03/03: gnu: rpcbind, libtirpc: Fix CVE-2017-8779.

guix-commits
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
03/03: gnu: rpcbind, libtirpc: Fix CVE-2017-8779.

From:	Leo Famulari
Subject:	03/03: gnu: rpcbind, libtirpc: Fix CVE-2017-8779.
Date:	Fri, 5 May 2017 15:34:43 -0400 (EDT)
lfam pushed a commit to branch master
in repository guix.

commit c39a54f431cc6ae61a09f8b06f3593939dd14c9b
Author: Leo Famulari <address@hidden>
Date:   Thu May 4 21:26:03 2017 -0400

    gnu: rpcbind, libtirpc: Fix CVE-2017-8779.
    
    * gnu/packages/patches/libtirpc-CVE-2017-8779.patch,
    gnu/packages/patches/rpcbind-CVE-2017-8779.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/onc-rpc.scm (rpcbind, libtirpc)[source]: Use them.
---
 gnu/local.mk                                      |   2 +
 gnu/packages/onc-rpc.scm                          |   3 +
 gnu/packages/patches/libtirpc-CVE-2017-8779.patch | 263 ++++++++++++++++++++++
 gnu/packages/patches/rpcbind-CVE-2017-8779.patch  |  29 +++
 4 files changed, 297 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index 97c291d..03412c6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -749,6 +749,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/libtiff-invalid-read.patch              \
   %D%/packages/patches/libtiff-null-dereference.patch          \
   %D%/packages/patches/libtiff-tiffcp-underflow.patch          \
+  %D%/packages/patches/libtirpc-CVE-2017-8779.patch            \
   %D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \
   %D%/packages/patches/libtool-skip-tests2.patch               \
   %D%/packages/patches/libunwind-CVE-2015-3239.patch           \
@@ -929,6 +930,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/readline-6.2-CVE-2014-2524.patch                \
   %D%/packages/patches/readline-7.0-mingw.patch                        \
   %D%/packages/patches/ripperx-missing-file.patch              \
+  %D%/packages/patches/rpcbind-CVE-2017-8779.patch             \
   %D%/packages/patches/rpm-CVE-2014-8118.patch                 \
   %D%/packages/patches/rsem-makefile.patch                     \
   %D%/packages/patches/ruby-concurrent-ignore-broken-test.patch        \
diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm
index c852f9a..a76ac36 100644
--- a/gnu/packages/onc-rpc.scm
+++ b/gnu/packages/onc-rpc.scm
@@ -22,6 +22,7 @@
   #:use-module (guix licenses)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (gnu packages)
   #:use-module (gnu packages kerberos)
   #:use-module (gnu packages pkg-config)
   #:use-module (guix build-system gnu))
@@ -35,6 +36,7 @@
               (uri (string-append "mirror://sourceforge/libtirpc/libtirpc/"
                                   version "/libtirpc-"
                                   version ".tar.bz2"))
+              (patches (search-patches "libtirpc-CVE-2017-8779.patch"))
               (sha256
                (base32
                 "17mqrdgsgp9m92pmq7bvr119svdg753prqqxmg4cnz5y657rfmji"))))
@@ -74,6 +76,7 @@ IPv4 and IPv6.  ONC RPC is notably used by the network file 
system (NFS).")
       (uri (string-append "mirror://sourceforge/" name "/" name "/"
                           version "/"
                           name "-" version ".tar.bz2"))
+      (patches (search-patches "rpcbind-CVE-2017-8779.patch"))
       (sha256
        (base32
         "0rjc867mdacag4yqvs827wqhkh27135rp9asj06ixhf71m9rljh7"))))
diff --git a/gnu/packages/patches/libtirpc-CVE-2017-8779.patch 
b/gnu/packages/patches/libtirpc-CVE-2017-8779.patch
new file mode 100644
index 0000000..742e64d
--- /dev/null
+++ b/gnu/packages/patches/libtirpc-CVE-2017-8779.patch
@@ -0,0 +1,263 @@
+Fix CVE-2017-8779:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+
+Patch copied from the bug reporter's 3rd-party repository:
+
+https://github.com/guidovranken/rpcbomb/blob/master/libtirpc_patch.txt
+
+diff --git a/src/rpc_generic.c b/src/rpc_generic.c
+index 2f09a8f..589cbd5 100644
+--- a/src/rpc_generic.c
++++ b/src/rpc_generic.c
+@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ 
+       switch (af) {
+       case AF_INET:
++              if (nbuf->len < sizeof(*sin)) {
++                      return NULL;
++              }
+               sin = nbuf->buf;
+               if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
+                   == NULL)
+@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+               break;
+ #ifdef INET6
