Bug 1620293 (CVE-2018-14622)

Summary: CVE-2018-14622 libtirpc: Segmentation fault in makefd_xprt return value in svc_vc.c
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abhgupta, ahardin, bleanhar, bmcclain, carnil, ccoleman, dbaker, dblechte, dedgar, dfediuck, dmoppert, eedri, eparis, jgoulding, jlayton, jokerman, kkeithle, mchappel, mgoldboi, michal.skrivanek, sbonazzo, sherold, sisharma, ssaha, steved, sthangav, trankin, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libtirpc 0.3.3-rc3
Doc Type: If docs needed, set a value
Doc Text:
A null-pointer dereference vulnerability was found in libtirpc. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:36:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1620294, 1620295
Bug Blocks: 1620296

Description Laura Pardo 2018-08-22 21:56:28 UTC
A flaw was found in libtirpc. The return value of makefd_xprt was used without checking for NULL in svc_vc.c, leading to a null pointer dereference / segfault if the maximum number of available file descriptors was exhausted.


Upstream Patch:

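The defect class described above, as an added illustration that is not libtirpc's code and not the upstream patch: a constructed accept path in which a makefd_xprt()-style allocator returns NULL once the descriptor limit is hit. The `sim_*` names, the `sim_xprt_t` struct and the `SIM_FD_LIMIT` cap are assumptions for this example; the point is that the hardened caller checks the return value before the first dereference and drops the surplus connection instead of crashing the whole server.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for libtirpc's SVCXPRT with only the fields this example touches. */
typedef struct {
    int  xp_fd;
    char xp_state[8];
} sim_xprt_t;

/* Constructed cap standing in for the process's open-file limit (RLIMIT_NOFILE). */
#define SIM_FD_LIMIT 4
static int         sim_open_fds = 0;
static sim_xprt_t *sim_live[SIM_FD_LIMIT];

/* Hypothetical analogue of makefd_xprt(): builds a transport for an accepted socket.
 * Like the real function, it returns NULL when it cannot (here: no free descriptor slot). */
sim_xprt_t *sim_makefd_xprt(int fd)
{
    if (sim_open_fds >= SIM_FD_LIMIT)
        return NULL;                          /* the "too many open files" case */
    sim_xprt_t *xprt = calloc(1, sizeof *xprt);
    if (xprt == NULL)
        return NULL;
    xprt->xp_fd = fd;
    strcpy(xprt->xp_state, "new");
    sim_live[sim_open_fds++] = xprt;
    return xprt;
}

/* Caller with the defect: the return value is dereferenced without a NULL check.
 * Once the limit is reached, the next accepted connection crashes the server.
 * Shown for contrast only; nothing in this file calls it. */
void sim_rendezvous_request_unchecked(int fd)
{
    sim_xprt_t *xprt = sim_makefd_xprt(fd);
    strcpy(xprt->xp_state, "ready");          /* NULL dereference when xprt == NULL */
}

/* Hardened caller: check before the first dereference and refuse the connection.
 * Returns 0 when a transport was created, -1 when the connection had to be dropped. */
int sim_rendezvous_request_checked(int fd)
{
    sim_xprt_t *xprt = sim_makefd_xprt(fd);
    if (xprt == NULL)
        return -1;                            /* drop this connection, keep serving the rest */
    strcpy(xprt->xp_state, "ready");
    return 0;
}

/* Connection flood: accept `n` connections that never close.
 * Returns the number served; *refused receives the number dropped. */
int sim_flood(int n, int *refused)
{
    int served = 0;
    *refused = 0;
    for (int fd = 3; fd < 3 + n; fd++) {
        if (sim_rendezvous_request_checked(fd) == 0)
            served++;
        else
            (*refused)++;
    }
    return served;
}

/* Release all simulated transports so the scenario can be re-run. */
void sim_reset(void)
{
    for (int i = 0; i < sim_open_fds; i++)
        free(sim_live[i]);
    sim_open_fds = 0;
}

int main(void)
{
    int refused;
    int served = sim_flood(10, &refused);
    printf("served %d, refused %d (limit %d)\n", served, refused, SIM_FD_LIMIT);
    sim_reset();
    return 0;
}
```

With the checked caller the flood degrades to refused connections once the cap is reached; with the unchecked caller the same input would fault on the first refused one, which is the denial-of-service the Doc Text describes.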
Comment 1 Laura Pardo 2018-08-22 21:56:59 UTC
Created libtirpc tracking bugs for this issue:

Affects: fedora-all [bug 1620295]

Comment 3 Doran Moppert 2018-08-23 03:05:41 UTC
This was fixed in RHEL 7 as part of bug 1410617.

Comment 5 Salvatore Bonaccorso 2018-08-30 13:47:19 UTC
I think there is a need for clarification for CVE-2018-14622 (and CVE-2018-14621).

CVE-2018-14622 refers to http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0 and additionally to the SuSE bug https://bugzilla.novell.com/show_bug.cgi?id=968175

But there is as well https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9265 referencing http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0 and https://bugzilla.suse.com/show_bug.cgi?id=968175

CVE-2018-14621 seems to refer to the "second issue" of that SuSE bug, which SuSE proposes to address with https://bugzilla.novell.com/attachment.cgi?id=666865, but the upstream commit finally addressing it seems to be http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=fce98161d9815ea016855d9f00274276452c2c4b (as such this issue would only affect 0.3.3-rc3 onwards).

Does CVE-2018-14622 need to be rejected?

Comment 6 Salvatore Bonaccorso 2018-08-30 14:08:26 UTC
For the record, the 2015 CVE will be rejected in favour of the 2018 one.