diff --git a/SOURCES/libtirpc-0.2.4-CVE-2017-8779.patch b/SOURCES/libtirpc-0.2.4-CVE-2017-8779.patch new file mode 100644 index 0000000..91b6157 --- /dev/null +++ b/SOURCES/libtirpc-0.2.4-CVE-2017-8779.patch @@ -0,0 +1,251 @@ +diff -up libtirpc-0.2.4/src/rpcb_prot.c.orig libtirpc-0.2.4/src/rpcb_prot.c +--- libtirpc-0.2.4/src/rpcb_prot.c.orig 2013-12-09 15:59:51.000000000 -0500 ++++ libtirpc-0.2.4/src/rpcb_prot.c 2017-05-17 13:05:47.562168877 -0400 +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include "rpc_com.h" + + bool_t + xdr_rpcb(xdrs, objp) +@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp) + if (!xdr_u_int32_t(xdrs, &objp->r_vers)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) { + return (FALSE); + } + return (TRUE); +@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp) + XDR *xdrs; + rpcb_entry *objp; + { +- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) { + return (FALSE); + } + return (TRUE); +@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p) + bool_t dummy; + struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p; + +- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_u_int(xdrs, &objp->results.results_len)) { +@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp) + if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) { + return (FALSE); + } ++ ++ if (objp->maxlen > RPC_MAXDATASIZE) { ++ return (FALSE); ++ } ++ + dummy = xdr_bytes(xdrs, (char **)&(objp->buf), + (u_int *)&(objp->len), objp->maxlen); + return (dummy); +diff -up libtirpc-0.2.4/src/rpcb_st_xdr.c.orig libtirpc-0.2.4/src/rpcb_st_xdr.c +--- libtirpc-0.2.4/src/rpcb_st_xdr.c.orig 2013-12-09 15:59:51.000000000 -0500 ++++ libtirpc-0.2.4/src/rpcb_st_xdr.c 2017-05-17 13:05:47.562168877 -0400 +@@ -38,6 +38,7 @@ + #include + + #include ++#include "rpc_com.h" + + /* Link list of all the stats about getport and getaddr */ + +@@ -59,7 +60,7 @@ xdr_rpcbs_addrlist(xdrs, objp) + if (!xdr_int(xdrs, &objp->failure)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + +@@ -110,7 +111,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) + IXDR_PUT_INT32(buf, objp->failure); + IXDR_PUT_INT32(buf, objp->indirect); + } +- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_pointer(xdrs, (char **)&objp->next, +@@ -148,7 +149,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) + objp->failure = (int)IXDR_GET_INT32(buf); + objp->indirect = (int)IXDR_GET_INT32(buf); + } +- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_pointer(xdrs, (char **)&objp->next, +@@ -176,7 +177,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) + if (!xdr_int(xdrs, &objp->indirect)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_pointer(xdrs, (char **)&objp->next, +diff -up libtirpc-0.2.4/src/rpc_generic.c.orig libtirpc-0.2.4/src/rpc_generic.c +--- libtirpc-0.2.4/src/rpc_generic.c.orig 2013-12-09 15:59:51.000000000 -0500 ++++ libtirpc-0.2.4/src/rpc_generic.c 2017-05-17 13:05:47.562168877 -0400 +@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struc + + switch (af) { + case AF_INET: ++ if (nbuf->len < sizeof(*sin)) { ++ return NULL; ++ } + sin = nbuf->buf; + if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf) + == NULL) +@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struc + break; + #ifdef INET6 + case AF_INET6: ++ if (nbuf->len < sizeof(*sin6)) { ++ return NULL; ++ } + sin6 = nbuf->buf; + if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6) + == NULL) +@@ -668,6 +674,8 @@ __rpc_uaddr2taddr_af(int af, const char + + port = 0; + sin = NULL; ++ if (uaddr == NULL) ++ return NULL; + addrstr = strdup(uaddr); + if (addrstr == NULL) + return NULL; +diff -up libtirpc-0.2.4/src/xdr.c.orig libtirpc-0.2.4/src/xdr.c +--- libtirpc-0.2.4/src/xdr.c.orig 2013-12-09 15:59:51.000000000 -0500 ++++ libtirpc-0.2.4/src/xdr.c 2017-05-17 13:05:47.563168892 -0400 +@@ -43,8 +43,10 @@ + #include + #include + ++#include + #include + #include ++#include + + typedef quad_t longlong_t; /* ANSI long long type */ + typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */ +@@ -54,7 +56,6 @@ typedef u_quad_t u_longlong_t; + */ + #define XDR_FALSE ((long) 0) + #define XDR_TRUE ((long) 1) +-#define LASTUNSIGNED ((u_int) 0-1) + + /* + * for unit alignment +@@ -630,6 +631,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) + { + char *sp = *cpp; /* sp is the actual string pointer */ + u_int nodesize; ++ bool_t ret, allocated = FALSE; + + /* + * first deal with the length since xdr bytes are counted +@@ -653,6 +655,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) + } + if (sp == NULL) { + *cpp = sp = mem_alloc(nodesize); ++ allocated = TRUE; + } + if (sp == NULL) { + warnx("xdr_bytes: out of memory"); +@@ -661,7 +664,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) + /* FALLTHROUGH */ + + case XDR_ENCODE: +- return (xdr_opaque(xdrs, sp, nodesize)); ++ ret = xdr_opaque(xdrs, sp, nodesize); ++ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { ++ if (allocated == TRUE) { ++ free(sp); ++ *cpp = NULL; ++ } ++ } ++ return (ret); + + case XDR_FREE: + if (sp != NULL) { +@@ -755,6 +765,7 @@ xdr_string(xdrs, cpp, maxsize) + char *sp = *cpp; /* sp is the actual string pointer */ + u_int size; + u_int nodesize; ++ bool_t ret, allocated = FALSE; + + /* + * first deal with the length since xdr strings are counted-strings +@@ -794,8 +805,10 @@ xdr_string(xdrs, cpp, maxsize) + switch (xdrs->x_op) { + + case XDR_DECODE: +- if (sp == NULL) ++ if (sp == NULL) { + *cpp = sp = mem_alloc(nodesize); ++ allocated = TRUE; ++ } + if (sp == NULL) { + warnx("xdr_string: out of memory"); + return (FALSE); +@@ -804,7 +817,14 @@ xdr_string(xdrs, cpp, maxsize) + /* FALLTHROUGH */ + + case XDR_ENCODE: +- return (xdr_opaque(xdrs, sp, size)); ++ ret = xdr_opaque(xdrs, sp, size); ++ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { ++ if (allocated == TRUE) { ++ free(sp); ++ *cpp = NULL; ++ } ++ } ++ return (ret); + + case XDR_FREE: + mem_free(sp, nodesize); +@@ -824,7 +844,7 @@ xdr_wrapstring(xdrs, cpp) + XDR *xdrs; + char **cpp; + { +- return xdr_string(xdrs, cpp, LASTUNSIGNED); ++ return xdr_string(xdrs, cpp, RPC_MAXDATASIZE); + } + + /* diff --git a/SPECS/libtirpc.spec b/SPECS/libtirpc.spec index 19e47a9..ca4ed39 100644 --- a/SPECS/libtirpc.spec +++ b/SPECS/libtirpc.spec @@ -33,6 +33,11 @@ Patch005: libtirpc-0.2.4-svc_vc_create-memleak.patch Patch006: libtirpc-0.2.4-svc-gss-memleaks.patch Patch007: libtirpc-0.2.4-clnt-mthr-create.patch +# +# RHEL7.3-Z +# +Patch008: libtirpc-0.2.4-CVE-2017-8779.patch + %description This package contains SunLib's implementation of transport-independent RPC (TI-RPC) documentation. This library forms a piece of the base of @@ -72,6 +77,8 @@ developing programs which use the tirpc library. %patch006 -p1 # 1342545 - Threads specifically interacting with libtirpc library... %patch007 -p1 +# 1449462 - CVE-2017-8779 rpcbind: libtirpc, libntirpc: Memory leak... +%patch008 -p1 # Remove .orig files find . -name "*.orig" | xargs rm -f @@ -160,6 +167,9 @@ rm -rf %{buildroot} %{_mandir}/*/* %changelog +* Wed May 17 2017 Steve Dickson 0.2.4-0.8_3 +- Fixed for CVE-2017-8779 (bz 1449462) + * Mon Jun 6 2016 Steve Dickson 0.2.4-0.8 - handle concurrent connect calls in clnt_vc_create() (bz 1342545)