+       case AF_INET6:
++              if (nbuf->len < sizeof(*sin6)) {
++                      return NULL;
++              }
+               sin6 = nbuf->buf;
+               if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
+                   == NULL)
+@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
+ 
+       port = 0;
+       sin = NULL;
++      if (uaddr == NULL)
++              return NULL;
+       addrstr = strdup(uaddr);
+       if (addrstr == NULL)
+               return NULL;
+diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
+index 43fd385..a923c8e 100644
+--- a/src/rpcb_prot.c
++++ b/src/rpcb_prot.c
+@@ -41,6 +41,7 @@
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
+ #include <rpc/rpcb_prot.h>
++#include "rpc_com.h"
+ 
+ bool_t
+ xdr_rpcb(xdrs, objp)
+@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
+       if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
+               return (FALSE);
+       }
+-      if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+-      if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+-      if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+       return (TRUE);
+@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
+       XDR *xdrs;
+       rpcb_entry *objp;
+ {
+-      if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+-      if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+       if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
+               return (FALSE);
+       }
+-      if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+-      if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+       return (TRUE);
+@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
+       bool_t dummy;
+       struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
+ 
+-      if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+       if (!xdr_u_int(xdrs, &objp->results.results_len)) {
+@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
+       if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
+               return (FALSE);
+       }
++
++      if (objp->maxlen > RPC_MAXDATASIZE) {
++              return (FALSE);
++      }
++
+       dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
+                       (u_int *)&(objp->len), objp->maxlen);
+       return (dummy);
+diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
+index 08db745..28e6a48 100644
+--- a/src/rpcb_st_xdr.c
++++ b/src/rpcb_st_xdr.c
+@@ -37,6 +37,7 @@
+ 
+ 
+ #include <rpc/rpc.h>
++#include "rpc_com.h"
+ 
+ /* Link list of all the stats about getport and getaddr */
+ 
+@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
+           if (!xdr_int(xdrs, &objp->failure)) {
+               return (FALSE);
+           }
+-          if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++          if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+               return (FALSE);
+           }
+ 
+@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+               IXDR_PUT_INT32(buf, objp->failure);
+               IXDR_PUT_INT32(buf, objp->indirect);
+       }
+-      if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+       if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+               objp->failure = (int)IXDR_GET_INT32(buf);
+               objp->indirect = (int)IXDR_GET_INT32(buf);
+       }
+-      if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+       if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+       if (!xdr_int(xdrs, &objp->indirect)) {
+               return (FALSE);
+       }
+-      if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++      if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+               return (FALSE);
+       }
+       if (!xdr_pointer(xdrs, (char **)&objp->next,
+diff --git a/src/xdr.c b/src/xdr.c
+index f3fb9ad..b9a1558 100644
+--- a/src/xdr.c
++++ b/src/xdr.c
+@@ -42,8 +42,10 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
++#include <rpc/rpc.h>
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
++#include <rpc/rpc_com.h>
+ 
+ typedef quad_t          longlong_t;     /* ANSI long long type */
+ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
+@@ -53,7 +55,6 @@ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned 
long long type */
+  */
+ #define XDR_FALSE     ((long) 0)
+ #define XDR_TRUE      ((long) 1)
+-#define LASTUNSIGNED  ((u_int) 0-1)
+ 
+ /*
+  * for unit alignment
+@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ {
+       char *sp = *cpp;  /* sp is the actual string pointer */
+       u_int nodesize;
++      bool_t ret, allocated = FALSE;
+ 
+       /*
+        * first deal with the length since xdr bytes are counted
+@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+               }
+               if (sp == NULL) {
+                       *cpp = sp = mem_alloc(nodesize);
++                      allocated = TRUE;
+               }
+               if (sp == NULL) {
+                       warnx("xdr_bytes: out of memory");
+@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+               /* FALLTHROUGH */
+ 
+       case XDR_ENCODE:
+-              return (xdr_opaque(xdrs, sp, nodesize));
++              ret = xdr_opaque(xdrs, sp, nodesize);
++              if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++                      if (allocated == TRUE) {
++                              free(sp);
++                              *cpp = NULL;
++                      }
++              }
++              return (ret);
+ 
+       case XDR_FREE:
+               if (sp != NULL) {
+@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
+       char *sp = *cpp;  /* sp is the actual string pointer */
+       u_int size;
+       u_int nodesize;
++      bool_t ret, allocated = FALSE;
+ 
+       /*
+        * first deal with the length since xdr strings are counted-strings
+@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
+       switch (xdrs->x_op) {
+ 
+       case XDR_DECODE:
+-              if (sp == NULL)
++              if (sp == NULL) {
+                       *cpp = sp = mem_alloc(nodesize);
++                      allocated = TRUE;
++              }
+               if (sp == NULL) {
+                       warnx("xdr_string: out of memory");
+                       return (FALSE);
+@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
+               /* FALLTHROUGH */
+ 
+       case XDR_ENCODE:
+-              return (xdr_opaque(xdrs, sp, size));
++              ret = xdr_opaque(xdrs, sp, size);
++              if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++                      if (allocated == TRUE) {
++                              free(sp);
++                              *cpp = NULL;
++                      }
++              }
++              return (ret);
+ 
+       case XDR_FREE:
+               mem_free(sp, nodesize);
+@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
+       XDR *xdrs;
+       char **cpp;
+ {
+-      return xdr_string(xdrs, cpp, LASTUNSIGNED);
++      return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
+ }
+ 
+ /*
diff --git a/gnu/packages/patches/rpcbind-CVE-2017-8779.patch 
b/gnu/packages/patches/rpcbind-CVE-2017-8779.patch
new file mode 100644
index 0000000..6ca93ff
--- /dev/null
+++ b/gnu/packages/patches/rpcbind-CVE-2017-8779.patch
@@ -0,0 +1,29 @@
+Fix CVE-2017-8779:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+
+Patch copied from the bug reporter's 3rd-party repository:
+
+https://github.com/guidovranken/rpcbomb/blob/master/rpcbind_patch.txt
+
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index 5862c26..e11f61b 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -48,6 +48,7 @@
+ #include <rpc/rpc.h>
+ #include <rpc/rpcb_prot.h>
+ #include <rpc/svc_dg.h>
++#include <rpc/rpc_com.h>
+ #include <netconfig.h>
+ #include <errno.h>
+ #include <syslog.h>
+@@ -432,7 +433,7 @@ rpcbproc_taddr2uaddr_com(void *arg, struct svc_req *rqstp 
/*__unused*/,
+ static bool_t
+ xdr_encap_parms(XDR *xdrs, struct encap_parms *epp)
+ {
+-      return (xdr_bytes(xdrs, &(epp->args), (u_int *) &(epp->arglen), ~0));
++      return (xdr_bytes(xdrs, &(epp->args), (u_int *) &(epp->arglen), 
RPC_MAXDATASIZE));
+ }
+ 
+ /*
[Prev in Thread]
Current Thread
[Next in Thread]
branch master updated (7846185 -> c39a54f), Leo Famulari, 2017/05/05
- 01/03: gnu: rpcbind: Update to 0.2.4., Leo Famulari, 2017/05/05
- 02/03: gnu: libtirpc: Update to 1.0.1., Leo Famulari, 2017/05/05
- 03/03: gnu: rpcbind, libtirpc: Fix CVE-2017-8779., Leo Famulari <=
Prev by Date: branch master updated (7846185 -> c39a54f)
Next by Date: branch master updated (c39a54f -> cc3bc02)
Previous by thread: 02/03: gnu: libtirpc: Update to 1.0.1.
Next by thread: branch master updated (c39a54f -> cc3bc02)
Index(es):
- Date
- Thread