Bug 1620293 - (CVE-2018-14622) CVE-2018-14622 libtirpc: Segmentation fault in makefd_xprt return value in svc_vc.c
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20160303,reported=2...
: Security
Depends On: 1620294 1620295
Blocks: 1620296
Reported: 2018-08-22 17:56 EDT by Laura Pardo
Modified: 2018-10-03 00:04 EDT
Fixed In Version: libtirpc 0.3.3-rc3
Doc Text:
A null-pointer dereference vulnerability was found in libtirpc. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.
Description Laura Pardo 2018-08-22 17:56:28 EDT
A flaw was found in libtirpc. The return value of makefd_xprt was used without checking for NULL in svc_vc.c, leading to a null pointer dereference / segfault if the maximum number of available file descriptors was exhausted.


References:
https://bugzilla.novell.com/show_bug.cgi?id=968175

Upstream Patch:
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0
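
The unchecked-return pattern described above, next to its checked form, as an added example that is not code from libtirpc or from this bug report. `make_xprt`, `accept_unchecked`, `accept_checked`, `simulate_flood` and `FD_LIMIT` are hypothetical names, and descriptor exhaustion is modelled (an assumption) as an fd value at or above a small constructed limit.

```c
#include <stdio.h>

#define FD_LIMIT 4                      /* constructed stand-in for the fd limit */

struct xprt { int fd; int peer_port; }; /* hypothetical transport handle */
static struct xprt pool[FD_LIMIT];

/* Models a constructor in the role of makefd_xprt(): NULL once the limit is hit. */
static struct xprt *make_xprt(int fd)
{
    if (fd < 0 || fd >= FD_LIMIT)
        return NULL;
    pool[fd].fd = fd;
    return &pool[fd];
}

/* Unchecked pattern from the flaw description; shown for contrast, never called. */
int accept_unchecked(int fd, int peer_port)
{
    struct xprt *x = make_xprt(fd);
    x->peer_port = peer_port;           /* NULL dereference when make_xprt() fails */
    return 0;
}

/* Checked pattern: reject this connection, keep the process alive. */
int accept_checked(int fd, int peer_port, int *rejected)
{
    struct xprt *x = make_xprt(fd);
    if (x == NULL) {
        (*rejected)++;                  /* a server would also close the socket here */
        return -1;
    }
    x->peer_port = peer_port;
    return 0;
}

/* Feed nconn new connections through the checked path; return the rejections. */
int simulate_flood(int nconn)
{
    int rejected = 0;
    for (int fd = 0; fd < nconn; fd++)
        accept_checked(fd, 40000 + fd, &rejected);
    return rejected;
}

int main(void)
{
    printf("rejected %d of 10 connections\n", simulate_flood(10));
    return 0;
}
```

With the check in place, a connection flood past the limit produces rejected connections instead of a crashed service.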
Comment 1 Laura Pardo 2018-08-22 17:56:59 EDT
Created libtirpc tracking bugs for this issue:

Affects: fedora-all [bug 1620295]
Comment 3 Doran Moppert 2018-08-22 23:05:41 EDT
This was fixed in RHEL 7 as part of bug 1410617.
Comment 5 Salvatore Bonaccorso 2018-08-30 09:47:19 EDT
Hi

I think there is need of clarification for CVE-2018-14622 (and CVE-2018-14621).

CVE-2018-14622 refers to http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0 and additionally to the SuSE bug https://bugzilla.novell.com/show_bug.cgi?id=968175

But there is as well https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9265 referencing http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0 and https://bugzilla.suse.com/show_bug.cgi?id=968175

CVE-2018-14621 seems to refer to the "second issue" of that SuSE bug, which SuSE proposes to address with https://bugzilla.novell.com/attachment.cgi?id=666865 but the upstream commit finally addressing it seems to be http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=fce98161d9815ea016855d9f00274276452c2c4b (as such this issue would only affect 0.3.3-rc3 onwards).

Does CVE-2018-14622 need to be rejected?
Comment 6 Salvatore Bonaccorso 2018-08-30 10:08:26 EDT
For the record, the 2015 CVE will be rejected in favour of the 2018 one.