Bug 1448794 (CVE-2017-8804) - CVE-2017-8804 glibc: memory leak in sunrpc when decoding malformed XDR
Summary: CVE-2017-8804 glibc: memory leak in sunrpc when decoding malformed XDR
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-8804
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1448796
Blocks: 1448130
TreeView+ depends on / blocked
 
Reported: 2017-05-08 07:58 UTC by Doran Moppert
Modified: 2020-08-13 09:09 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-23 05:36:12 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Sourceware 21461 0 P2 RESOLVED DISPUTED: sunrpc: Memory leak after deserialization failure in xdr_bytes, xdr_string (CVE-2017-8804) 2020-11-18 22:38:24 UTC

Description Doran Moppert 2017-05-08 07:58:09 UTC
A crafted XDR message containing a string or bytes entity with a particularly large size but no content could cause xdr_opaque to leak virtual memory. Since the memory is never accessed, physical pages are not mapped (unless sysctl vm.overcommit_memory=2 is in effect). This was discovered in the wake of CVE-2017-8779.

Upstream issue:

https://sourceware.org/bugzilla/show_bug.cgi?id=21461

Upstream patch:

https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html

CVE assignment:

https://seclists.org/oss-sec/2017/q2/218

Comment 1 Doran Moppert 2017-05-08 07:59:22 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1448796]

Comment 3 Doran Moppert 2018-08-06 23:54:16 UTC
Per discussion on the libc-alpha mailing list (linked https://sourceware.org/bugzilla/show_bug.cgi?id=21461#c7), this is an application vulnerability rather than a flaw in glibc.  Users of the sunrpc library routines must be careful to use XDR_FREE, even when deserialisation failure occurs.


Note You need to log in before you can comment on or make changes to this bug.