Bug 468014 (CVE-2008-4619) - CVE-2008-4619 libtirpc: rpcbind DoS in the taddr2uaddr XDR_DECODE
Summary: CVE-2008-4619 libtirpc: rpcbind DoS in the taddr2uaddr XDR_DECODE
Alias: CVE-2008-4619
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Depends On:
TreeView+ depends on / blocked
Reported: 2008-10-22 12:26 UTC by Tomas Hoger
Modified: 2019-09-29 12:26 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-29 09:38:59 UTC

Attachments (Terms of Use)

Description Tomas Hoger 2008-10-22 12:26:14 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4619 to the following vulnerability:

The RPC subsystem in Sun Solaris 9 allows remote attackers to cause a denial of
service (daemon crash) via a crafted request to procedure 8, related to the
XDR_DECODE operation and the taddr2uaddr function.


Comment 1 Tomas Hoger 2008-10-22 12:38:39 UTC
This also crashes rpcbind on Fedora and seems to be a libtirpc issue.

In rpcb_service_4(), rpcbind calls libtirpc's xdr_netbuf() when taddr2uaddr decode is required.  xdr_netbuf() first reads maxlen from the argument, later uses this as an upper bound while reading transport-encoded address to objp->buf using xdr_bytes() without further validation.  However, malicious request from the PoC referenced above causes maxlen to be 0, which causes xdr_bytes() to return TRUE without initializing objp->buf.  That is later used as inet_ntop argument, causing SEGV.

Comment 2 Tomas Hoger 2008-10-22 12:41:24 UTC
Steve, can you please check whether I'm missing anything here?  You also seem to be part of the libtirpc's upstream, can you let other libtirpc developers know about this issue, or should I try to contact them?  Thanks!

Comment 3 Tomas Hoger 2008-10-24 20:09:04 UTC
I've created upstream bug report for this:

Comment 4 Steve Dickson 2008-10-27 16:40:07 UTC
I'm thinking the problem is not in xdr_netbuf() since its valid 
to return a zero length buffer. The problem is with the user of 
that zero length, in this case taddr2uaddr()->__rpc_taddr2uaddr_af()

Here is the patch I propose:

--- src/rpc_generic.c.orig	2008-10-27 10:04:32.000000000 -0400

+++ src/rpc_generic.c	2008-10-27 12:05:59.000000000 -0400

@@ -594,6 +594,9 @@ __rpc_taddr2uaddr_af(int af, const struc


 	u_int16_t port;


+	if (nbuf->len <= 0)

+		return NULL;


 	switch (af) {

 	case AF_INET:

 		sin = nbuf->buf;

Comment 5 Fedora Update System 2008-10-27 17:58:17 UTC
libtirpc-0.1.7-20.fc9 has been submitted as an update for Fedora 9.

Comment 6 Steve Dickson 2008-10-28 09:56:13 UTC
Fixed in libtirpc-0.1.9-6.fc10

Comment 7 Tomas Hoger 2008-10-29 07:46:06 UTC
Looks like this issue is bit older and was originally assigned CVE id CVE-2007-0165:

Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind. 


Comment 8 Tomas Hoger 2008-10-29 08:02:41 UTC
(In reply to comment #6)
> Fixed in libtirpc-0.1.9-6.fc10

Steve, you've managed to typo NVR in the RPM changelog, as it now says 0.1.8-X instead of 0.1.9-X.

Comment 9 Fedora Update System 2008-10-30 12:49:17 UTC
libtirpc-0.1.7-20.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.