Bug 1620293 (CVE-2018-14622) - CVE-2018-14622 libtirpc: Segmentation fault in makefd_xprt return value in svc_vc.c
Summary: CVE-2018-14622 libtirpc: Segmentation fault in makefd_xprt return value in sv...
Status: NEW
Alias: CVE-2018-14622
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20160303,reported=2...
Keywords: Security
Depends On: 1620294 1620295
Blocks: 1620296
TreeView+ depends on / blocked
 
Reported: 2018-08-22 21:56 UTC by Laura Pardo
Modified: 2019-05-07 10:41 UTC (History)
29 users (show)

(edit)
A null-pointer dereference vulnerability was found in libtirpc.  The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors.  A remote attacker could cause an rpc-based application to crash by flooding it with new connections.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Laura Pardo 2018-08-22 21:56:28 UTC
A flaw was found in libtirpc. The return value of makefd_xprt was used without checking for NULL in svc_vc.c, leading to a null pointer dereference / segfault if the maximum number of available file descriptors was exhausted.


References:
https://bugzilla.novell.com/show_bug.cgi?id=968175

Upstream Patch:
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0

Comment 1 Laura Pardo 2018-08-22 21:56:59 UTC
Created libtirpc tracking bugs for this issue:

Affects: fedora-all [bug 1620295]

Comment 3 Doran Moppert 2018-08-23 03:05:41 UTC
This was fixed in RHEL 7 as part of bug 1410617.

Comment 5 Salvatore Bonaccorso 2018-08-30 13:47:19 UTC
Hi

I think there is need of clarification for CVE-2018-14622 (and CVE-2018-14621).

CVE-2018-14622 refers to http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0 and additionally to the SuSE bug https://bugzilla.novell.com/show_bug.cgi?id=968175

But there is as well https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9265 referecing http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0 and https://bugzilla.suse.com/show_bug.cgi?id=968175

CVE-2018-14621 seem to refer to the "second issue" of that SuSE bug, which SuSE prooposes to address with https://bugzilla.novell.com/attachment.cgi?id=666865 but the upstream commit finally adressing it seem to be http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=fce98161d9815ea016855d9f00274276452c2c4b (as such this issue woul only affect 0.3.3-rc3 onwards).

Does CVE-2018-14622 need to be rejected?

Comment 6 Salvatore Bonaccorso 2018-08-30 14:08:26 UTC
For the record, the 2015 CVE will be rejected in favour of the 2018 one.


Note You need to log in before you can comment on or make changes to this bug.