
> function calledd rendezvous_request(), which does this:
>
> newxprt = makefd_xprt(sock, r->sendsize, r->recvsize);
> if (!__rpc_set_netbuf(&newxprt->xp_rtaddr, &addr, len))
> return (FALSE);
>
> makefd_xprt in turn has this little safety built in:
>
> if (fd >= FD_SETSIZE) {
> warnx("svc_vc: makefd_xprt: fd too high\n");
> xprt = NULL;
> goto done;
> }
> [...]
> done:
> return (xprt);
>
> That combination is not a healthy one.
Upstream fix:
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commitdiff;h=1c77f7a869bdea2a34799d774460d1f9983d45f0
. The issue is fixed for us in the experimental version, not yet at
the poing of this writing in unstable, but I have proposed a NMU and
uploaded to delayed/10 queue, cf. #907608.
Attaching the full debdiff.
Changelog entry:
> libtirpc (0.2.5-1.2+deb9u1) stretch; urgency=medium
>
> * Non-maintainer upload.
> * rendezvous_request: check the makefd_xprt return value (CVE-2018-14622)
> (Closes: #907608)
>
> -- Salvatore Bonaccorso <carnil@debian.org> Fri, 31 Aug 2018 21:56:01 +0200
Regards,
Salvatore
diff -Nru libtirpc-0.2.5/debian/changelog libtirpc-0.2.5/debian/changelog
--- libtirpc-0.2.5/debian/changelog 2017-05-05 17:24:41.000000000 +0200
+++ libtirpc-0.2.5/debian/changelog 2018-08-31 21:56:01.000000000 +0200
@@ -1,3 +1,11 @@
+libtirpc (0.2.5-1.2+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * rendezvous_request: check the makefd_xprt return value (CVE-2018-14622)
+ (Closes: #907608)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 31 Aug 2018 21:56:01 +0200
+
libtirpc (0.2.5-1.2) unstable; urgency=high
* Non-maintainer upload.
diff -Nru libtirpc-0.2.5/debian/patches/12-rendezvous_request-check-the-makefd_xprt-return-valu.patch libtirpc-0.2.5/debian/patches/12-rendezvous_request-check-the-makefd_xprt-return-valu.patch
--- libtirpc-0.2.5/debian/patches/12-rendezvous_request-check-the-makefd_xprt-return-valu.patch 1970-01-01 01:00:00.000000000 +0100
+++ libtirpc-0.2.5/debian/patches/12-rendezvous_request-check-the-makefd_xprt-return-valu.patch 2018-08-31 21:56:01.000000000 +0200
@@ -0,0 +1,34 @@
+From: Ditang Chen <ditang.c@gmail.com>
+Date: Mon, 13 Jul 2015 10:36:16 -0400
+Subject: rendezvous_request: check the makefd_xprt return value
+Origin: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14622
+Bug-Debian: https://bugs.debian.org/907608
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1620293
+Bug-SUSE: https://bugzilla.novell.com/show_bug.cgi?id=968175
+
+xprt may return NULL, so check the return value is necessary.
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Ditang Chen <ditang.c@gmail.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/svc_vc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/svc_vc.c b/src/svc_vc.c
+index 6848c098f055..3cddcbceebae 100644
+--- a/src/svc_vc.c
++++ b/src/svc_vc.c
+@@ -337,6 +337,8 @@ again:
+ */
+
+ newxprt = makefd_xprt(sock, r->sendsize, r->recvsize);
++ if (!newxprt)
++ return (FALSE);
+
+ if (!__rpc_set_netbuf(&newxprt->xp_rtaddr, &addr, len))
+ return (FALSE);
+--
+2.18.0
+
diff -Nru libtirpc-0.2.5/debian/patches/series libtirpc-0.2.5/debian/patches/series
--- libtirpc-0.2.5/debian/patches/series 2017-05-05 17:24:41.000000000 +0200
+++ libtirpc-0.2.5/debian/patches/series 2018-08-31 21:56:01.000000000 +0200
@@ -5,3 +5,4 @@
09-autogen.sh.diff
10-CVE-2016-4429.diff
11-CVE-2017-8779.diff
+12-rendezvous_request-check-the-makefd_xprt-return-valu.patch
Reply to: