From 3a41bb20e2124158a1b0b4296157e4132ea6a9a5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 07 2016 15:34:11 +0000
Subject: import rpcbind-0.2.0-33.el7_2
---
diff --git a/SOURCES/rpcbind-0.2.0-CVE20157236-memcorrup.patch b/SOURCES/rpcbind-0.2.0-CVE20157236-memcorrup.patch
new file mode 100644
index 0000000..c4904cb
--- /dev/null
+++ b/SOURCES/rpcbind-0.2.0-CVE20157236-memcorrup.patch
@@ -0,0 +1,38 @@
+diff -up rpcbind-0.2.0/src/rpcb_svc_com.c.orig rpcbind-0.2.0/src/rpcb_svc_com.c
+--- rpcbind-0.2.0/src/rpcb_svc_com.c.orig 2015-11-30 14:57:10.267576072 -0500
++++ rpcbind-0.2.0/src/rpcb_svc_com.c 2015-11-30 14:59:06.305393416 -0500
+@@ -1204,12 +1204,33 @@ check_rmtcalls(struct pollfd *pfds, int
+ return (ncallbacks_found);
+ }
+
++/*
++ * This is really a helper function defined in libtirpc,
++ * but unfortunately, it hasn't been exported yet.
++ */
++static struct netbuf *
++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
++{
++ if (nb->len != len) {
++ if (nb->len)
++ mem_free(nb->buf, nb->len);
++ nb->buf = mem_alloc(len);
++ if (nb->buf == NULL)
++ return NULL;
++
++ nb->maxlen = nb->len = len;
++ }
++ memcpy(nb->buf, ptr, len);
++ return nb;
++}
++
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
++ const struct netbuf *caller = fi->caller_addr;
+ u_int32_t *xidp;
+
+- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+ xidp = __rpcb_get_dg_xidp(xprt);
+ *xidp = fi->caller_xid;
+ }
diff --git a/SPECS/rpcbind.spec b/SPECS/rpcbind.spec
index d08ca2f..bfb0cdb 100644
--- a/SPECS/rpcbind.spec
+++ b/SPECS/rpcbind.spec
@@ -1,6 +1,6 @@
 Name: rpcbind
 Version: 0.2.0
-Release: 32%{?dist}
+Release: 33%{?dist}
 Summary: Universal Addresses to RPC Program Number Mapper
 Group: System Environment/Daemons
 License: BSD
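Review bot: In the added rpcbind-0.2.0-CVE20157236-memcorrup.patch, the `mem_alloc` failure path of `__rpc_set_netbuf` returns NULL after the old buffer has already been freed, so `nb->buf` is NULL while `nb->len` and `nb->maxlen` still hold the previous length, and `xprt_set_caller` discards the return value. A later call with the same `len` would skip the allocation branch and `memcpy` into the NULL pointer, and the transport's caller address stays inconsistent for whatever sends the reply (that code is outside this hunk). Resetting the lengths on failure, `nb->maxlen = nb->len = 0;` before `return NULL;`, keeps the netbuf self-consistent. Since `xprt_set_caller` returns void, its callers would also need some way to learn that the address was not set before they reply.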
@@ -24,6 +24,10 @@ Patch005: rpcbind-0.2.0-nss-altfiles.patch Patch006: rpcbind-0.2.0-systemd-socket.patch Patch007: rpcbind-0.2.0-good-term.patch Patch008: rpcbind-0.2.0-warmstart-noerror.patch +# +# RHEL7.2-Z +# +Patch009: rpcbind-0.2.0-CVE20157236-memcorrup.patch Requires: glibc-common setup Conflicts: man-pages < 2.43-12 @@ -58,6 +62,8 @@ RPC calls on a server on that machine. %patch007 -p1 # 1227852 - rpcbind-0.2.0-27.el7 emits error messages after every reboot %patch008 -p1 +# 1283640 - CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT +%patch009 -p1 %build %ifarch s390 s390x @@ -153,13 +159,15 @@ fi %triggerun -- rpcbind > 0.2.0-26 /bin/systemctl enable rpcbind.socket >/dev/null 2>&1 || : -%triggerpostun -- rpcbind < 0.2.0-29 -[ ! -d /run/rpcbind ] && mkdir /run/rpcbind -chown rpc:rpc /run/rpcbind +%triggerpostun -- rpcbind < -2.2.0-29 +[ ! -d /run/rpcbind ] && mkdir /run/rpcbind || : +/usr/bin/chown rpc:rpc /run/rpcbind [ -f /var/lib/rpcbind/rpcbind.xdr ] && \ - mv /var/lib/rpcbind/rpcbind.xdr /run/rpcbind + mv /var/lib/rpcbind/rpcbind.xdr /run/rpcbind || : [ -f /var/lib/rpcbind/portmap.xdr ] && \ - mv /var/lib/rpcbind/portmap.xdr /run/rpcbind + mv /var/lib/rpcbind/portmap.xdr /run/rpcbind || : +[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/rpcbind +/bin/systemctl try-restart nfs-server >/dev/null 2>&1 || : %files %defattr(-,root,root) @@ -174,6 +182,12 @@ chown rpc:rpc /run/rpcbind %dir %attr(700,rpc,rpc) /var/lib/rpcbind %changelog +* Mon Nov 30 2015 Steve Dickson - 0.2.0-33.el7_2 +- Fix memory corruption in PMAP_CALLIT code (bz 1283640) + +* Tue Oct 20 2015 Steve Dickson - 0.2.0-33 +- More triggerpostu typos (bz 1272841) + * Fri Oct 2 2015 Steve Dickson - 0.2.0-32 - Fixed typo in triggerpostu (bz 1268139)
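Review bot: In the `@@ -153,13 +159,15 @@` hunk the new trigger condition reads `%triggerpostun -- rpcbind < -2.2.0-29`, where the line it replaces had `0.2.0-29`. The `-2.2.0-29` looks like a typo. If it is, the migration of `/var/lib/rpcbind/*.xdr` into `/run/rpcbind`, the `restorecon` relabel and the `nfs-server` restart would probably not run for the releases they are meant to cover; `%triggerpostun -- rpcbind < 0.2.0-29` is presumably what was intended. In the same scriptlet, `/usr/bin/chown rpc:rpc /run/rpcbind` and the `restorecon` line are the only commands left without the `|| :` guard the others gained, so a short comment stating whether their failure is meant to be ignored would help the next packager.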